Re: policy routing on locally generated packets, ip source address selection, application routing

hi Sumit,

thanks for your note.

On Sat, 2003-08-30 at 11:37, Sumit Pandya wrote:

<snip>


> have you checked with following
> # ip rule add fwmark 2 table alternative
i'm using iproute-2.4.7-7 and have no such syntax/keyword, unless you
are referring to "alternative" as an entry in /etc/iproute2/rt_tables ...

the following script, for example, will not work as iptables does not
respect/use the src ip address as defined in the ip route statement:


             +------------------------------+ 
lan_a --->   | eth0        alice       eth1 | ----> isp_a 
             |                              | 
             +------------------------------+ 

here's alice's ifconfig 
eth0   191.168.0.254/24 
eth1   192.168.1.254/24 
eth1:1 192.168.1.100/24 

here's alice's default routing table: 
192.168.0.0/24 dev eth0  scope link 
192.168.1.0/24 dev eth1  scope link 
127.0.0.0/8 dev lo  scope link 



iptables --append OUTPUT --table mangle --match owner \
     --gid-owner 500 --jump MARK --set-mark 0x2
ip rule add fwmark 0x2 table 2
ip route add default dev eth1 src 192.168.1.100 table 2
ip route flush cache

source ip address selection is done in the output routing process which
occurs before the OUTPUT hook in netfilter, and although a route lookup
is performed with the mark, the src ip will not change -- iptables only
allows for src address in POSTROUTING.

i should also note that i just installed iptables-1.2.8-8.80.2 as
compiled by redhat, and (B) works for tcp/udp/icmp but not arp. i have
yet to discover why my build at home of 1.2.8 didn't work for icmp ...
hmmm

<snip>

> > (B) 
> > iptables --append OUTPUT --table mangle --match owner \ 
> >     --uid-owner 500 --jump MARK --set-mark 0x2 
> > 
> > iptables --append POSTROUTING --table nat --match mark \ 
> >          --mark 0x2 --jump SNAT --to-source 192.168.1.100 
> > ip route flush cache 
> > 
> > (B) is an approach to mark the locally generated packets and then snat
> > them later in the postrouting chain. this works only for tcp/udp and not
> > for icmp/arp. 
> > 
> > (C) 
> > ip route delete 192.168.1.0/24 dev eth1 
> > ip route add 192.168.1.0/24 dev eth1 src 192.168.1.100 
> > ip route flush cache 
> > 
> > (C) uses ip src address 192.168.1.100 for all tcp/udp/icmp/arp
> > communication. OUTPUT ROUTING used the src address 
> > specified in the ip route statement. 
> > 
> (B) and (C) are very ugly hacks

i would agree that (C) is pretty awful -- it was included just to show
that the output routing process uses the source address as specified. i
think that (B) is actually very useful -- it represents the only
solution that i know of to address this issue.

cheers & thanks

charles
