RE: iptables source net and layer7

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello!

Thanks for your answer. I tried this but do not work.
I used tcpdump to verify the packets and saw the problem.

I have 2 internet connections ppp0 and ppp1.
ppp0 is the default route, ppp1 the default route of table 10

ip route ls
217.5.xx.xx dev ppp1  proto kernel  scope link  src 217.94.xx.xx
194.231.xx.xx dev ppp0  proto kernel  scope link  src 194.231.xx.xx
192.168.178.0/24 dev eth2  scope link
192.168.0.0/24 dev eth0  scope link
192.168.11.0/24 dev eth3  scope link
192.168.10.0/24 dev eth1  scope link
169.254.0.0/16 dev eth3  scope link
127.0.0.0/8 dev lo  scope link
default dev ppp0  scope link

ip route ls table 10
default dev ppp1  scope link


the rules are:

ip rule ls
0:      from all lookup local
32765:  from all fwmark 0x3 lookup 10
32766:  from all lookup main
32767:  from all lookup default

All packets marked with 3 should pass table 10 and route over ppp1, all
others the default route ppp1.

I setup the mark of ssh:
iptables -t mangle -A PREROUTING -s 192.168.0.0/24 -m layer7 --l7proto ssh
-j MARK --set-mark 3

i tried also:
iptables -t mangle -D PREROUTING -m layer7 --l7proto ssh -j MARK --set-mark
1
iptables -t mangle -D PREROUTING -s 192.168.0.0/24 -m mark --mark 1 -j MARK
--set-mark 3

After this I can not use ssh anymore. Tested this with tcpdump.

The ssh packets which was send to the ssh host had the source address of
ppp0 but was send over ppp1.
There seems to be a problem with source address and layer7.


ppp0 = 194.231.xx.xx
ppp1 = 217.5.xx.xx

tcpdump -i ppp1

16:56:36.648537 194.231.xx.xx.3700 > 82.96.xx.xx.ssh: P
526288655:526289143(488) ack 2398434338 win 64966 (DF)
16:56:36.648624 194.231.xx.xx.3700 > 82.96.xx.xx.ssh: P 488:504(16) ack 1
win 64966 (DF)
16:56:36.859452 194.231.xx.xx.3700 > 82.96.xx.xx.ssh: . ack 1 win 64966 (DF)


You can see, the packets were send with ppp1, but have the source address of
ppp0.


Any suggestions?

- 
Marco
 
> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-
> bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of George Alexandru Dragoi
> Sent: Sunday, October 24, 2004 11:24 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: iptables source net and layer7
> 
> First mark without the source, then use mark match, like this
> 
> iptables -t mangle -A PREROUTING -m layer7 --l7proto http -j MARK --set-
> mark 1
> iptables -t mangle  -A PREROUTING -s 192.168.0.0/24 -m mark --mark 1
> -j MARK --set-mark 2
> 
> On Sat, 23 Oct 2004 14:16:38 +0200, Marco Balle <mb@xxxxxxxxxxxxxxxx>
> wrote:
> > Hello!
> >
> > I want to mark all outgoing traffic depending on its service.
> > Example:
> >
> > eth0 = 192.168.0.1 (local interface)
> > ppp0 = 80.10.10.10 (internet 1)
> > ppp1 = 80.10.10.11 (internet 2)
> >
> > http traffic over internet 1 (ppp0) ssh traffic to interface 2 (ppp1).
> >
> > I tried the following (routing and rules are set):
> > iptables -A PREROUTING -t mangle -s 192.168.0.0/24 -p tcp --dport 80 -j
> MARK
> > --set-mark 1
> > iptables -A PREROUTING -t mangle -s 192.168.0.0/24 -p tcp --dport 22 -j
> MARK
> > --set-mark 2
> >
> > This works fine, but only for standard ports. Now I would like to use
> > layer7:
> >
> > iptables -t mangle -A PREROUTING -s 192.168.0.0/24 -m layer7 --l7proto
> http
> > -j MARK --set-mark 1
> > iptables -t mangle -A PREROUTING -s 192.168.0.0/24 -m layer7 --l7proto
> ftp
> > -j MARK --set-mark 2
> >
> > Do not work. An iptables -t mange -L -n -v does not show traffic on the
> MARK
> > rules.
> >
> > But if I do this without the source rule:
> >
> > iptables -t mangle -A PREROUTING -m layer7 --l7proto http -j MARK --set-
> mark
> > 1
> >
> > The traffic is marked. Sure, I can not open a website because the
> incoming
> > traffic is also marked and will go out to ppp0, but the layer7 works.
> >
> > Now my question:
> >
> > If I would like to use layer7, is there a way to use a source rule too?
> > Is there an other way to mark with layer7 only the http traffic with
> source
> > net 192.168.0.0/24?
> >
> > Kernel 2.4.27 patched with kernel-2.4-layer7-0.9.1.patch
> > iptables 1.2.11 patched with iptables-layer7-0.9.1.patch
> >
> > Thanks,
> >
> > Marco
> >
> >
> 
> 
> --
> Bla bla



[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux