fwmark routing of locally generated packets

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I'm currently trying to get a Linux machine to route all traffic coming
from a certain UID over a dedicated PPP interface. After going throught
the available documentation and experimenting a bit, I settled for the
following attempt:


# 62.46.87.104 - local PPP address
# 195.4.91.104 - PPP peer
ip route add 195.3.91.104 dev ppp0 src 62.46.87.104 table special
# local for DNS etc
ip route add 192.168.1.0/24 dev eth0 src 192.168.1.1 table special
ip route add default via 195.3.91.104 src 62.46.87.104 table special
ip rule add fwmark 3 lookup special
iptables -t mangle -A OUTPUT -m owner --uid-owner freenet -j MARK --set-mark 3
ip route flush cache

This seems to work in a way. It correctly sends the packets generated by
that user out the ppp0 interface, but they don't get the correct source
address:

| sophokles:~# sh -x description.txt 
| + ip route flush table aonc
| + ip route add 195.3.91.103 dev ppp0 src 62.46.86.137 table aonc
| + ip route add 192.168.1.0/24 dev eth0 src 192.168.1.1 table aonc
| + ip route add default via 195.3.91.103 src 62.46.86.137 table aonc
| + ip rule add fwmark 3 lookup aonc
| + iptables -t mangle -A OUTPUT -m owner --uid-owner freenet -j MARK
| --set-mark 3
| + ip route flush cache
| sophokles:~# tcpdump -ni ppp0 port 22  & 
| [1] 841
| sophokles:~# tcpdump: listening on ppp0
| 
| sophokles:~# nc iwoars.net 22
| SSH-1.99-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
| 
| sophokles:~# su - freenet
| freenet@sophokles:~$ nc iwoars.net 22
| 01:25:17.044883 192.168.1.1.32848 > 217.160.110.113.22: SWE
| 1344336467:1344336467(0) win 5840 <mss 1460,sackOK,timestamp 2056533
| 0,nop,wscale 0> (DF)
| 01:25:20.043828 192.168.1.1.32848 > 217.160.110.113.22: SWE
| 1344336467:1344336467(0) win 5840 <mss 1460,sackOK,timestamp 2059533
| 0,nop,wscale 0> (DF)
| 01:25:26.042584 192.168.1.1.32848 > 217.160.110.113.22: SWE
| 1344336467:1344336467(0) win 5840 <mss 1460,sackOK,timestamp 2065533
| 0,nop,wscale 0> (DF)
| 
| freenet@sophokles:~$ 

I've read on this list that owner-based policy routing is impossible
because the routing decision is made before the packet traverses the
OUTPUT chain. However, if this is true, then I don't understand how the
packet can go out via the correct interface unless there are separate
route lookups to determine the source address and outgoing interface.

Could someone who knows please elaborate?

I have also tried, unsuccessfully, to just mangle the source address
using an iptables SNAT rule, but even though that produces correct
network traffic, it seems to break something internally that keeps the
TCP handshake from completing:

| sophokles:~# iptables -t nat -A POSTROUTING -j SNAT -o ppp0 --to-source
| 62.46.86.137
| sophokles:~# su - freenet
| freenet@sophokles:~$ nc iwoars.net 22
| 01:30:16.448930 62.46.86.137.32849 > 217.160.110.113.22: SWE
| 1656968486:1656968486(0) win 5840 <mss 1460,sackOK,timestamp 2356000
| 0,nop,wscale 0> (DF)
| 01:30:16.516732 217.160.110.113.22 > 62.46.86.137.32849: S
| 2293250552:2293250552(0) ack 1656968487 win 32120 <mss
| 1460,sackOK,timestamp 313375234 2356000,nop,wscale 0> (DF)
| 01:30:19.448146 62.46.86.137.32849 > 217.160.110.113.22: SWE
| 1656968486:1656968486(0) win 5840 <mss 1460,sackOK,timestamp 2359000
| 0,nop,wscale 0> (DF)
| 01:30:19.518099 217.160.110.113.22 > 62.46.86.137.32849: S
| 2293250552:2293250552(0) ack 1656968487 win 32120 <mss
| 1460,sackOK,timestamp 313375535 2356000,nop,wscale 0> (DF)
| 01:30:19.823023 217.160.110.113.22 > 62.46.86.137.32849: S
| 2293250552:2293250552(0) ack 1656968487 win 32120 <mss
| 1460,sackOK,timestamp 313375566 2356000,nop,wscale 0> (DF)
| [...]

ciao,
-- 
[*Thomas  Themel*]   Since you obviously haven't lurked enough,
[extended contact]   we subtly tell lusers to piss off via the words "piss
[info provided in]   off, luser".  
[*message header*]      - David P. Murphy in the monastery

Attachment: pgp00195.pgp
Description: PGP signature


[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux