From: "Usuário do Sistema" <maiconlp@ig.com.br>
To: netfilter@vger.kernel.org
Subject: Cache Route Iproute2
Date: Mon, 2 May 2011 18:44:56 -0300
Message-ID: <BANLkTinzYqaO0=Q8PM5KBmwE4sFMEgCyPw@mail.gmail.com>
Hello everyone, I have a problem with the iproute2 route cache. I have two
firewalls (FwBuilder 4.1.0) connected to each other by OpenVPN.
I have some web servers in my head office local network which have IP
128.2.0.0/16 (strange, but my head office local network has a range of
valid IPs).
In my branch office I have two connections to the Internet; one is
dedicated to OpenVPN and the other is for users' Internet access.
My branch office users need to access my web servers in my head office over
OpenVPN, so I've created, in my branch office firewall, a route
table called "internet" to forward traffic through my second Internet
link. In other words, when the traffic is to something other than 128.2.0.0/16 port
80 it must go out via the second Internet link, and when it is to network
128.2.0.0/16 it must go out via the VPN link.
My script follows:
#!/bin/sh
# Policy routing for the branch office: web traffic (80/443) from the LAN
# that is NOT bound for the head office 128.2.0.0/16 is marked and sent
# out the second Internet link; everything else, including VPN traffic,
# stays in the main table.
# Assumes "internet" is defined as a table name in /etc/iproute2/rt_tables.

echo -n "disable rp_filter..."
for eee in /proc/sys/net/ipv4/conf/*/rp_filter; do
	echo 0 > $eee
done
cat /proc/sys/net/ipv4/conf/*/rp_filter
echo " [OK]"

## tag out by Internet second link
# Note: -A appends on every run and the chain is not flushed here, so
# repeated runs leave duplicate MARK rules in mangle PREROUTING.
# The negation is written "! -d"; the older "-d !" spelling is deprecated.
/sbin/iptables -t mangle -A PREROUTING -i eth0 -s 192.100.100.0/24 ! -d 128.2.0.0/16 -p tcp --dport 80 -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING -i eth0 -s 192.100.100.0/24 ! -d 128.2.0.0/16 -p tcp --dport 443 -j MARK --set-mark 1

# Remove any previous rule for this mark (fails harmlessly on the first run)
# and rebuild the table from scratch.
ip rule del fwmark 1
ip route flush table internet
ip rule add fwmark 1 table internet prio 20
# Default route of table "internet": my second Internet link, used only for
# users' Internet access.
ip route add default via 200.108.139.1 table internet
ip route flush cache
The problem is that sometimes my traffic to destination 128.2.0.0/16 port 80
is forwarded via gateway 200.108.139.1 (route table internet)
instead of going out via my main route table, where my OpenVPN routes are!!
It seems that route caching is occurring in iproute2, because when I run
the command "ip route flush table internet" everything works...
the traffic to network 128.2.0.0 port 80 goes out via my main route
table, where my OpenVPN routes are.
Why does it sometimes happen that traffic to 128.2.0.0/16 port 80 is
forwarded by table internet instead of being handled by my main route table??
Any tips??
Thanks!!
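The setup in the post (mangle MARK rules selecting a table through `ip rule`) can be reasoned about offline before touching the box. The following is an added example and not code from the post: a small Python simulator that parses the two MARK rules in iptables-save syntax and the `ip rule show` output, resolves sample flows through the tables the way the kernel does (rules walked by priority, a table with no matching route falls through to the next rule, MARK is non-terminating), and flags any flow to 128.2.0.0/16 that would leave by the "internet" table. The main-table next hops (tun0 for the VPN, a 192.0.2.1 gateway on eth2), the sample flows and the "stray" rule are constructed for the example. The stray rule illustrates one way the reported symptom can arise with this configuration: a second MARK rule that lacks the `! -d 128.2.0.0/16` exclusion (for instance a duplicate left by an earlier run of a script that only appends, or a rule from another rule set) marks the VPN-bound traffic too, and the fwmark rule then wins at priority 20 before the main table is ever consulted.

```python
"""Offline check of fwmark policy routing (added example, not from the post).

Parses mangle rules in iptables-save syntax and `ip rule show` output, then
decides for sample flows which table the kernel would consult and where
the packet would leave. All rule text, table contents and flows below are
constructed; the main-table next hops are assumptions.
"""
import ipaddress
import re
import shlex

# iptables-save rendering of the two MARK rules from the post (constructed).
MANGLE_POST = """\
-A PREROUTING -s 192.100.100.0/24 ! -d 128.2.0.0/16 -i eth0 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -s 192.100.100.0/24 ! -d 128.2.0.0/16 -i eth0 -p tcp -m tcp --dport 443 -j MARK --set-xmark 0x1/0xffffffff
"""
# Hypothetical stray rule with the destination exclusion missing.
MANGLE_STRAY = "-A PREROUTING -s 192.100.100.0/24 -i eth0 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x1/0xffffffff\n"

# `ip rule show` output matching the post (constructed).
IP_RULES = """\
0:\tfrom all lookup local
20:\tfrom all fwmark 0x1 lookup internet
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""
# Table contents, prefix -> next hop. "internet" is the post's second link;
# the main-table entries (tun0, 192.0.2.1 on eth2) are assumed values.
ROUTE_TABLES = {
    "local": {},
    "internet": {"0.0.0.0/0": "via 200.108.139.1"},
    "main": {"128.2.0.0/16": "dev tun0", "0.0.0.0/0": "via 192.0.2.1 dev eth2"},
    "default": {},
}
VPN_NET = ipaddress.ip_network("128.2.0.0/16")
MATCH_OPTS = ("-s", "-d", "-i", "-p", "--dport")


def parse_mangle(text):
    """Return [(matches, mark_value, mark_mask)] for every MARK rule."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok or tok[0] != "-A" or "MARK" not in tok:
            continue
        m, neg, value, mask, i = {}, False, None, None, 2
        while i < len(tok):
            t = tok[i]
            if t == "!":
                neg = True
            elif t in MATCH_OPTS:                 # match option: (value, negated)
                m[t], neg, i = (tok[i + 1], neg), False, i + 1
            elif t in ("--set-mark", "--set-xmark"):
                v, _, mk = tok[i + 1].partition("/")
                value, mask, i = int(v, 0), (int(mk, 0) if mk else 0xFFFFFFFF), i + 1
            i += 1
        if value is not None:
            rules.append((m, value, mask))
    return rules


def _match(m, flow):
    src, dst, proto, dport, iif = flow
    checks = {
        "-s": lambda v: ipaddress.ip_address(src) in ipaddress.ip_network(v, strict=False),
        "-d": lambda v: ipaddress.ip_address(dst) in ipaddress.ip_network(v, strict=False),
        "-i": lambda v: iif == v,
        "-p": lambda v: proto == v,
        "--dport": lambda v: dport == int(v),
    }
    # result != negated inverts the check for options preceded by "!"
    return all(checks[k](v) != negated for k, (v, negated) in m.items())


def mark_for(rules, flow):
    """MARK does not terminate the chain: every matching rule updates the mark."""
    mark = 0
    for m, value, mask in rules:
        if _match(m, flow):
            mark = (mark & ~mask & 0xFFFFFFFF) | (value & mask)
    return mark


RULE_RE = re.compile(r"^(\d+):\s+from (\S+)(?: fwmark (\S+))? lookup (\S+)")


def parse_ip_rules(text):
    out = []
    for line in text.splitlines():
        mo = RULE_RE.match(line)
        if mo:
            prio, frm, fw, table = mo.groups()
            v, _, mk = fw.partition("/") if fw else ("", "", "")
            fwmark = (int(v, 0), int(mk, 0) if mk else 0xFFFFFFFF) if fw else None
            out.append((int(prio), frm, fwmark, table))
    return sorted(out)


def lookup(ip_rules, flow, mark):
    """Walk rules by priority; a table with no matching route falls through."""
    src, dst = ipaddress.ip_address(flow[0]), ipaddress.ip_address(flow[1])
    for _, frm, fwmark, table in ip_rules:
        if frm != "all" and src not in ipaddress.ip_network(frm, strict=False):
            continue
        if fwmark and (mark & fwmark[1]) != (fwmark[0] & fwmark[1]):
            continue
        best = None                                # longest-prefix match in table
        for prefix, hop in ROUTE_TABLES.get(table, {}).items():
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        if best:
            return table, best[1]
    return None, None


def audit(mangle_text, ip_rule_text, flows):
    """Return [(flow, mark, table, hop, ok)]; ok is False when VPN-bound traffic leaves by another table."""
    rules, ip_rules = parse_mangle(mangle_text), parse_ip_rules(ip_rule_text)
    report = []
    for flow in flows:
        mark = mark_for(rules, flow)
        table, hop = lookup(ip_rules, flow, mark)
        ok = not (ipaddress.ip_address(flow[1]) in VPN_NET and table != "main")
        report.append((flow, mark, table, hop, ok))
    return report


FLOWS = [  # (src, dst, proto, dport, iif), constructed
    ("192.100.100.10", "128.2.0.5", "tcp", 80, "eth0"),
    ("192.100.100.10", "203.0.113.9", "tcp", 80, "eth0"),
    ("192.100.100.10", "203.0.113.9", "tcp", 22, "eth0"),
]

if __name__ == "__main__":
    for mangle in (MANGLE_POST, MANGLE_POST + MANGLE_STRAY):
        for flow, mark, table, hop, ok in audit(mangle, IP_RULES, FLOWS):
            print(f"{flow[1]}:{flow[3]} mark={mark} table={table} {hop} {'ok' if ok else 'WRONG TABLE'}")
        print("--")
```

On the live firewall the equivalent checks are `iptables -t mangle -S PREROUTING` (look for every rule that sets mark 1, not just the two from the script), `ip rule show`, and `ip route get 128.2.0.5 from 192.100.100.10 iif eth0 mark 0` versus the same query with `mark 1`, which shows directly which table and next hop each mark value resolves to. The post predates Linux 3.6, which removed the IPv4 routing cache, so on that kernel `ip route flush cache` after editing rules or tables was a real step; on later kernels the command does nothing.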