Newbie Q: Forcing p2p traffic via one interface on a dual homed system.


Hi all,

My first post to this group, and be warned, I am a new Linux user ;)

My setup:

-----ISP1---ppp0----Router-----MainPC
-----ISP2---ppp1-------|

Router ip: 192.168.0.1
MainPC ip: 192.168.0.10
ppp0: 165.165.89.171
ppp1: 165.146.132.124

What I want to achieve is that all p2p traffic passes through ppp1
while everything else goes through ppp0.

My approach to date: Use http://www.ipp2p.org to mark all p2p packets
and then attempt to use this mark to get these packets to leave via
ppp1.

The following are various command outputs that will serve to
illustrate my setup:

_____________________
server1:~# iptables-save
# Generated by iptables-save v1.2.11 on Sun Nov 28 22:17:39 2004
*mangle
:PREROUTING ACCEPT [64427:8068188]
:INPUT ACCEPT [46992:3648957]
:FORWARD ACCEPT [17435:4419231]
:OUTPUT ACCEPT [60089:8019620]
:POSTROUTING ACCEPT [77524:12438851]
-A PREROUTING -s 192.168.0.10 -i eth0 -p tcp -m ipp2p --ipp2p -j MARK --set-mark 0x9
-A PREROUTING -s 192.168.0.10 -i eth0 -p tcp -m ipp2p --ipp2p -j RETURN
COMMIT
# Completed on Sun Nov 28 22:17:39 2004
# Generated by iptables-save v1.2.11 on Sun Nov 28 22:17:39 2004
*filter
:INPUT ACCEPT [46992:3648957]
:FORWARD ACCEPT [17404:4417743]
:OUTPUT ACCEPT [60089:8019620]
-A INPUT -d 127.0.0.0/255.0.0.0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.0.0/255.255.255.0 -i ppp+ -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sun Nov 28 22:17:39 2004
# Generated by iptables-save v1.2.11 on Sun Nov 28 22:17:39 2004
*nat
:PREROUTING ACCEPT [12719:748368]
:POSTROUTING ACCEPT [17:820]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp+ -p tcp -m mark --mark 0x9 -j SNAT --to-source 165.146.132.124
-A POSTROUTING -o ppp+ -p tcp -m mark --mark 0x9 -j RETURN
-A POSTROUTING -o ppp+ -j MASQUERADE
COMMIT
# Completed on Sun Nov 28 22:17:39 2004
server1:~#

______________________

server1:~# ip route show
165.165.88.1 dev ppp0  scope link  src 165.165.89.171
165.146.128.1 dev ppp1  scope link  src 165.146.132.124
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.1
default via 165.165.88.1 dev ppp0
server1:~#

______________________
server1:~# ip route show table T1
165.165.88.1 dev ppp0  scope link  src 165.165.89.171
165.146.128.1 dev ppp1  scope link
192.168.0.0/24 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via 165.165.88.1 dev ppp0
server1:~#
______________________
server1:~# ip route show table T2
165.165.88.1 dev ppp0  scope link
165.146.128.1 dev ppp1  scope link  src 165.146.132.124
192.168.0.0/24 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via 165.146.128.1 dev ppp1
server1:~#
______________________
server1:~# ip route show table uncapped-packets
default via 165.146.128.1 dev ppp1
server1:~#
______________________
server1:~# ip rule list
0:      from all lookup local
32763:  from all fwmark 0x9 lookup uncapped-packets
32764:  from 165.146.132.124 lookup T2
32765:  from 165.165.89.171 lookup T1
32766:  from all lookup main
32767:  from all lookup default
server1:~#
______________________

server1:~# iptables -nvxL -t mangle
Chain PREROUTING (policy ACCEPT 66921 packets, 8298186 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      26       3484 MARK       tcp  --  eth0   *       192.168.0.10         0.0.0.0/0           ipp2p v0.6 --ipp2p MARK set 0x9
      26       3484 RETURN     tcp  --  eth0   *       192.168.0.10         0.0.0.0/0           ipp2p v0.6 --ipp2p

Chain INPUT (policy ACCEPT 48501 packets, 3776823 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 18420 packets, 4521363 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 62452 packets, 8269734 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 80872 packets, 12791097 bytes)
    pkts      bytes target     prot opt in     out     source               destination

______________________
server1:~# iptables -nvxL -t nat
Chain PREROUTING (policy ACCEPT 12790 packets, 752139 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 17 packets, 820 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 SNAT       tcp  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           MARK match 0x9 to:165.146.132.124
       0          0 RETURN     tcp  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           MARK match 0x9
      15        742 MASQUERADE  all  --  *      ppp+    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
______________________


Wow ... lots of text :)

As you can see, the p2p marking rule in PREROUTING in the mangle table
is getting a healthy 26 hits. However, the corresponding SNAT rule in
POSTROUTING in the nat table isn't getting any hits at all.

Basically I'm trying to use the SNAT option to force the origin of the
p2p packets that leave ppp1 to 165.146.132.124 (so that replies to
these packets will return via ppp1).

However, this isn't happening. When I do a tcpdump on **ppp1**, while
running a typical p2p app on 192.168.0.10, I see stuff like:

_________________________________
tcpdump: listening on ppp1
22:26:34.153756 165.165.89.171.4056 > 165.165.91.116.10928: P
537928851:537928945(94) ack 11937669 win 17280 (DF)
22:26:37.344977 165.165.89.171.4058 > 165.165.40.174.telnet: P
1747084171:1747084265(94) ack 1890859306 win 17424 (DF)
22:26:38.301762 165.165.89.171.4059 > 165.146.193.231.1412: P
943672931:943673025(94) ack 3291345941 win 17424 (DF)
22:26:40.273324 165.165.89.171.4058 > 165.165.40.174.telnet: P
0:94(94) ack 1 win 17424 (DF)
22:26:40.762411 165.165.89.171.4061 > 165.165.89.216.7881: P
2894668549:2894668643(94) ack 1789638145 win 17280 (DF)
22:26:41.066069 165.165.89.171.4060 > 165.165.81.109.35: P
3752551725:3752551819(94) ack 3830356900 win 17280 (DF)
22:26:41.081728 165.165.89.171.4062 > 165.165.48.176.35791: P
2763489211:2763489305(94) ack 3560648028 win 17280 (DF)
22:26:41.276546 165.165.89.171.4059 > 165.146.193.231.1412: P 0:94(94)
ack 1 win 17424 (DF)
_________________________________

It seems to me that the packets leaving ppp1 are still showing the
165.165.89.171 origin address of ppp0 rather than the origin address
of ppp1 (i.e. 165.146.132.124).

To test that the initial marking is working, I have disabled:
-A PREROUTING -s 192.168.0.10 -i eth0 -p tcp -m ipp2p --ipp2p -j MARK --set-mark 0x9
-A PREROUTING -s 192.168.0.10 -i eth0 -p tcp -m ipp2p --ipp2p -j RETURN

In which case I see no traffic on ppp1 at all.

So it seems as if the initial marking and diversion of packets to ppp1 works.

It's just that trying to force the origin of the packets leaving ppp1
to ppp1's IP via SNAT isn't working.

Advice please???

Thanks,
H
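An added diagnostic (not part of the original post) that parses the `iptables -nvxL` counter output shown above, re-typed inline as a constructed sample with the post's values, and flags exactly the pattern reported here: packets hitting the mangle MARK rule while the nat SNAT rule keyed on that mark stays at zero. It assumes the standard `iptables -nvxL` column layout and a mark of 0x9.

```python
import re
from collections import defaultdict

# Constructed sample: the two relevant chains from the post, re-typed with
# each rule on a single line (the mailer wrapped them in the original).
SAMPLE_MANGLE = """\
Chain PREROUTING (policy ACCEPT 66921 packets, 8298186 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      26       3484 MARK       tcp  --  eth0   *       192.168.0.10         0.0.0.0/0           ipp2p v0.6 --ipp2p MARK set 0x9
      26       3484 RETURN     tcp  --  eth0   *       192.168.0.10         0.0.0.0/0           ipp2p v0.6 --ipp2p
"""
SAMPLE_NAT = """\
Chain POSTROUTING (policy ACCEPT 17 packets, 820 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 SNAT       tcp  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           MARK match 0x9 to:165.146.132.124
       0          0 RETURN     tcp  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           MARK match 0x9
      15        742 MASQUERADE  all  --  *      ppp+    0.0.0.0/0            0.0.0.0/0
"""
# One rule line: pkts bytes target prot opt in out source destination [match text]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_chains(text):
    """Parse `iptables -nvxL` output into {chain_name: [rule dicts]}."""
    chains, current = defaultdict(list), None
    for line in text.splitlines():
        head = re.match(r"^Chain (\S+)", line)
        if head:
            current = head.group(1)
            continue
        rule = RULE_RE.match(line)
        if rule and current:  # the column-header and blank lines do not match
            pkts, _, target, prot, inif, outif, src, dst, extra = rule.groups()
            chains[current].append({"pkts": int(pkts), "target": target, "prot": prot,
                                    "in": inif, "out": outif, "src": src, "dst": dst, "extra": extra})
    return dict(chains)

def hits(chains, target, match_text):
    """Packet total of rules with this target whose match text contains match_text."""
    return sum(r["pkts"] for rules in chains.values() for r in rules
               if r["target"] == target and match_text in r["extra"])

def diagnose(mangle_text, nat_text, mark="0x9"):
    """Compare MARK hits in mangle with SNAT hits keyed on that mark in nat."""
    marked = hits(parse_chains(mangle_text), "MARK", f"MARK set {mark}")
    snatted = hits(parse_chains(nat_text), "SNAT", f"MARK match {mark}")
    # nat is consulted only for a connection's first packet; a payload match
    # such as ipp2p cannot classify that packet, so the mark arrives too late.
    status = "mark-set-but-nat-missed" if marked and not snatted else "ok"
    return status, marked, snatted
```

The reported state is the expected outcome when the mark comes from a payload matcher: the nat table sees only the first packet of each connection, which ipp2p cannot yet classify, so the NAT mapping (here MASQUERADE out the default interface) is already bound before any later packet carries the mark.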

