Any help please? Thanks. El Lun, 19 de Marzo de 2007, 23:57, ArcosCom Linux User escribió: > Hi, I have a suspicious problem with multiple uplinks configuration. > First of all my configuration: > 1) kernel 2.6.20.3 > 2) iptables 1.3.7 > 3) last iproute (for masked marks) > > All wan interfaces are bridged (stp disabled) in only one interface > (wan0), all lan interfaces are bridged (stp enabled) in only one interface > (zlan0). > > The wan0 bridge is to allow UPnP works. > > To allow related incoming traffic from one fisical interface I mark > connections, and the same to allow outgoing related. > > The routing rules are the same than lartc documentation plus a rule by > interface to allow the routing using marks (masked). > > The comands I use are: > > ==BEGIN== > /sbin/ip rule del prio 50 table main > /sbin/ip rule del prio 100 fwmark 0x8000/0xf000 table 150 > /sbin/ip rule del prio 150 from 217.125.139.204/26 table 150 > /sbin/ip rule del prio 101 fwmark 0x4000/0xf000 table 151 > /sbin/ip rule del prio 151 from 80.32.61.58/24 table 151 > /sbin/ip rule del prio 200 table 200 > /sbin/ip route flush table 150 > /sbin/ip route flush table 151 > /sbin/ip route flush table 200 > /sbin/iptables -t mangle -D PREROUTING -j MARCAR_IFACE > /sbin/iptables -t mangle -F MARCAR_IFACE > /sbin/iptables -t mangle -X MARCAR_IFACE > /sbin/iptables -t mangle -F MARCAR_IFACE_TRAFICO > /sbin/iptables -t mangle -X MARCAR_IFACE_TRAFICO > /sbin/iptables -t mangle -D POSTROUTING -j MARCAR_IFACE_OUT > /sbin/iptables -t mangle -F MARCAR_IFACE_OUT > /sbin/iptables -t mangle -X MARCAR_IFACE_OUT > /sbin/iptables -t mangle -N MARCAR_IFACE > /sbin/iptables -t mangle -N MARCAR_IFACE_TRAFICO > /sbin/iptables -t mangle -A MARCAR_IFACE -j CONNMARK --restore-mark > /sbin/iptables -t mangle -A MARCAR_IFACE -m mark ! --mark 0x0000/0xf000 -j > RETURN > /sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -j > MARCAR_IFACE_TRAFICO > /sbin/iptables -t mangle -N MARCAR_IFACE_OUT > /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -j CONNMARK --restore-mark > /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark ! --mark > 0x0000/0xf000 -j RETURN > /sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -i > wan0 -m physdev --physdev-in eth1 -m state --state NEW -j MARK --or-mark > 0x8000 > /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 > -o wan0 -m conntrack --ctreplsrc 217.125.139.204 -j MARK --or-mark 0x8000 > /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 > -o wan0 -m conntrack --ctrepldst 217.125.139.204 -j MARK --or-mark 0x8000 > /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 > -o wan0 -s 217.125.139.204 -j MARK --or-mark 0x8000 > /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 > -o wan0 -m conntrack --ctorigsrc 217.125.139.204 -j MARK --or-mark 0x8000 > /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 > -o wan0 -m conntrack --ctorigdst 217.125.139.204 -j MARK --or-mark 0x8000 > /sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -i > wan0 -m physdev --physdev-in eth3 -m state --state NEW -j MARK --or-mark > 0x4000 > /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 > -o wan0 -m conntrack --ctreplsrc 80.32.61.58 -j MARK --or-mark 0x4000 > /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 > -o wan0 -m conntrack --ctrepldst 80.32.61.58 -j MARK --or-mark 0x4000 > /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 > -o wan0 -s 80.32.61.58 -j MARK --or-mark 0x4000 > /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 > -o wan0 -m conntrack --ctorigsrc 80.32.61.58 -j MARK --or-mark 0x4000 > /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 > -o wan0 -m conntrack --ctorigdst 80.32.61.58 -j MARK --or-mark 0x4000 > /sbin/iptables -t mangle -A MARCAR_IFACE -j CONNMARK --save-mark > /sbin/iptables -t mangle -A MARCAR_IFACE -j RETURN > /sbin/iptables -t mangle -I PREROUTING -j MARCAR_IFACE > /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -j CONNMARK --save-mark > /sbin/iptables -t mangle -A MARCAR_IFACE_OUT -j RETURN > /sbin/iptables -t mangle -I POSTROUTING -j MARCAR_IFACE_OUT > /sbin/ip rule add prio 50 table main > /sbin/ip rule add prio 100 fwmark 0x8000/0xf000 table 150 > /sbin/ip rule add prio 150 from 217.125.139.204/26 table 150 > /sbin/ip route add default via 217.125.139.193 dev wan0 src > 217.125.139.204 proto static table 150 > /sbin/ip route append prohibit default table 150 metric 1 proto static > /sbin/ip rule add prio 101 fwmark 0x4000/0xf000 table 151 > /sbin/ip rule add prio 151 from 80.32.61.58/24 table 151 > /sbin/ip route add default via 80.32.61.1 dev wan0 src 80.32.61.58 proto > static table 151 > /sbin/ip route append prohibit default table 151 metric 1 proto static > /sbin/ip rule add prio 200 table 200 > /sbin/ip route add default table 200 proto static nexthop via > 217.125.139.193 dev wan0 weight 1 nexthop via 80.32.61.1 dev wan0 weight 1 > /sbin/ip route flush cache > ==END== > > I have this "output" for all chains and routes: > ==BEGIN== > === REGLAS IPTABLES PARA EL ENRUTADO === > Chain PREROUTING (policy ACCEPT 8664K packets, 5097M bytes) > num pkts bytes target prot opt in out source > destination > 1 3348K 1832M MARCAR_IFACE 0 -- * * 0.0.0.0/0 > 0.0.0.0/0 > Chain MARCAR_IFACE (1 references) > num pkts bytes target prot opt in out source > destination > 1 3348K 1832M CONNMARK 0 -- * * 0.0.0.0/0 > 0.0.0.0/0 CONNMARK restore > 2 2841K 1653M RETURN 0 -- * * 0.0.0.0/0 > 0.0.0.0/0 MARK match !0x0/0xf000 > 3 507K 179M MARCAR_IFACE_TRAFICO 0 -- * * 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x0/0xf000 > 4 40690 2721K MARK 0 -- wan0 * 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x0/0xf000 PHYSDEV match --physdev-in eth1 > state NEW MARK or 0x8000 > 5 48680 3062K MARK 0 -- wan0 * 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x0/0xf000 PHYSDEV match --physdev-in eth3 > state NEW MARK or 0x4000 > 6 507K 179M CONNMARK 0 -- * * 0.0.0.0/0 > 0.0.0.0/0 CONNMARK save > 7 507K 179M RETURN 0 -- * * 0.0.0.0/0 > 0.0.0.0/0 > Chain MARCAR_IFACE_TRAFICO (1 references) > num pkts bytes target prot opt in out source > destination > Chain POSTROUTING (policy ACCEPT 16M packets, 8665M bytes) > num pkts bytes target prot opt in out source > destination > 1 6483K 3397M MARCAR_IFACE_OUT 0 -- * * 0.0.0.0/0 > 0.0.0.0/0 > Chain MARCAR_IFACE_OUT (1 references) > num pkts bytes target prot opt in out source > destination > 1 6483K 3397M CONNMARK 0 -- * * 0.0.0.0/0 > 0.0.0.0/0 CONNMARK restore > 2 5781K 2966M RETURN 0 -- * * 0.0.0.0/0 > 0.0.0.0/0 MARK match !0x0/0xf000 > 3 0 0 MARK 0 -- * wan0 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x0/0xf000 ctreplsrc 217.125.139.204 MARK > or 0x8000 > 4 104K 7470K MARK 0 -- * wan0 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x0/0xf000 ctrepldst 217.125.139.204 MARK > or 0x8000 > 5 135 7091 MARK 0 -- * wan0 217.125.139.204 > 0.0.0.0/0 MARK match 0x0/0xf000 MARK or 0x8000 > 6 0 0 MARK 0 -- * wan0 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x0/0xf000 ctorigsrc 217.125.139.204 MARK > or 0x8000 > 7 0 0 MARK 0 -- * wan0 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x0/0xf000 ctorigdst 217.125.139.204 MARK > or 0x8000 > 8 0 0 MARK 0 -- * wan0 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x0/0xf000 ctreplsrc 80.32.61.58 MARK or > 0x4000 > 9 101K 7298K MARK 0 -- * wan0 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x0/0xf000 ctrepldst 80.32.61.58 MARK or > 0x4000 > 10 175 7578 MARK 0 -- * wan0 80.32.61.58 > 0.0.0.0/0 MARK match 0x0/0xf000 MARK or 0x4000 > 11 0 0 MARK 0 -- * wan0 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x0/0xf000 ctorigsrc 80.32.61.58 MARK or > 0x4000 > 12 1 48 MARK 0 -- * wan0 0.0.0.0/0 > 0.0.0.0/0 MARK match 0x0/0xf000 ctorigdst 80.32.61.58 MARK or > 0x4000 > 13 702K 431M CONNMARK 0 -- * * 0.0.0.0/0 > 0.0.0.0/0 CONNMARK save > 14 702K 431M RETURN 0 -- * * 0.0.0.0/0 > 0.0.0.0/0 > === REGLAS DE ENRUTAMIENTO === > 0: from all lookup local > 50: from all lookup main > 100: from all fwmark 0x8000/0xf000 lookup uno > 101: from all fwmark 0x4000/0xf000 lookup dos > 150: from 217.125.139.204/26 lookup uno > 151: from 80.32.61.58/24 