Re: Problems with policy based routing

> From "rwaeger@xxxxxxxxxx" <rwaeger@xxxxxxxxxx> on 16 May 2003:

Apologies if I am stating the obvious here.
But based on your description:

> We're trying to setup a policy based Linux router to route "normal" 
> services (like http(s) or ftp) over a DSL line and all other services
> (like smtp, ssh, pop3) over a leased line. The leased line router is 
> listening to an official IP net. There are some internal servers (mail 
> and web) which are using official IPs (but nated at Firewall-1). All 
> traffic for and from these servers have to go over eth1. 
 
It seems logical to me to configure the "main" routing tables as if the
DSL line didn't exist, i.e.:

- Add routes so that any traffic for the internal network is sent via eth0.
- Add a default route that points to eth1 (the leased line) to handle
  everything else.

Then create a second routing table "dslout" which handles the DSL line, i.e.:

- Add routes so that any traffic for the internal network is sent via eth0.
- Add routes for any special cases that are needed on the leased line
  (via eth1). Special cases are only for specific IPs such as
  administrative interfaces on routers (on the leased line).
- Add a default route that points to eth2 (the DSL line) to handle
  everything else.


Add the rule using a fwmark:

ip rule add fwmark 1 table dslout


Then use iptables to mark the packets

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp --dport ftp -j MARK --set-mark 1


I know this is pretty similar to what you have already, however there
are a few changes that I would like to highlight:

- It is not necessary to specify source or destination IP addresses
  in the marking rules as either routing table will handle the 
  packets correctly.
- I am only using one fwmark because I do not believe the second
  fwmark gains anything.
- I am not adding a mangle rule for ftp-data because this will only
  catch passive ftp connections.
- I am not certain but I believe that if you insmod the Linux ftp
  conntrack module it should route ftp data along the same route as
  the original control connection. Note: You may need to add some state
  tracking rules to the FORWARD chain in order to get the conntrack module
  to work correctly.

Please bear in mind that I am pretty new to this myself, so what I have
said may be wrong. But hopefully it might help,

David
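The procedure in the reply above (a "main" table without the DSL line, a
"dslout" table with the DSL default, one fwmark rule, mangle marks on the
web and ftp control ports, the ftp conntrack helper) assembled into one
script. This is an added example, not David's code or anything posted in
the thread. Interface names, the LAN prefix, the two gateways and the
"leased-line only" hosts are assumptions (RFC 5737 documentation
addresses); the table id, the MASQUERADE on the DSL side, the FORWARD
state rule and the rp_filter setting are likewise additions the reply only
hints at or does not mention. The ftp-data part works because a connection
expected by the ftp helper inherits the connmark of its control connection,
so restoring the connmark onto each packet sends ftp-data down the same
route as the control connection was marked for; no separate ftp-data mark
is needed.

```shell
#!/bin/sh
# Policy routing: web/ftp over the DSL line, everything else over the
# leased line. Added example; the names and addresses below are assumptions
# chosen to match the layout described in the thread:
#
#   eth0  internal LAN     192.0.2.0/24
#   eth1  leased line      gateway 198.51.100.1  (default route in "main")
#   eth2  DSL line         gateway 203.0.113.1   (default route in "dslout")

LAN_IF=eth0;    LAN_NET=192.0.2.0/24
LEASED_IF=eth1; LEASED_GW=198.51.100.1
DSL_IF=eth2;    DSL_GW=203.0.113.1
TABLE=dslout    # name registered in /etc/iproute2/rt_tables
TABLE_ID=200    # assumed free table number
MARK=1
# Hosts reached via the leased line even from "dslout" (router admin
# interfaces in the reply); assumed addresses.
LEASED_ONLY="198.51.100.2 198.51.100.3"
# TCP ports sent over the DSL line. Only the ftp control port is listed:
# ftp-data follows via the conntrack helper plus CONNMARK (see below).
DSL_PORTS="80 443 21"

# Print an idempotent iptables rule: check with -C, append only when absent
# (-C needs iptables >= 1.4.11; on older releases drop the check).
iptables_rule() {
    printf 'iptables -t %s -C %s 2>/dev/null || iptables -t %s -A %s\n' "$1" "$2" "$1" "$2"
}

# Emit every command in order without executing anything, so the plan can
# be reviewed first. "replace" makes the route commands safe to re-run.
pbr_commands() {
    printf 'grep -q "[[:space:]]%s$" /etc/iproute2/rt_tables || echo "%s %s" >> /etc/iproute2/rt_tables\n' \
        "$TABLE" "$TABLE_ID" "$TABLE"

    # main: configured as if the DSL line did not exist
    printf 'ip route replace %s dev %s\n' "$LAN_NET" "$LAN_IF"
    printf 'ip route replace default via %s dev %s\n' "$LEASED_GW" "$LEASED_IF"

    # dslout: same LAN route, leased-line special cases, then the DSL default
    printf 'ip route replace %s dev %s table %s\n' "$LAN_NET" "$LAN_IF" "$TABLE"
    for h in $LEASED_ONLY; do
        printf 'ip route replace %s via %s dev %s table %s\n' "$h" "$LEASED_GW" "$LEASED_IF" "$TABLE"
    done
    printf 'ip route replace default via %s dev %s table %s\n' "$DSL_GW" "$DSL_IF" "$TABLE"

    # Marked packets consult dslout; delete first so a re-run adds no duplicate rule.
    printf 'ip rule del fwmark %s table %s 2>/dev/null || true\n' "$MARK" "$TABLE"
    printf 'ip rule add fwmark %s table %s\n' "$MARK" "$TABLE"
    printf 'ip route flush cache\n'

    # Helper: nf_conntrack_ftp on current kernels (ip_conntrack_ftp on the
    # 2.4-era kernels of this thread). The expected ftp-data connection
    # inherits the control connection's connmark, which --restore-mark then
    # copies onto its packets, so it hits the same fwmark rule.
    printf 'modprobe nf_conntrack_ftp\n'
    iptables_rule mangle "PREROUTING -j CONNMARK --restore-mark"
    iptables_rule mangle "PREROUTING -m mark ! --mark 0 -j ACCEPT"
    for p in $DSL_PORTS; do
        iptables_rule mangle "PREROUTING -p tcp --dport $p -j MARK --set-mark $MARK"
    done
    iptables_rule mangle "PREROUTING -m mark --mark $MARK -j CONNMARK --save-mark"

    # Assumed: the DSL side is masqueraded so replies come back over eth2,
    # and FORWARD admits the helper-expected (RELATED) data connections.
    iptables_rule nat "POSTROUTING -o $DSL_IF -j MASQUERADE"
    iptables_rule filter "FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Strict reverse-path filtering drops asymmetric flows; loose mode (2) keeps them.
    printf 'sysctl -q -w net.ipv4.conf.%s.rp_filter=2\n' "$DSL_IF"
}

# Number of commands in the plan, for a quick sanity check before applying.
pbr_command_count() { pbr_commands | wc -l | tr -d ' '; }

# Execute the plan; needs root and the interfaces named above.
pbr_apply() { pbr_commands | sh -e; }

case "${1:-show}" in
    apply) pbr_apply ;;
    *)     pbr_commands ;;
esac
```

Run it without arguments to print the plan and read it against `ip route show table main`,
`ip route show table dslout` and `ip rule show`; run it as root with `apply` to execute.
The marks are set in mangle PREROUTING, so they cover forwarded traffic only; sessions
the router itself opens need the same MARK/CONNMARK rules in mangle OUTPUT.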

