Policy routing with IPTABLES MARK (please help me)

Linux Advanced Routing and Traffic Control

Hello,

I have a LINUX server with two internet connections available.
I want all the traffic to go over the default route, but HTTP traffic
to go over the ISP2 line.
Interfaces:
eth1 192.168.2.254  - LAN 192.168.2.x
ppp0 x.x.x.106 - remote gateway x.x.x.6  - ISP1 (default route)
eth0 192.168.164.254 - remote gateway 192.168.164.113  - ISP2 (a
hardware router)

I have the following configuration:
echo 200 gate2 >> /etc/iproute2/rt_tables

server:/etc/network# ip route
x.x.x.6 dev ppp0  proto kernel  scope link  src x.x.x.106
192.168.2.0/24 dev eth1  proto kernel  scope link  src 192.168.2.254 
192.168.164.0/24 dev eth0  proto kernel  scope link  src 192.168.164.254 
default via x.x.x.6 dev ppp0

server:/etc/network# ip route list table gate2
default via 192.168.164.113 dev eth0 

server:/etc/network# ip rule
0:      from all lookup local 
32765:  from all fwmark        1 lookup gate2 
32766:  from all lookup main 
32767:  from all lookup default 

The script:
-----------------------------------------------------
#!/bin/bash

iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -P FORWARD ACCEPT

ip route flush table gate2
ip route add default via 192.168.164.113 dev eth0 table gate2
ip rule add fwmark 0x01 table gate2
ip route flush cache

iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE

iptables -t mangle -A PREROUTING -i eth1 -s 192.168.2.0/24 -p icmp -j MARK --set-mark 0x01
iptables -t mangle -A PREROUTING -i eth1 -s 192.168.2.0/24 -p tcp -m tcp --dport 80 -j MARK --set-mark 0x01
iptables -t mangle -A PREROUTING -i eth1 -s 192.168.2.0/24 -p tcp -m tcp --dport 443 -j MARK --set-mark 0x01

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $f
done
-------------------------------------------------------
I also mark ICMP packets so that I can test my configuration using
traceroute.

It seems that my rules are working OK: with tcpdump and traceroute I
see that the HTTP traffic of the LAN computers goes over the ISP2 line. When I
connect to the WWW page that shows my public IP address, I see the
ISP2 line address. But after some time, part of the HTTP traffic
begins going over the default ISP1 line. I see that some HTTP traffic
goes over the ISP2 line (that's good), but some also goes over the default route.
And after some time, if I connect to the WWW page that shows my
public IP address, I see the default ISP1 IP address (that's bad). I
do my test browsing from one of my LAN computers; there are other
computers working in the LAN, and perhaps their HTTP traffic goes OK
(over the ISP2 line), because with
tcpdump -i eth0 net 192.168.164 and port 80
I see that there is a lot of HTTP traffic on the ISP2 line. Then I reboot
my server, and for some time (about 10 minutes) everything works OK, but
then my problem comes back... :(

I am totally lost, I don't know how to solve this problem.... :(
Perhaps somebody can see what I am doing incorrectly. I would be very
grateful if you helped me with this issue. 

    Rokas Zakarevicius


_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
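An added example (not part of Rokas's post or of LARTC) for checking the fwmark setup described above: shell functions that parse the text of `ip rule show` and `ip route show table gate2` and print the commands needed to leave exactly one fwmark rule and the expected default route in place, so the state can be inspected from pasted output without root. The function names are my own; the gateway, device and table name are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: make the fwmark -> gate2 setup
# checkable and idempotent by working on the text of `ip rule show` and
# `ip route show table gate2`. Function names are assumptions of this
# example; 192.168.164.113, eth0 and gate2 come from the post.

# Count rules that send fwmark 1 (0x1) to table gate2. `|| true` keeps the
# printed count at "0" instead of a failing exit status when nothing matches.
count_fwmark_rules() {   # $1 = output of `ip rule show`
    printf '%s\n' "$1" | grep -Ec 'fwmark +(0x0*1|1) +lookup +gate2' || true
}

# Succeed if the table dump contains the expected default route.
table_has_default() {    # $1 = output of `ip route show table gate2`, $2 = gateway, $3 = device
    printf '%s\n' "$1" | grep -Fq "default via $2 dev $3"
}

# Print the commands that bring the live state to exactly one fwmark rule and
# the right default route. Only prints; run the output with `... | sh` as root.
reconcile_cmds() {       # $1 = `ip rule show` output, $2 = `ip route show table gate2` output
    n=$(count_fwmark_rules "$1")
    if [ "$n" -eq 0 ]; then
        echo 'ip rule add fwmark 0x1 table gate2'
    elif [ "$n" -gt 1 ]; then
        # Re-running a setup script that does `ip rule add` without a matching
        # `ip rule del` can leave duplicate rules; each `del` removes one copy.
        i=1
        while [ "$i" -lt "$n" ]; do
            echo 'ip rule del fwmark 0x1 table gate2'
            i=$((i + 1))
        done
    fi
    if ! table_has_default "$2" 192.168.164.113 eth0; then
        echo 'ip route replace default via 192.168.164.113 dev eth0 table gate2'
    fi
}

# Constructed sample: `ip rule show` as it would look after the setup script
# had been run twice (two copies of the fwmark rule).
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark        1 lookup gate2
32765:  from all fwmark        1 lookup gate2
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_TABLE='default via 192.168.164.113 dev eth0'

reconcile_cmds "$SAMPLE_RULES" "$SAMPLE_TABLE"   # prints one `ip rule del fwmark 0x1 table gate2` line
```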