lookup dos > 200: from all lookup defecto > 32766: from all lookup main > 32767: from all lookup default > === TABLAS DE RUTAS === > === MAIN === > 217.125.139.192/26 dev wan0 proto kernel scope link src 217.125.139.204 > 80.32.61.0/24 dev wan0 proto kernel scope link src 80.32.61.58 > 192.168.3.0/24 dev zlan0 proto kernel scope link src 192.168.3.247 > 192.168.2.0/24 dev zlan0 proto kernel scope link src 192.168.2.247 > 192.168.1.0/24 dev zlan0 proto kernel scope link src 192.168.1.247 > 10.1.1.0/24 dev zlan0 proto kernel scope link src 10.1.1.6 > 169.254.0.0/16 dev zlan0 scope link > 239.0.0.0/8 dev zlan0 scope link > === wan0 TABLA 150 === > default via 217.125.139.193 dev wan0 proto static src 217.125.139.204 > prohibit default proto static metric 1 > === wan0 TABLA 151 === > default via 80.32.61.1 dev wan0 proto static src 80.32.61.58 > prohibit default proto static metric 1 > === TABLA 200 (defecto) === > default proto static > nexthop via 217.125.139.193 dev wan0 weight 1 > nexthop via 80.32.61.1 dev wan0 weight 1 > > ==END== > > The -t nat POSTROUTING rules: > ==BEGIN==Chain POSTROUTING (policy ACCEPT 58524 packets, 42M bytes) > pkts bytes target prot opt in out source > destination > 0 0 SNAT 0 -- * eth3 10.1.1.0/24 > 0.0.0.0/0 to:80.32.61.58 > 0 0 SNAT 0 -- * eth1 10.1.1.0/24 > 0.0.0.0/0 to:217.125.139.204 > 0 0 SNAT 0 -- * wan0 10.1.1.0/24 > 0.0.0.0/0 PHYSDEV match --physdev-out eth3 to:80.32.61.58 > 0 0 SNAT 0 -- * wan0 10.1.1.0/24 > 0.0.0.0/0 PHYSDEV match --physdev-out eth1 > to:217.125.139.204 > 0 0 SNAT 0 -- * eth3 10.1.1.0/24 > 0.0.0.0/0 to:80.32.61.58 > 0 0 SNAT 0 -- * eth1 10.1.1.0/24 > 0.0.0.0/0 to:217.125.139.204 > 578K 39M MASQUERADE 0 -- * wan0 10.1.1.0/24 > 0.0.0.0/0 > 0 0 MASQUERADE 0 -- * wan0:1 10.1.1.0/24 > 0.0.0.0/0 > 0 0 SNAT 0 -- * wan0 10.1.1.0/24 > 0.0.0.0/0 to:80.32.61.58 > 0 0 SNAT 0 -- * wan0 10.1.1.0/24 > 0.0.0.0/0 to:217.125.139.204 > > ==END== > > The problems I have are: > 1) If I make ssh conections from internet to the router (not to any pc > into the lan zone), sometimes the ssh sesions disconnect. > 2) If I run tcpdump as these: > tcpdump -n -i eth3 not host 80.32.61.58 > tcpdump -n -i eth1 not host 217.125.139.204 > I can see : > a) IP frames not nated, where the source address is from lan > zone. > b) Source IPs are not the correct. > With tcpdump command I expect don't see anything, instead I can see > frames as described below. > > Because the wan interface is only 1 (with 2 ip's), I only can use "-j > MASQUERADE" for the nating, I can't use -m physdev --physdev-out, > netfilter layer appears don't know what is the real outgoing interface in > the bridge wan0 and "wan0:1" is not handled by netfilter layer. > > The questions: > 1) Does anyone know if this is a known issue (the tcpdump output and > physdev issue)? > 2) Does anyone know how to use SNAT in this case (I cant use -j SNAT)? > 3) With 2.6.19.7 I were using "-m physdev --physdev-out" into the chain > "MARCAR_IFACE_OUT", but with the 2.6.20.3 updated kernel, the -m > physdev appears to be broken and I then must use -m conntrack. Is this > a good solution? > > Please, I need any help, with this configuration I discovered these > problems but I don't know how to solve them: > 1) wan0 bridge don't appears to be working 100% of time (appears that > packets from one IP in the bridge are sent to the other interface). > 2) NAT appears to be a bit confused and don't nat all packets, > MASQUERADE don't want to be working all time. > 3) -m physdev --physdev-out don't know what is the read physical > interface where the packets a sent. (Whith 2.6.19.7 kernel, this > extension were working, or, at least, there were counters in the rules. > 4) Conections from internet to the router machine are lost randomly. > > I have no problem to use POSTROUTING chain in nat table to DROP o REJECT > incorrect packets, but ... really need I to do that? > > Thanks!! All help are apretiated!! > > Regards. > > P.D.: Sorry, my english is a bit poor. > _______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc