Re: iptables and iproute

On Mon 26/04/2004 at 10:08, Antonio Alvarez wrote:
> > You can mangle them in OUTPUT chain...
> Uhm.... not sure. You can mangle the packet, but when the packet goes
> out, it has already been routed :-(

Not quite, there's a second round for altered packets ;)
The routing process is called once while the packet is built, to
determine which interface it will be sent on, and hence which source
address it is given. If the packet is altered in the OUTPUT chain, it is
routed again so that it stays consistent with the routing table.

What I've just tested:

root@anduril:~# echo 200 test >> /etc/iproute2/rt_tables
root@anduril:~# ip rule add fwmark 2 table test
root@anduril:~# ip route add default via 192.168.1.123 dev eth1 \
			table test
root@anduril:~# ip route flush cache

Then for Netfilter:

root@anduril:~# iptables -t nat -A OUTPUT -d 192.168.11.0/24 \
			-j MARK --set-mark 2

My configuration is eth0 to the usual network with the default route, and
eth1 to 192.168.1.1/24. If I ping 192.168.11.1, packets are rerouted to
the new gateway, using the correct interface:

root@anduril:~# tcpdump -i eth1
tcpdump: listening on eth1
10:50:21.917025 192.168.2.45 > 192.168.11.1: icmp: echo request (DF)
10:50:22.916930 192.168.2.45 > 192.168.11.1: icmp: echo request (DF)
10:50:23.916850 192.168.2.45 > 192.168.11.1: icmp: echo request (DF)
10:50:24.916769 192.168.2.45 > 192.168.11.1: icmp: echo request (DF)

So things are OK, except for the source address, which is eth0's. So I
just have to add a SNAT rule to make things OK:

root@anduril:~# iptables -t nat -A POSTROUTING -o eth1 \
			-j SNAT --to 192.168.1.1

And then :

root@anduril:~# tcpdump -i eth1
tcpdump: listening on eth1
10:58:09.046686 192.168.1.1 > 192.168.11.2: icmp: echo request (DF)
10:58:10.045704 192.168.1.1 > 192.168.11.2: icmp: echo request (DF)
10:58:11.045624 192.168.1.1 > 192.168.11.2: icmp: echo request (DF)
10:58:12.045546 192.168.1.1 > 192.168.11.2: icmp: echo request (DF)

So it should work with your setting as well.


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
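The mark-then-reroute-then-SNAT sequence from the mail above, as an added example that is not part of the original message: it prints the commands for review rather than running them, guards against appending a duplicate rt_tables entry on re-runs, puts the MARK target in the mangle table's OUTPUT chain (where iptables documents it as affecting routing of locally generated packets; the mail used the nat table), narrows the SNAT to the marked destination, and checks `ip rule show` / `ip route show table` output to confirm the policy route is in place. Mark, table name/id, gateway, interface, destination prefix and SNAT address are placeholders taken from the mail's layout.

```shell
#!/bin/sh
# Placeholder values mirroring the mail's setup; adjust for a real host.
MARK=2
TABLE=test
TABLE_ID=200
GW=192.168.1.123
OIF=eth1
DST=192.168.11.0/24
SNAT_TO=192.168.1.1

# Print the commands that would be applied so they can be reviewed first.
# The rt_tables line is only added if missing, since the mail's ">>" would
# append a duplicate on every run. MARK goes in mangle/OUTPUT, and the SNAT
# is restricted to the rerouted destination instead of all eth1 traffic.
render_setup() {
    cat <<EOF
grep -q "^$TABLE_ID $TABLE\$" /etc/iproute2/rt_tables || echo "$TABLE_ID $TABLE" >> /etc/iproute2/rt_tables
ip rule add fwmark $MARK table $TABLE
ip route add default via $GW dev $OIF table $TABLE
ip route flush cache
iptables -t mangle -A OUTPUT -d $DST -j MARK --set-mark $MARK
iptables -t nat -A POSTROUTING -o $OIF -d $DST -j SNAT --to-source $SNAT_TO
EOF
}

# Verify the policy route from captured output: $1 is the text of
# 'ip rule show', $2 is the text of 'ip route show table $TABLE'.
# Newer iproute2 prints the mark in hex (fwmark 0x2), older ones in
# decimal, so both spellings are accepted. Returns 0 if the fwmark rule
# and the table's default route via the expected gateway are both present.
check_policy_route() {
    rules=$1
    routes=$2
    hexmark=$(printf '0x%x' "$MARK")
    printf '%s\n' "$rules" \
        | grep -Eq "fwmark ($hexmark|$MARK) lookup $TABLE( |\$)" || return 1
    printf '%s\n' "$routes" \
        | grep -Eq "^default via $GW dev $OIF( |\$)" || return 1
    return 0
}
```

Run `render_setup` on the host, apply the printed commands, then feed the real `ip rule show` and `ip route show table test` output to `check_policy_route` to confirm the rule and route took effect.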


