Re: Splitting locally generated traffic based on destination port

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Arthur Donkers wrote:

> My question now is how to define a policy so specific traffic, generated
> locally by sendmail and ssh, uses eth0 as its interface in stead of eth1
> which is used for the default route ?
> 
> I already mark outgoing traffic in the mangle table thus
> iptables -A OUTPUT -t mangle -p tcp --dport 25 -j MARK --set-mark 1
> I have to SNAT outgoing traffic as well:
> iptables -A POSTROUTING -t nat -m mark --mark 1 -j SNAT --to-source <eth0>
> I have added a table mail.out to /etc/iproute2/rt_tables and defined rules
> like this:
> ip rule add fwmark 1 table mail.out
> ip route add default via <gw on eth0 network> dev eth0 src <eth0>

 >

> And when I do this:
> telnet <mailhost> 25
> 
> I indeed see a SYN packet coming out of eth0 to <mailhost>, and a SYN/ACK
> packet comes back. The problem is that it appears that the Linux box does
> not see this SYN/ACK packet and resends the SYN packet after a few
> seconds, which again is answered by a SYN/ACK and this goes on a few
> times. No other packet filters are active on the Linux box (yet).


Hello Arthur,

I´m not a professional in routing, but I think I´ve read something about 
the routing mechanism:


Packet ---> Table PREROUTING -+-> Table FORWARD  -+-> Table POSTROUTING
                               |                   |    (and then out)
                               +-> Table INCOMING  |
                                                   |
                                   Table OUTGOING -+

The problem is, that the routing decision is done AFTER processing the 
forward table, but BEFORE the postrouting table (NAT). So it is possible 
to modify the packets in POSTROUTING that way, that they will go out via 
device A, but have the ip of the other device B.
If the "answer" packet comes in at A (but are addressed to B), the 
address will be checked and device A drops (/does not listen to) them. 
("Hey, that packet is not for me !").

Possible unclean variant to fix that would be to put device A in the so 
called "promisc" (promiscueing ?) mode, where all packets are processed.

Clean variant is _not_ to do NAT by the filter. Make the _routing_ 
decision depending on the filter. And NAT is done afterwards based on 
the routing.


Hope I told not too much wrong,
Sebastian

-=> Sebastian Bleikamp
-=> EMail: <Sebastian.Bleikamp@web.de>
-=> Phone: +49-172-6545394

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux