Re: still can't route using fwmark

Linux Netfilter discussions
 help / color / mirror / Atom feed

From: "Lloyd Standish" <lloyd@crnatural.net>
To: Thomas Jacob <jacob@internet24.de>
Cc: netfilter@vger.kernel.org
Subject: Re: still can't route using fwmark
Date: Mon, 20 Apr 2009 09:38:13 -0600	[thread overview]
Message-ID: <op.usoy1zlxx1lyi3@localhost> (raw)
In-Reply-To: <1240225752.27336.25.camel@enterprise.ims-firmen.de>

On Mon, 20 Apr 2009 05:09:12 -0600, Thomas Jacob <jacob@internet24.de> wrote:

> Take a look at the packet traversal graph, outgoing packets from local
> processes do not pass thru PREROUTING, but incoming packets do, that's
> where your markings come from. But in your case, I'm sure you want to
> select a link when the outgoing connection is first established and then
> stay with that link. Selecting a different link with the second packet
> doesn't work with NATed connections, right?
> 
> So you if you want to load balance local packets correctly as well,
> you need to put some rules into OUTPUT. Possibly that's really your
> basic problem here, but I don't have time to think about that at the
> moment.

Thomas, somehow I had the erroneous idea that ALL packets, even those originating at the local machine, go through PREROUTING.  I finally understand now why I need the OUTPUT statements.  As soon as I added those, the load balancing started to work!

There's still one aspect that is not working.  Connections to the Internet initiated from the LAN, which go though PREROUTING (but not through OUTPUT) do not get a reply.  I suspect there is something wrong with the SNAT rules intended to masquerade LAN-connected machines onto the 2 interfaces, but I still have not had time to examine the logs to try to see what is going on.

Here's a copy of my (stripped) iptables script, now load balancing over ppp0 and ppp1 for local process only.

src0=`ip route show dev ppp0 | head -n1 | cut --delimiter=" " --fields=10`
src1=`ip route show dev ppp1 | head -n1 | cut --delimiter=" " --fields=10`
gw0=`ip route show dev ppp0 | head -n1 | cut --delimiter=" " --fields=1`
gw1=`ip route show dev ppp1 | head -n1 | cut --delimiter=" " --fields=1`

iptables -t mangle -N CONNMARK1
iptables -t mangle -A CONNMARK1 -j MARK --set-mark 1
iptables -t mangle -A CONNMARK1 -j CONNMARK --save-mark
iptables -t mangle -A CONNMARK1 -j LOG --log-prefix 'iptables-mark1: ' --log-level info

iptables -t mangle -N CONNMARK2
iptables -t mangle -A CONNMARK2 -j MARK --set-mark 2
iptables -t mangle -A CONNMARK2 -j CONNMARK --save-mark
iptables -t mangle -A CONNMARK2 -j LOG --log-prefix 'iptables-mark2: ' --log-level info

iptables -t mangle -N RESTOREMARK
iptables -t mangle -A RESTOREMARK -j CONNMARK --restore-mark
iptables -t mangle -A RESTOREMARK -j LOG --log-prefix 'restore-mark: ' --log-level info

iptables -t nat -N SNAT1
iptables -t nat -A SNAT1 -j LOG --log-prefix "SNAT $src0: " --log-level info
iptables -t nat -A SNAT1 -j SNAT --to-source $src0

iptables -t nat -N SNAT2
iptables -t nat -A SNAT2 -j LOG --log-prefix "SNAT $src1: " --log-level info
iptables -t nat -A SNAT2 -j SNAT --to-source $src1
#iptables -t nat -A SNAT2 -j LOG --log-prefix "$src1: " --log-level info

# restore the fwmark on packets that belong to an existing connection
# this prerouting stuff would only be for connections initiated on the LAN

iptables -A PREROUTING -i eth0  -t mangle -m state --state ESTABLISHED,RELATED -j RESTOREMARK
iptables -A PREROUTING -i eth0 -t mangle -m mark ! --mark 0 -j RETURN
iptables -A PREROUTING -t mangle -j CONNMARK1
iptables -A PREROUTING -t mangle -m statistic --mode nth --every 2 --packet 0 -j CONNMARK2

# for local process (this has to be a new connection)
iptables -A OUTPUT -t mangle -j CONNMARK1
iptables -A OUTPUT -t mangle -m statistic --mode nth --every 2 --packet 0 -j CONNMARK2

# fox source ip address on packets to match used interface
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT1
iptables -t nat -A POSTROUTING -o ppp1 -j SNAT2
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

if ! cat /etc/iproute2/rt_tables | grep -q '^251'
then
	echo '251     rt_link1' >> /etc/iproute2/rt_tables
fi
if ! cat /etc/iproute2/rt_tables | grep -q '^252'
then
	echo '252     rt_link2' >> /etc/iproute2/rt_tables
fi

ip route flush table rt_link1 2>/dev/null
ip route add $gw0 dev ppp0 table rt_link1
ip route add default via $gw0 dev ppp0 table rt_link1

ip route flush table rt_link2 2>/dev/null
ip route add $gw1 dev ppp1 table rt_link2
ip route add default via $gw1 dev ppp1 table rt_link2

if ! ip rule show | grep -q 'rt_link2'
then
	ip rule add fwmark 1 table rt_link1
	ip rule add fwmark 2 table rt_link2
fi
ip route flush cache

Once this is working for LAN I want to try load balancing according the byte count of each interface, if that is possible.

next prev parent reply	other threads:[~2009-04-20 15:38 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-04-18  4:40 still can't route using fwmark Lloyd Standish
2009-04-18  8:23 ` Thomas Jacob
2009-04-18 17:12   ` Lloyd Standish
2009-04-18 18:48     ` Thomas Jacob
2009-04-18 19:33       ` Lloyd Standish
2009-04-18 20:58         ` Thomas Jacob
2009-04-18 21:49           ` Lloyd Standish
2009-04-19  9:00             ` Thomas Jacob
2009-04-20  5:56               ` Lloyd Standish
2009-04-20  8:48                 ` Javier Gálvez Guerrero
2009-04-20 11:44                   ` Thomas Jacob
2009-04-20 13:08                     ` Javier Gálvez Guerrero
2009-04-20 13:37                       ` Thomas Jacob
2009-04-20 15:15                         ` Javier Gálvez Guerrero
2009-04-20 18:59                           ` Thomas Jacob
2009-04-22  9:53                             ` Javier Gálvez Guerrero
2009-04-22 10:01                               ` Thomas Jacob
2009-04-20 11:09                 ` Thomas Jacob
2009-04-20 12:25                   ` Brian Austin - Standard Universal
2009-04-20 15:38                   ` Lloyd Standish [this message]
2009-04-20 19:26                     ` Thomas Jacob
2009-04-21 19:54                       ` Lloyd Standish
2009-04-22  9:35                         ` Thomas Jacob
2009-04-22 15:03                           ` Lloyd Standish
2009-04-18 23:14           ` Lloyd Standish

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=op.usoy1zlxx1lyi3@localhost \
    --to=lloyd@crnatural.net \
    --cc=jacob@internet24.de \
    --cc=netfilter@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox