RE: Change of ip addresses continues.... :(


 



> I have been trying various sets of rules in various tables in order to have packets go over
> the right link, i.e. a packet's src addr should match the outgoing link's ip address. YET, there
> are some packets that always tend to go over the wrong link and thus cause the ip address
> to change. They mostly seem to be ICMP Destination Unreachable messages or DNS queries.

please verify that the ICMP dest-unreach & DNS queries are not locally generated packets from the firewall machine itself.  everything you're doing thus far applies to packets being routed through the firewall; not from the firewall--that's a whole different story...

> I tried out the rules that Daniel Chemko so generously had provided me with... and they
> don't seem to work. I am probably not doing something right. I just tried the following
> rules with no luck:
>
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A PREROUTING -m mark --mark 0 -p icmp -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -m mark --mark 0 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> iptables -t nat -A POSTROUTING -o ppp1 -j MASQUERADE
>
> Are these rules supposed to create 2 routing tables???? If they do, I don't see them?
> This is what I see:
>
> [ ]# ip rule list
> 0:      from all lookup local
> 32766:  from all lookup main
> 32767:  from all lookup 253

no--iptables commands do not create extra routing tables--you have to do this yourself.  hopefully, you've been studying up on http://lartc.org/howto/index.html (specifically http://lartc.org/howto/lartc.netfilter.html)

something like:

  echo 500 icmp >> /etc/iproute2/rt_tables
  ip rule add fwmark 1 table icmp
  ip route add default via $ICMP_LINK dev $ICMP_LINK_IF table icmp

will make the packets marked with "--set-mark 1" (icmp packets in your example), get their default gateway from the alternate routing table named "icmp"

again--this applies to packets being routed through the gateway, not to packets coming from the gateway.

-j
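Putting the reply's routing-table setup together with the marking rules, here is an added example script that is not part of the original thread or of any project's code. It prints the commands it would run and only executes them when APPLY=1 is set, so the ruleset can be reviewed first. The interface names ppp0/ppp1, the empty gateway (point-to-point links need no "via"), the mark value 1, the table number 500 and the table name "icmp" are all assumptions to be adjusted to the real setup.

```sh
#!/bin/sh
# Added example, not from the original thread: policy routing for a gateway
# with two uplinks, sending marked (here: ICMP) traffic out the second link.
# Interface names, gateway address, mark value and table number 500 are
# assumptions; change them to match the real setup.
#
# By default the script only prints the commands it would run; set APPLY=1
# to execute them (needs root).
set -eu

MAIN_IF="${MAIN_IF:-ppp0}"   # default uplink, used by the "main" table
ALT_IF="${ALT_IF:-ppp1}"     # alternate uplink for marked traffic
ALT_GW="${ALT_GW:-}"         # gateway on ALT_IF; empty for point-to-point (ppp) links
MARK_ALT=1                   # fwmark that selects the alternate table
TABLE_NUM=500                # routing table id; also registered under the name "icmp"
APPLY="${APPLY:-0}"

# Print the command, or execute it when APPLY=1.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi
}

# 1. The extra routing table. iptables never creates one: it must have its own
#    default route, and an ip rule must send marked packets to it.
setup_routing() {
    grep -qs "^$TABLE_NUM icmp" /etc/iproute2/rt_tables ||
        run sh -c "echo '$TABLE_NUM icmp' >> /etc/iproute2/rt_tables"
    run ip rule add fwmark "$MARK_ALT" table "$TABLE_NUM"
    if [ -n "$ALT_GW" ]; then
        run ip route add default via "$ALT_GW" dev "$ALT_IF" table "$TABLE_NUM"
    else
        run ip route add default dev "$ALT_IF" table "$TABLE_NUM"
    fi
    run ip route flush cache
}

# 2. Marking. Classify only packets that carry no mark restored from their
#    connection, otherwise an established flow can be re-routed onto the other
#    link mid-connection. Note the match is "--mark 0" (unmarked), not "! --mark 0".
mark_chain() {
    chain="$1"
    run iptables -t mangle -A "$chain" -j CONNMARK --restore-mark
    run iptables -t mangle -A "$chain" -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -A "$chain" -m mark --mark 0 -p icmp -j MARK --set-mark "$MARK_ALT"
    run iptables -t mangle -A "$chain" -j CONNMARK --save-mark
}

setup_firewall() {
    # Forwarded traffic is classified in PREROUTING ...
    mark_chain PREROUTING
    # ... but packets the gateway itself generates (its own DNS lookups, the
    # ICMP errors it emits) never traverse PREROUTING; they must be marked in
    # OUTPUT or they follow the main table regardless of the rules above.
    mark_chain OUTPUT
    # Source NAT per link, so the source address always matches the link the
    # routing decision picked.
    run iptables -t nat -A POSTROUTING -o "$MAIN_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$ALT_IF" -j MASQUERADE
}

main() {
    setup_routing
    setup_firewall
}

main
```

Two things worth knowing when reading the output. ICMP errors such as Destination Unreachable are tracked as RELATED to the flow that triggered them, so with `--restore-mark` they inherit that flow's mark and leave by the same link as the flow did; that only helps for forwarded traffic, which is why the script repeats the marking in mangle OUTPUT for the gateway's own packets (the kernel re-runs the route lookup after mangle OUTPUT when the mark changes, but the source address was already chosen, so the per-interface MASQUERADE is what finally makes it match the link). If return traffic on the second link gets silently dropped, check strict reverse-path filtering on that interface (net.ipv4.conf.<if>.rp_filter) and relax it to loose mode (2) or disable it for that interface.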


