Re: [LARTC] port-mapping with 2 isps

Linux Advanced Routing and Traffic Control

[ Diego; I figured others would be interested in this answer, so I am
  copying the list. ]

 : > See the thread which starts here:
 : >
 : >   http://mailman.ds9a.nl/pipermail/lartc/2003q2/007952.html
 : >
 : > And the magic happens here:
 : >
 : >   http://mailman.ds9a.nl/pipermail/lartc/2003q2/008090.html
 :
 : Thanks a lot! Maybe I can now see some light on this problem :)
 :
 : I was thinking of marking the output packet on the host server (with
 : the same mark I'm using on the router box to route through the
 : non-default gw). If I understood correctly, this is what has been done
 : in the example below ...

Not quite (if I understand your explanation).  First and foremost, the
fwmark is packet meta-data which does not survive once the packet leaves a
router.

The cleverness of the solution is to take advantage of the connection
tracking mechanism (which keeps state), to set an fwmark on a packet as
soon as the packet enters the machine.

Now your stateless IP routing mechanism (FIB || RPDB + routing tables)
makes a decision based on the packet and the meta-data (fwmark).

 : iptables -t mangle -I PREROUTING -m conntrack --ctstate DNAT \
 :   --ctorigdst eee.fff.ggg.11 -j MARK --set-mark 2
 :
 : ip rule add fwmark 2 table T2
 :
 : But yet I don't understand why rp_filter should be turned off...

rp_filter (reverse path filtering) described:

  http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html#AEN616

rp_filter is a sysctl which tells your linux box to take some
anti-spoofing measures.  Naturally, this anti-spoofing technique works to
your disadvantage if you wish to be able to reach a particular network (in
this case 0/0) through multiple interfaces.  So, if you don't want the
kernel happily throwing away packets arriving on unexpected interfaces,
simply put a lightweight zero in rp_filter.

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@xxxxxxxxxxxxxx
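The complete router-side set-up the thread arrives at (conntrack-based mark, fwmark rule, second routing table, rp_filter zeroed), as an added example that is not part of the original message. The gateway, interface name and the rt_tables entry are assumed placeholders; only the address eee.fff.ggg.11, mark 2 and table T2 come from the thread, and the script only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread): router with two ISPs, where the
# router DNATs the second ISP's public address to an internal server and
# must send that server's replies back out via the second ISP.
ISP2_ADDR="eee.fff.ggg.11"   # public address the router DNATs (from the thread)
ISP2_GW="198.51.100.1"       # placeholder: second ISP's gateway
ISP2_IF="eth1"               # placeholder: interface towards the second ISP
MARK=2
TABLE=T2                     # needs a line "2 T2" in /etc/iproute2/rt_tables
DRY_RUN="${DRY_RUN:-1}"      # 1 = print the commands, 0 = execute them (root)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_policy_routing() {
    # 1. conntrack keeps the connection's original destination even after
    #    NAT rewrote it, so once the DNAT mapping exists every packet of the
    #    connection (notably the server's replies entering from the LAN side)
    #    is marked the moment it enters the router; the mark never leaves it.
    run iptables -t mangle -I PREROUTING -m conntrack --ctstate DNAT \
        --ctorigdst "$ISP2_ADDR" -j MARK --set-mark "$MARK"
    # 2. RPDB: marked packets are looked up in table T2, not the main table.
    run ip rule add fwmark "$MARK" table "$TABLE"
    # 3. T2 sends everything (0/0) out through the second ISP.
    run ip route add default via "$ISP2_GW" dev "$ISP2_IF" table "$TABLE"
    run ip route flush cache
    # 4. rp_filter drops packets whose reverse path (per the main table) is
    #    not the interface they arrived on, i.e. everything arriving on the
    #    ISP2 link.  The kernel applies the max of "all" and the per-interface
    #    value, so zero both.
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w "net.ipv4.conf.$ISP2_IF.rp_filter=0"
}

setup_policy_routing
```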
