Re: Newbie Q: Forcing p2p traffic via one interface on a dual homed system.

The nat mechanism works for initiated connections. The p2p packets are
detected later in connections, so they won't even hit nat POSTROUTING.
Also, to match the entire traffic, you need connmark.

On Sun, 28 Nov 2004 22:38:07 +0200, hArTh0 hArTh0 <harth0@xxxxxxxxx> wrote:
> Hi all,
> 
> My first post to this group and be warned I am a new linux user ;)
> 
> My setup:
> 
> -----ISP1---ppp0----Router-----MainPC
> -----ISP2---ppp1-------|
> 
> Router ip: 192.168.0.1
> MainPC ip: 192.168.0.10
> ppp0: 165.165.89.171
> ppp1: 165.146.132.124
> 
> What I want to achieve is that all p2p traffic passes through ppp1
> while everything else goes through ppp0.
> 
> My approach to date: Use http://www.ipp2p.org to mark all p2p packets
> and then attempt to use this mark to get these packets to leave via
> ppp1.
> 
> The following are various command outputs that will serve to
> illustrate my setup:
> 
> _____________________
> server1:~# iptables-save
> # Generated by iptables-save v1.2.11 on Sun Nov 28 22:17:39 2004
> *mangle
> :PREROUTING ACCEPT [64427:8068188]
> :INPUT ACCEPT [46992:3648957]
> :FORWARD ACCEPT [17435:4419231]
> :OUTPUT ACCEPT [60089:8019620]
> :POSTROUTING ACCEPT [77524:12438851]
> -A PREROUTING -s 192.168.0.10 -i eth0 -p tcp -m ipp2p --ipp2p -j MARK
> --set-mark 0x9
> -A PREROUTING -s 192.168.0.10 -i eth0 -p tcp -m ipp2p --ipp2p -j RETURN
> COMMIT
> # Completed on Sun Nov 28 22:17:39 2004
> # Generated by iptables-save v1.2.11 on Sun Nov 28 22:17:39 2004
> *filter
> :INPUT ACCEPT [46992:3648957]
> :FORWARD ACCEPT [17404:4417743]
> :OUTPUT ACCEPT [60089:8019620]
> -A INPUT -d 127.0.0.0/255.0.0.0 -j REJECT --reject-with icmp-port-unreachable
> -A INPUT -s 192.168.0.0/255.255.255.0 -i ppp+ -j REJECT --reject-with
> icmp-port-unreachable
> COMMIT
> # Completed on Sun Nov 28 22:17:39 2004
> # Generated by iptables-save v1.2.11 on Sun Nov 28 22:17:39 2004
> *nat
> :PREROUTING ACCEPT [12719:748368]
> :POSTROUTING ACCEPT [17:820]
> :OUTPUT ACCEPT [0:0]
> -A POSTROUTING -o ppp+ -p tcp -m mark --mark 0x9 -j SNAT --to-source
> 165.146.132.124
> -A POSTROUTING -o ppp+ -p tcp -m mark --mark 0x9 -j RETURN
> -A POSTROUTING -o ppp+ -j MASQUERADE
> COMMIT
> # Completed on Sun Nov 28 22:17:39 2004
> server1:~#
> 
> ______________________
> 
> server1:~# ip route show
> 165.165.88.1 dev ppp0  scope link  src 165.165.89.171
> 165.146.128.1 dev ppp1  scope link  src 165.146.132.124
> 192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.1
> default via 165.165.88.1 dev ppp0
> server1:~#
> 
> ______________________
> server1:~# ip route show table T1
> 165.165.88.1 dev ppp0  scope link  src 165.165.89.171
> 165.146.128.1 dev ppp1  scope link
> 192.168.0.0/24 dev eth0  scope link
> 127.0.0.0/8 dev lo  scope link
> default via 165.165.88.1 dev ppp0
> server1:~#
> ______________________
> server1:~# ip route show table T2
> 165.165.88.1 dev ppp0  scope link
> 165.146.128.1 dev ppp1  scope link  src 165.146.132.124
> 192.168.0.0/24 dev eth0  scope link
> 127.0.0.0/8 dev lo  scope link
> default via 165.146.128.1 dev ppp1
> server1:~#
> ______________________
> server1:~# ip route show table uncapped-packets
> default via 165.146.128.1 dev ppp1
> server1:~#
> ______________________
> server1:~# ip rule list
> 0:      from all lookup local
> 32763:  from all fwmark 0x9 lookup uncapped-packets
> 32764:  from 165.146.132.124 lookup T2
> 32765:  from 165.165.89.171 lookup T1
> 32766:  from all lookup main
> 32767:  from all lookup default
> server1:~#
> ______________________
> 
> server1:~# iptables -nvxL -t mangle
> Chain PREROUTING (policy ACCEPT 66921 packets, 8298186 bytes)
>     pkts      bytes target     prot opt in     out     source
>      destination
>       26     3484 MARK       tcp  --  eth0   *       192.168.0.10
>    0.0.0.0/0           ipp2p v0.6 --ipp2p MARK set 0x9
>       26     3484 RETURN     tcp  --  eth0   *       192.168.0.10
>    0.0.0.0/0           ipp2p v0.6 --ipp2p
> 
> Chain INPUT (policy ACCEPT 48501 packets, 3776823 bytes)
>     pkts      bytes target     prot opt in     out     source
>      destination
> 
> Chain FORWARD (policy ACCEPT 18420 packets, 4521363 bytes)
>     pkts      bytes target     prot opt in     out     source
>      destination
> 
> Chain OUTPUT (policy ACCEPT 62452 packets, 8269734 bytes)
>     pkts      bytes target     prot opt in     out     source
>      destination
> 
> Chain POSTROUTING (policy ACCEPT 80872 packets, 12791097 bytes)
>     pkts      bytes target     prot opt in     out     source
>      destination
> 
> ______________________
> server1:~# iptables -nvxL -t nat
> Chain PREROUTING (policy ACCEPT 12790 packets, 752139 bytes)
>     pkts      bytes target     prot opt in     out     source
>      destination
> 
> Chain POSTROUTING (policy ACCEPT 17 packets, 820 bytes)
>     pkts      bytes target     prot opt in     out     source
>      destination
>        0        0 SNAT       tcp  --  *      ppp+    0.0.0.0/0
>    0.0.0.0/0           MARK match 0x9 to:165.146.132.124
>        0        0 RETURN     tcp  --  *      ppp+    0.0.0.0/0
>    0.0.0.0/0           MARK match 0x9
>       15      742 MASQUERADE  all  --  *      ppp+    0.0.0.0/0
>     0.0.0.0/0
> 
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>     pkts      bytes target     prot opt in     out     source
>      destination
> ______________________
> 
> Wow ... lots of text :)
> 
> As you can see the p2p marking rule in PREROUTING in the mangle table
> is getting a healthy 26 hits. However the corresponding SNAT rule in
> POSTROUTING in the nat table isn't getting any hits at all.
> 
> Basically I'm trying to use the SNAT option to force the origin of the
> p2p packets that leave ppp1 to 165.146.132.124 (so that replies to
> these packets will return via ppp1).
> 
> However this isn't happening. When I do a tcpdump on **ppp1**, while
> running a typical p2p app on 192.168.0.10, I see stuff like:
> 
> _________________________________
> tcpdump: listening on ppp1
> 22:26:34.153756 165.165.89.171.4056 > 165.165.91.116.10928: P
> 537928851:537928945(94) ack 11937669 win 17280 (DF)
> 22:26:37.344977 165.165.89.171.4058 > 165.165.40.174.telnet: P
> 1747084171:1747084265(94) ack 1890859306 win 17424 (DF)
> 22:26:38.301762 165.165.89.171.4059 > 165.146.193.231.1412: P
> 943672931:943673025(94) ack 3291345941 win 17424 (DF)
> 22:26:40.273324 165.165.89.171.4058 > 165.165.40.174.telnet: P
> 0:94(94) ack 1 win 17424 (DF)
> 22:26:40.762411 165.165.89.171.4061 > 165.165.89.216.7881: P
> 2894668549:2894668643(94) ack 1789638145 win 17280 (DF)
> 22:26:41.066069 165.165.89.171.4060 > 165.165.81.109.35: P
> 3752551725:3752551819(94) ack 3830356900 win 17280 (DF)
> 22:26:41.081728 165.165.89.171.4062 > 165.165.48.176.35791: P
> 2763489211:2763489305(94) ack 3560648028 win 17280 (DF)
> 22:26:41.276546 165.165.89.171.4059 > 165.146.193.231.1412: P 0:94(94)
> ack 1 win 17424 (DF)
> _______________________________
> 
> It seems to me that the packets leaving ppp1 are still showing the
> 165.165.89.171 origin address of ppp0 rather than the origin address
> of ppp1 (i.e. 165.146.132.124).
> 
> To test that the initial marking is working, I have disabled:
> -A PREROUTING -s 192.168.0.10 -i eth0 -p tcp -m ipp2p --ipp2p -j MARK
> --set-mark 0x9
> -A PREROUTING -s 192.168.0.10 -i eth0 -p tcp -m ipp2p --ipp2p -j RETURN
> 
> In which case I see no traffic on ppp1 at all.
> 
> So it seems as if the initial marking and diversion of packets to ppp1 works.
> 
> It's just that trying to force the origin of the packets leaving ppp1
> to ppp1's IP via SNAT isn't working.
> 
> Advice please???
> 
> Thanks,
> H
> 
> 


-- 
Bla bla
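An added example, not from this thread, of the connmark approach the reply points to. It shows the CONNMARK restore / classify / save pattern that makes every packet of a connection carry the fwmark once ipp2p has recognised the flow, with the SNAT rule keyed on the outgoing interface rather than on the mark. Interfaces, addresses, the mark value 0x9 and the "uncapped-packets" table are the poster's; the ipp2p match is assumed to be installed as in the poster's ruleset; the IPT/IP variables and the "apply" argument are this script's own convention so the commands can be previewed with IPT=echo IP=echo without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): CONNMARK-based classification so that
# every packet of a connection ipp2p has identified carries fwmark 0x9, not
# only the packet on which ipp2p fired. Addresses, interfaces, mark and the
# routing table are taken from the poster's setup; IPT and IP are this
# script's own convention (set IPT=echo IP=echo to print instead of apply).

LAN_IF=eth0
LAN_HOST=192.168.0.10
P2P_IF=ppp1
P2P_IP=165.146.132.124
P2P_GW=165.146.128.1
MARK=0x9
P2P_TABLE=uncapped-packets

p2p_mangle_rules() {
    ipt="${IPT:-iptables}"
    # 1. Copy the connection's saved mark onto this packet. For a flow that
    #    was already classified this happens before the routing decision and
    #    needs no payload inspection.
    "$ipt" -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    # 2. Already-marked packets are done; skip the ipp2p match for them.
    "$ipt" -t mangle -A PREROUTING -i "$LAN_IF" -m mark --mark "$MARK" -j RETURN
    # 3. ipp2p recognises a protocol only some packets into the flow; when it
    #    fires, mark the packet ...
    "$ipt" -t mangle -A PREROUTING -s "$LAN_HOST" -i "$LAN_IF" -p tcp \
        -m ipp2p --ipp2p -j MARK --set-mark "$MARK"
    # 4. ... and store the mark in the conntrack entry, so rule 1 catches the
    #    remaining packets of this connection.
    "$ipt" -t mangle -A PREROUTING -s "$LAN_HOST" -i "$LAN_IF" -p tcp \
        -m mark --mark "$MARK" -j CONNMARK --save-mark
}

p2p_nat_rules() {
    ipt="${IPT:-iptables}"
    # nat POSTROUTING is consulted once per connection, on its first packet;
    # the chosen mapping is then replayed from conntrack for the rest of the
    # flow. Keying SNAT on the outgoing interface (not on the mark, which the
    # first packet never carries) gives every connection that starts on ppp1
    # ppp1's address; everything else is masqueraded on its own interface.
    "$ipt" -t nat -A POSTROUTING -o "$P2P_IF" -j SNAT --to-source "$P2P_IP"
    "$ipt" -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
}

p2p_policy_route() {
    ipcmd="${IP:-ip}"
    # The same policy rule and table the poster already has, repeated so the
    # script is complete on its own.
    "$ipcmd" rule add fwmark "$MARK" table "$P2P_TABLE"
    "$ipcmd" route replace default via "$P2P_GW" dev "$P2P_IF" table "$P2P_TABLE"
    "$ipcmd" route flush cache
}

# Run as "sh thisscript.sh apply" to load the rules; without the argument the
# functions are only defined.
if [ "${1:-}" = "apply" ]; then
    p2p_mangle_rules
    p2p_nat_rules
    p2p_policy_route
fi
```

What this does and does not fix: with the connmark in place, a connection is routed consistently once ipp2p has classified it, and any connection whose first packet leaves ppp1 is NATed to ppp1's address. It does not change the NAT mapping of a connection that had already been masqueraded via ppp0 before ipp2p recognised it; its later packets, now routed via ppp1, still carry ppp0's address, which is exactly what the tcpdump in the thread shows. Keying the SNAT on the interface rather than the mark removes the zero-hit rule, but a flow can only get ppp1's address if the routing decision for its first packet already sends it there.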

