Re: double packet

[redirecting back to linux-net]

On Sat, 17 Dec 2005, Marco Berizzi wrote:

> [Sorry for posting on this list, but I didn't have any response on 
> linux-net]
> 
> Hello.
> I have a pretty strange problem with routing and iptables mark.
> My firewall has a classic 3 NIC config: one nic connected to the
> ISP routers, one network for DMZ and the third network for my
> private network. Here is the schema:
> 
> 
> 	       HUB
> HDSL router----+----ADSL router
> 		|
> 		|
>      HDSL IP---eth0---ADSL IP
> 		|
> 		|
> 	+-------+------+
> 	|	       |
> 	|	       |
> 	|	       |
> 	|	       |
> 	|	       +-----eth1---ADSL public network and HDSL public network
> 	|	       |
> 	|	       |
> 	|	       |
> 	|	       |
> 	+-------+------+
> 		|
> 		|
> 	       eth2---172.16.1.1
> 		|
> 		|
> 		+----Private network 172.16.0.0/23

I believe it is doing exactly what you told it to do, although
obviously not what you wanted it to do.  :-)

> As you may see from the schema I have two internet connections:
> one hdsl and one adsl (for surfing the internet).
> This is the output from ip rule sh:
> 
> 0:	from all lookup local
> 200:	from all fwmark 0x2 lookup test
> 32766:	from all lookup main
> 32767:	from all lookup default

You are telling it to use routing table test for _ALL_ packets
marked with 2.

> This is the relevant piece of my firewall:
> 
> $IPTABLES -I FORWARD -s 172.16.1.15 --protocol icmp -j ACCEPT
> $IPTABLES -t nat -I POSTROUTING -s 172.16.1.15 --protocol icmp -j SNAT --to 
> 'ADSL IP'
> $IPTABLES -t mangle -I PREROUTING -s 172.16.1.15 --protocol icmp -j MARK 
> --set-mark 2

You are marking all ICMP packets with a source of 172.16.1.15 with 2
(note it doesn't matter what the destination IP address is in this case).

> This is the output from "ip route sh table main":
> 
> 'HDSL router ip' dev eth0  scope link
> 'ADSL router ip' dev eth0  scope link
> 'ADSL public network' dev eth1  proto kernel  scope link  src 'ADSL IP'
> 'HDSL public network' dev eth1  proto kernel  scope link  src 'HDSL IP'
> 172.16.0.0/23 dev eth2  proto kernel  scope link  src 172.16.1.1
> 127.0.0.0/8 dev lo  scope link
> default via 'HDSL router ip' dev eth0  metric 1
> 
> And this is the output from "ip route sh table test":
> 
> default via 'ADSL router ip' dev eth0  metric 1
> 
> So far, so good.

Not really.  The only route in the test routing table is the default
route which matches _ALL_ packets.  The end result is that you have
marked all ICMP packets with a source of 172.16.1.15 with 2 (regardless
of the destination address), which then causes the test routing table
to be used, which finally matches the test default route and causes
all such packets to be routed out eth0 via the 'ADSL router ip',
which is exactly what you're seeing from the tcpdump output.

> If I try to ping any host on the internet from the 172.16.1.15
> box, packets are natted to 'ADSL IP' and then they are routed
> through the ADSL router. But if I try to ping a system in the
> DMZ with an IP address belonging to the 'HDSL public network'
> I don't get any response. This is the tcpdump capture on
> eth0 for a single ICMP echo request:
> 
> tcpdump -p -n -i eth0 host ip 'HDSL public network host'
> 17:39:12.999287 IP 'ADSL IP' > 'HDSL public network host': ICMP echo 
> request, id 256, seq 6656, length 40
> 17:39:13.037471 IP 'ADSL IP' > 'HDSL public network host': ICMP echo 
> request, id 256, seq 6656, length 40

This is to be expected from the rules you defined.

> and this the tcpdump capture on the eth2:
> 
> tcpdump -p -n -i eth2 host ip 'HDSL public network host'
> 17:39:12.999001 IP 172.16.1.15 > 'HDSL public network host': ICMP echo 
> request, id 256, seq 6656, length 40
> 
> On eth1 I don't see any packet.

Because your test default route sent it out eth0.

> As you may see tcpdump logs two icmp echo request
> packets on the eth0 interface. Why?

I believe this is normal.  tcpdump sees the packet both at one of the
netfilter stages (I'm not sure which but presumably FORWARD or POSTROUTING)
and also at the real eth0 output device.

> I'm running vanilla Linux 2.6.14 on Slackware 10.2.
> Can anyone help me?

Since as far as I can tell you don't really want to change the normal
routing of the packets, I don't think you need to use the marking of
packets or alternate routing tables.

I hope this gives you a clue about what to change to get your
desired behavior.

						-Bill
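The rule/table walk Bill describes can be modelled to see exactly why the marked echo request leaves via eth0. The script below is an added example, not part of the thread: it reproduces the quoted `ip rule` and `ip route` output as data, applies the same longest-prefix match inside a table and fall-through between rules that the kernel uses, and then shows two ways the DMZ ping ends up on eth1 again: a more specific route in table `test`, or withholding the mark for directly connected destinations. All addresses are constructed stand-ins (RFC 5737 documentation ranges) for the quoted placeholders 'HDSL router ip', 'ADSL public network', and so on; nothing here touches the real routing stack.

```python
import ipaddress

# Constructed stand-ins for the quoted placeholders (RFC 5737 ranges).
HDSL_ROUTER = "192.0.2.1"
ADSL_ROUTER = "192.0.2.2"
ADSL_PUBLIC = "198.51.100.0/24"
HDSL_PUBLIC = "203.0.113.0/24"
PRIVATE_NET = "172.16.0.0/23"


def entry(prefix, dev, via=None):
    return {"prefix": ipaddress.ip_network(prefix), "dev": dev, "via": via}


def build_tables(fixed=False):
    """Routing tables as quoted in the thread.

    With fixed=True the 'test' table also carries a route for the HDSL
    public network; longest-prefix match then prefers it over the default."""
    main = [
        entry(HDSL_ROUTER + "/32", "eth0"),
        entry(ADSL_ROUTER + "/32", "eth0"),
        entry(ADSL_PUBLIC, "eth1"),
        entry(HDSL_PUBLIC, "eth1"),
        entry(PRIVATE_NET, "eth2"),
        entry("127.0.0.0/8", "lo"),
        entry("0.0.0.0/0", "eth0", via=HDSL_ROUTER),
    ]
    test = [entry("0.0.0.0/0", "eth0", via=ADSL_ROUTER)]
    if fixed:
        test.insert(0, entry(HDSL_PUBLIC, "eth1"))
    # 'local' holds the firewall's own (constructed) addresses; 'default' is empty.
    local = [entry(a, "lo") for a in ("172.16.1.1/32", "198.51.100.1/32", "203.0.113.1/32")]
    return {"local": local, "test": test, "main": main, "default": []}


# 'ip rule sh' as quoted: (priority, fwmark selector or None, table name).
RULES = [(0, None, "local"), (200, 2, "test"), (32766, None, "main"), (32767, None, "default")]


def lookup(table, dst):
    """Longest-prefix match inside one table; None if nothing matches."""
    best = None
    for r in table:
        if dst in r["prefix"] and (best is None or r["prefix"].prefixlen > best["prefix"].prefixlen):
            best = r
    return best


def route(dst, fwmark, tables):
    """Walk the rules in priority order.  A rule whose table holds no matching
    route falls through to the next rule, which is what the kernel does; a
    table whose only entry is a default route therefore matches everything."""
    dst = ipaddress.ip_address(dst)
    for _prio, mark, name in RULES:
        if mark is not None and mark != fwmark:
            continue
        hit = lookup(tables[name], dst)
        if hit is not None:
            return {"table": name, "dev": hit["dev"], "via": hit["via"]}
    return None


def mark_for(src, proto, dst, skip_connected=False):
    """The mangle PREROUTING rule: ICMP from 172.16.1.15 gets mark 2.

    skip_connected=True models the alternative fix of not marking traffic
    whose destination is on a directly connected network."""
    if src != "172.16.1.15" or proto != "icmp":
        return 0
    if skip_connected:
        d = ipaddress.ip_address(dst)
        if any(d in ipaddress.ip_network(n) for n in (ADSL_PUBLIC, HDSL_PUBLIC, PRIVATE_NET)):
            return 0
    return 2


if __name__ == "__main__":
    dmz_host = "203.0.113.10"          # constructed 'HDSL public network host'
    internet_host = "192.0.2.100"      # constructed host somewhere on the internet
    for label, tables in (("as posted", build_tables()), ("fixed table", build_tables(fixed=True))):
        for dst in (dmz_host, internet_host):
            m = mark_for("172.16.1.15", "icmp", dst)
            print(label, dst, "mark", m, "->", route(dst, m, tables))
    m = mark_for("172.16.1.15", "icmp", dmz_host, skip_connected=True)
    print("skip connected", dmz_host, "mark", m, "->", route(dmz_host, m, build_tables()))
```

Run as-is the "as posted" line for the DMZ host reports table `test`, dev `eth0`, via the ADSL router, matching the eth0 capture in the thread; with the extra route the same packet resolves to `eth1` from table `test`, and with the mark withheld it falls through to `main` and also reaches `eth1`. On the real box the two fixes correspond to `ip route add 'HDSL public network' dev eth1 table test` and to adding `! -d 'HDSL public network'` to the MARK rule; either is narrower than marking every ICMP packet from the host, and Bill's point stands that if the only goal is the default egress for internet traffic, the mark and the extra table are not needed at all.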