Objective:
All web traffic originating from my proxy server should be forwarded through interface eth2 instead of the default eth0. The reply should take the same path back to the proxy server.
Problem:
On the return bout, the kernel doesn’t pass the packet to the higher layers. The reply seems to be getting tossed away between PREROUTING and INPUT Netfilter chains.
Host Setup:
Kernel Version: 2.4.22 with Netfilter base patches from CVS Sept. 10; Redhat 9 options w/all Netfilter modules
Network Map: eth0 --- Default Route, Default Internet Access eth2 -| eth3 -|- Alternative Internet Access eth4 -|
Relevant Configuration: <Squid proxy is set to use <eth2_ip> as its outgoing address> iptables -t mangle -A OUTPUT -m owner --uid-owner squid1 -p tcp --dport 80 -j MARK --set-mark 1 iptables -t mangle -A POSTROUTING -o eth2 --source ! <eth2_ip> -j DROP ip rule add fwmark 1 table 100 ip route add default via <eth2_gw> src <eth2_ip> dev eth2 table 100 <Logs for mangle in,out.pre,post> <NAT / Filter tables are basically empty for this test>
Results:
Sep 22 11:20:02 gw2 kernel: OUTPUT - IN= OUT=eth0 SRC="" DST=216.239.39.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26601 DF PROTO=TCP SPT=37984 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 <Strange that the first round of routing didn't use the <eth2_ip> to force the outgoing interface> Sep 22 11:20:02 gw2 kernel: POSTROUTING - IN= OUT=eth2 SRC="" DST=216.239.39.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26602 DF PROTO=TCP SPT=37984 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 <Ok, its looking better after the fwmark is processed> Sep 22 11:20:02 gw2 kernel: PREROUTING - IN=eth2 OUT= MAC=00:05:5d:64:9a:f2:00:00:77:92:56:92:08:00 SRC="" DST=<eth2_ip> LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=16723 PROTO=TCP SPT=80 DPT=37984 WINDOW=8190 RES=0x00 ACK SYN URGP=0 <IP_CONNTRTACK detects SYN_RECV> <netstat detects SYN_SENT> <Kernel retries sending SYN until timeout> <So, it never reaches back up to the socket layer... I’m screwed>
|