Re: iptables and iproute

On Mon, 26-04-2004 at 09:59, Cedric Blancher wrote:
> On Mon 26/04/2004 at 10:08, Antonio Alvarez wrote:
> > > You can mangle them in OUTPUT chain...
> > Uhm.... not sure. You can mangle the packet, but by the time the packet
> > goes out it has already been routed :-(
> 
> Not quite, there's a second round for altered packets ;)
> One routing process is called for packet building, in order to determine
> which interface it will get sent to, and so which source address it is
> given. If the packet is altered in the OUTPUT chain, then it will get
> routed again so it stays consistent with the routing table.
> 
It works perfectly,
tested too... :-)
> What I've just tested :
> 
> root@anduril:~# echo 200 test >> /etc/iproute2/rt_tables
> root@anduril:~# ip rule add fwmark 2 table test
> root@anduril:~# ip route add default via 192.168.1.123 dev eth1 \
>         table test
> root@anduril:~# ip route flush cache
> 
> Then for Netfilter :
> 
> root@anduril:~# iptables -t mangle -A OUTPUT -d 192.168.11.0/24 \
>         -j MARK --set-mark 2
> 
> My configuration is eth0 to usual network with default route, and eth1
> to 192.168.1.1/24. If I ping 192.168.11.1, packets are rerouted to new
> gateway, using correct interface :
> 
> root@anduril:~# tcpdump -i eth1
> tcpdump: listening on eth1
> 10:50:21.917025 192.168.2.45 > 192.168.11.1: icmp: echo request (DF)
> 10:50:22.916930 192.168.2.45 > 192.168.11.1: icmp: echo request (DF)
> 10:50:23.916850 192.168.2.45 > 192.168.11.1: icmp: echo request (DF)
> 10:50:24.916769 192.168.2.45 > 192.168.11.1: icmp: echo request (DF)
> 
> So things are OK, except for the source address, which is eth0's. So I
> just have to add a SNAT rule to make things OK :
> 
> root@anduril:~# iptables -t nat -A POSTROUTING -o eth1 \
>         -j SNAT --to 192.168.1.1
> 
To solve this problem you can use
ip route add default via 192.168.1.123 dev eth1 src 192.168.1.1 table test
> And then :
> 
> root@anduril:~# tcpdump -i eth1
> tcpdump: listening on eth1
> 10:58:09.046686 192.168.1.1 > 192.168.11.2: icmp: echo request (DF)
> 10:58:10.045704 192.168.1.1 > 192.168.11.2: icmp: echo request (DF)
> 10:58:11.045624 192.168.1.1 > 192.168.11.2: icmp: echo request (DF)
> 10:58:12.045546 192.168.1.1 > 192.168.11.2: icmp: echo request (DF)
> 
> So it should work with your setting as well.
> 
Thanks again
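The complete setup the thread arrives at (mark in the mangle OUTPUT chain, fwmark rule, dedicated table with a src address instead of SNAT), written up as an added example script that is not from either poster. The addresses, table name and interface are taken from the thread; DRY_RUN, RT_TABLES and the verify step are this example's own additions.

```shell
#!/bin/sh
# Added example: policy-route locally generated packets for $DEST out of
# eth1 with the source address fixed by the route's src option (no SNAT).
# Values are the thread's; change them for your own hosts. Run as root;
# DRY_RUN=1 only records the commands so the plan can be reviewed first.
MARK=2
TABLE_ID=200
TABLE=test
IFACE=eth1
GATEWAY=192.168.1.123                 # next hop on the eth1 network
SRC=192.168.1.1                       # our own eth1 address
DEST=192.168.11.0/24                  # traffic that must leave via eth1
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
DRY_RUN=${DRY_RUN:-0}
PLAN=""                               # commands recorded in dry-run mode

# run: execute a command, or append it to PLAN when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        PLAN="${PLAN}$*
"
    else
        "$@" || return 1
    fi
}

setup_policy_route() {
    # Register the table name once; repeated runs must not duplicate it.
    grep -q "^$TABLE_ID[[:space:]]*$TABLE\$" "$RT_TABLES" 2>/dev/null \
        || run sh -c "echo '$TABLE_ID $TABLE' >> $RT_TABLES"
    # Packets carrying the mark consult the dedicated table.
    run ip rule add fwmark "$MARK" table "$TABLE"
    # src picks the eth1 address during the second routing pass, so the
    # POSTROUTING SNAT rule from the thread is not needed.
    run ip route add default via "$GATEWAY" dev "$IFACE" src "$SRC" table "$TABLE"
    run ip route flush cache
    # MARK is only accepted in the mangle table. Locally generated packets
    # are marked in OUTPUT and then re-routed against the fwmark rule.
    run iptables -t mangle -A OUTPUT -d "$DEST" -j MARK --set-mark "$MARK"
}

# verify_policy_route: ask the kernel which route a marked packet would
# take; success means it leaves via $IFACE with $SRC as source address.
verify_policy_route() {
    ip route get "${DEST%/*}" mark "$MARK" | grep -q "dev $IFACE .*src $SRC"
}
```

Apply with `setup_policy_route && verify_policy_route`; if verify fails, compare `ip rule show` and `ip route show table test` against the plan before touching the firewall rules.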