This doesn't work, since I need to route back through ISP1 the replied packets from traffic coming in through eth0 but destined to a host after the gateway. The mark is known only on the gateway (where netfilter is running) and the real destination host doesn't get it. I tried even TOS, which mangles the incoming packet and arrives at the destination host, but the responses to these packets aren't always replied with the same TOS (for ICMP it seems to work, but for TCP not), so that I couldn't (again) distinguish these replied packets from the destination host from established packets of connections started by the destination host.

I realised that I confused some IPs in my original message, so I'm sending again the schema of my links and gateway and a sample traffic problem:

            ISP1                          ISP2 = 200.ISP.2.18
             |                              |
             | 200.ISP.1.0/24               | 200.ISP.2.16/30
             |                              |
     ------------------------------------
     |  eth0        My Gateway      eth1 |  = 200.ISP.2.17
     |                                    |  DefGW=200.ISP.2.18
     |               eth2                 |
     ------------------------------------
                      |
     ---------------------------------
     |       |       |       |       |
             200.ISP.1.64/27
             Ex.: 200.ISP.1.65

where I have:

ip rule from 200.ISP.1.64/27 to table ISP2
iptables -t nat -A POSTROUTING -s 200.ISP.1.64/27 -j SNAT --to 200.ISP.2.17

Let's say somebody at IP 66.1.1.1 tries to ssh to my host 200.ISP.1.65. This generates a packet with something like:

proto=tcp src=66.1.1.1:520 dst=200.ISP.1.65:22 SYN

arriving on eth0 of my gateway; this is then routed through eth2, reaching 200.ISP.1.65. But the ACK is something like:

proto=tcp src=200.ISP.1.65:22 dst=66.1.1.1:520 ACK

arriving on eth2 of my gateway. The gateway uses the rule with from=200.ISP.1.64/27 and uses the ISP2 routing table, but since this packet belongs to a previous connection, SNAT doesn't take place and the packet goes out on eth1 unchanged.
If ISP2 doesn't care about rp_filter this would reach 66.1.1.1 correctly (through another route), but this ACK packet doesn't reach 66.1.1.1, so I presume that ISP2 is dropping packets with src not in the expected range, in this example 200.ISP.2.16/30.

Thanks for any help

Quoting Steve Mickeler <steve@xxxxxxxxxx>:

> use iptables to mark the incoming packets and use iproute2 to route the
> packets back out based on the mark
>
> Something like this should work:
>
> iptables -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 11
>
> ip rule add fwmark 11 table ISP1
>
> > How can I route back through ISP1 (eth0) ONLY the packets of connections
> > that first started over eth0 ?
> >
> > Thanks for any help
> >
> > Alex
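As an added example (not code from the thread), this script carries the "connection arrived on eth0" decision in the conntrack mark, so the fwmark rule from the reply above also catches the LAN host's reply packets on eth2; it assumes routing tables named ISP1 and ISP2 exist in rt_tables, that `run` and `apply_routing` are helper names chosen here, and that ISP1's gateway address (`ISP1_GW`, a placeholder in the thread's notation) is not known from the thread. With DRY_RUN set the commands are only printed.

```shell
#!/bin/sh
# Added example, not from the thread: remember in the connection mark that a
# connection entered on eth0, restore that mark on the reply packets arriving
# from the LAN host on eth2, and let the fwmark rule send them back via ISP1.
# Assumes tables ISP1 and ISP2 are defined in /etc/iproute2/rt_tables.
ISP1_GW="${ISP1_GW:-200.ISP.1.1}"   # placeholder: ISP1's gateway is not given in the thread
ISP2_GW=200.ISP.2.18
LAN_NET=200.ISP.1.64/27
SNAT_IP=200.ISP.2.17
MARK_ISP1=11

# run: execute the command, or only print it when DRY_RUN is set, so the rule
# set can be reviewed (or tested) without root and without touching the host.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_routing() {
    # Per-ISP tables hold only a default route; connected networks stay in main.
    run ip route replace default via "$ISP1_GW" dev eth0 table ISP1
    run ip route replace default via "$ISP2_GW" dev eth1 table ISP2
    # First packet of a connection entering on eth0: store the mark in its conntrack entry.
    run iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK_ISP1"
    # Replies coming back from the LAN host on eth2 get the packet mark restored from
    # the connection mark; connections the LAN hosts opened themselves keep mark 0.
    run iptables -t mangle -A PREROUTING -i eth2 -j CONNMARK --restore-mark
    # The fwmark rule must be consulted before the "from LAN" rule (lower pref wins).
    run ip rule add fwmark "$MARK_ISP1" table ISP1 priority 100
    run ip rule add from "$LAN_NET" table ISP2 priority 200
    # SNAT only what really leaves via ISP2; marked replies leave via eth0 and never match.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o eth1 -j SNAT --to "$SNAT_IP"
    run ip route flush cache
}

case "${1:-}" in
    apply) apply_routing ;;
esac
```

Run as `sh script.sh apply` on the gateway, or `DRY_RUN=1 sh script.sh apply` to review the generated rule set first.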