Re: Re: multiple routing tables for internal router programs

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Andrea wrote:
This is the exact way that I used for managing traffic of my lan towards ISPs. But is this mode still valid if I want to manage services executed directly in the router? 

this rule:

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
capture all (web) traffic that crosses my router. Can I capture only the (web) traffic generated from my router and directed to internet?
Anymore, I don't need it more: I've resolved my problem, the conflict between a "ping script" (that I'm writing for multiple gateway testing)and servers executed in router too: first version of my script sets a default gateway for testing it with ping, now I've discovered that I can use a specific route involving the gateway without setting default gateway, a much better solution.
It can and can not be done at the same time, depends on what you are doing. Normally for bound services you have this: 

o	Service is bound to a specific IP 1.2.3.4
o	Its outgoing packet has SRC of 1.2.3.4
o	You mark it in the OUTPUT chain based on that SRC
o	The routing (which occurs after OUTPUT) acts on the MARK

Now what happens when there is no specific binding (you send from 0.0.0.0):

o	Program requests a socket from the kernel, supplying only a DST
o The kernel consults the _default_ routing table (because it does not know any better, there are no marks yet), and _assigns_ a SRC that seems the closest to this particular DST 
o	Everything else happens as in the scenario above
So depending on what you are doing it might help you or it might drive you insane. In your case it plays out nicely - you can request a specific interface (what you would do with the ping script), and you are guaranteed that packets are going this direction. But if you want to _balance_ locally generated traffic - you can not do anything short of NATing local connections (ugly), because the routing sort of happens before netfilter had a chance to play. 


_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux