Re: Pb routing/fwmark

Linux Advanced Routing and Traffic Control

Frédéric Massot wrote:
Hi,

I have a computer which is used as router/firewall/VPN with four network cards: one connected to the LAN (br0, 10.0.0.0/24), the three others to three different ISPs: eth0 192.168.1.0/29, eth1 192.168.0.0/24, eth2 192.168.2.0/29.

This computer runs Linux 2.6.11 with the Julian Anastasov routes patch.

The default configuration is to balance the load over the three interfaces.

Then, I must route certain services to certain interfaces:

- LAN to Internet 3389/TCP --> eth2
- Router to Internet 25/TCP --> eth2
- LAN to Internet 80/TCP --> eth1

I have this routing policy:

$ ip rule
0:      from all lookup local
50:     from all lookup main
101:    from all fwmark 0xd3d lookup 203
103:    from all fwmark 0x19 lookup 203
104:    from all fwmark 0x50 lookup 202
201:    from 192.168.1.0/29 lookup 201
202:    from 192.168.0.0/24 lookup 202
203:    from 192.168.2.0/29 lookup 203
222:    from all lookup 222
32766:  from all lookup main
32767:  from all lookup default

$ ip route list table main
193.253.176.56 dev eth0  scope link
81.56.255.222 dev eth1  scope link
195.6.84.110 dev eth2  scope link
192.168.2.0/29 dev eth2  proto kernel  scope link  src 192.168.2.1
192.168.1.0/29 dev eth0  proto kernel  scope link  src 192.168.1.1
192.168.254.0/26 dev eth0  scope link
10.0.0.0/24 dev br0  proto kernel  scope link  src 10.0.0.3
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1

$ ip route list table 201
default via 192.168.1.6 dev eth0  proto static  src 192.168.1.1
prohibit default  proto static  metric 1

$ ip route list table 202
default via 192.168.0.6 dev eth1  proto static  src 192.168.0.1
prohibit default  proto static  metric 1

$ ip route list table 203
default via 192.168.2.6 dev eth2  proto static  src 192.168.2.1
prohibit default  proto static  metric 1

$ ip route list table 222
default  proto static
        nexthop via 192.168.1.6  dev eth0 weight 1
        nexthop via 192.168.0.6  dev eth1 weight 4
        nexthop via 192.168.2.6  dev eth2 weight 4


And I mark the packets with these rules:

iptables -t mangle -A PREROUTING -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 80



My problem is that HTTP is routed to all the interfaces, SMTP seems to be routed to the right interface (eth2), and TSE (3389) is routed to all the interfaces.

I do not understand what the problem is; can you help me?


Hi,

In my preceding example, I had enabled connection tracking:

iptables -t mangle -A PREROUTING -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A POSTROUTING -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

And I mark the packets with these rules:

iptables -t mangle -A PREROUTING -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 80

That did not work! :(

I disabled connection tracking and modified the rules like this, and that seems to work:

iptables -t mangle -A FORWARD -o eth0 -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A FORWARD -o eth1 -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A FORWARD -o eth2 -p tcp --dport 3389 -j MARK --set-mark 3389

iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A OUTPUT -o eth2 -p tcp --dport 3389 -j MARK --set-mark 3389

iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 3389 -j MARK --set-mark 3389

iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A OUTPUT -o eth2 -p tcp --dport 25 -j MARK --set-mark 25

iptables -t mangle -A FORWARD -o eth0 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A FORWARD -o eth1 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A FORWARD -o eth2 -p tcp --dport 80 -j MARK --set-mark 80

iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A OUTPUT -o eth2 -p tcp --dport 80 -j MARK --set-mark 80

iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 80 -j MARK --set-mark 80


Can you tell me if this is the right method?

I am astonished at having to mark the packets on the three output interfaces.

Regards.
--
==============================================
|              FREDERIC MASSOT               |
|     http://www.juliana-multimedia.com      |
|   mailto:frederic@xxxxxxxxxxxxxxxxxxxxxx   |
===========================Debian=GNU/Linux===
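As an added illustration that is not part of Frédéric's post, the following Python model walks the `ip rule` and `ip route` configuration quoted above with the Linux FIB semantics (rules by priority, longest prefix then lowest metric, fall-through when a table has no route, `prohibit` terminating the lookup) so one can check which egress a packet with a given source and fwmark should get, and why marked traffic is rejected rather than re-balanced once its ISP gateway is dead. The `dead` parameter and the string form of the result are this example's own conventions.

```python
import ipaddress

# Rules and tables transcribed from the ip rule / ip route output quoted above
# (the local table and the duplicate main rule at 32766 are omitted).
RULES = [  # (priority, "from" prefix, fwmark, table); None matches anything
    (50, None, None, "main"),
    (101, None, 3389, "203"),  # ip rule prints the mark as 0xd3d
    (103, None, 25, "203"),    # 0x19
    (104, None, 80, "202"),    # 0x50
    (201, "192.168.1.0/29", None, "201"),
    (202, "192.168.0.0/24", None, "202"),
    (203, "192.168.2.0/29", None, "203"),
    (222, None, None, "222"),
]
# (prefix, next-hop devices, metric); ["prohibit"] is the metric-1 reject route.
TABLES = {
    "main": [("192.168.2.0/29", ["eth2"], 0), ("192.168.1.0/29", ["eth0"], 0),
             ("10.0.0.0/24", ["br0"], 0), ("192.168.0.0/24", ["eth1"], 0)],
    "201": [("0.0.0.0/0", ["eth0"], 0), ("0.0.0.0/0", ["prohibit"], 1)],
    "202": [("0.0.0.0/0", ["eth1"], 0), ("0.0.0.0/0", ["prohibit"], 1)],
    "203": [("0.0.0.0/0", ["eth2"], 0), ("0.0.0.0/0", ["prohibit"], 1)],
    "222": [("0.0.0.0/0", ["eth0", "eth1", "eth2"], 0)],
}

def lookup_table(table, dst, dead=frozenset()):
    """Longest prefix, then lowest metric; next hops on a `dead` device are skipped."""
    best = None
    for prefix, devs, metric in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        alive = [d for d in devs if d not in dead]  # assumed dead-gateway removal
        if dst not in net or not alive:
            continue
        key = (net.prefixlen, -metric)
        if best is None or key > best[0]:
            best = (key, alive)
    return "+".join(best[1]) if best else None

def route(src, dst, fwmark=0, dead=frozenset()):
    """Rules by priority: a table without a route falls through, prohibit rejects."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, frm, mark, table in RULES:
        if frm is not None and src not in ipaddress.ip_network(frm):
            continue
        if mark is not None and mark != fwmark:
            continue
        hop = lookup_table(table, dst, dead)
        if hop is not None:
            return hop
    return "unreachable"
```

Marked LAN traffic lands in table 202/203 because the main table at priority 50 holds no default route and therefore falls through; with `eth2` dead, a packet marked 3389 returns `prohibit` instead of falling back to the balanced table 222.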

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
