Re: iptables udp 1195 MASQUERADE

On Tue, 2012-01-24 at 17:34 -0600, Enrique Huerta de la Fuente wrote:
> Hello
> 
> I have OpenVPN (lan to lan)
> 
> On site 1 (4 links)
> - eth0 (LAN)
> - eth1 (internet link)
> - eth3 (internet link)
> - ppp0 (internet link)
> - Default gateway eth1
> 
> On site 2 (3 links)
> - eth0 (LAN)
> - eth1 (internet link)
> - ppp0 (internet link)
> - Default gateway ppp0
> 
> The eth3 interface (site 1) and the eth1 interface (site 2) are on the same provider, with the same mask.
> 
> The VPN runs over eth3 (site 1) <---> eth1 (site 2) and works great. We do not need to go through the gateway because they are on the same provider and it does not require the gateway.
> 
> But if either VPN link fails (eth3 or eth1), we need to move the VPN to ppp0 (site 1) <-----> ppp0 (site 2).
> 
> Here's the problem!
> 
> At site 1, the UDP packets should go out via ppp0 (the default gateway is eth1). To do this:
> 
> # iptables -t nat -I POSTROUTING -p udp -m udp --dport 1195 -o ppp0 -j MASQUERADE
> # iptables -t mangle -I OUTPUT -p udp -m udp --dport 1195 -j MARK --set-mark 1

Are you sure you've got this rule correct? Have you tried doing a LOG
target to check that it is matching the packets that you would expect?

> 
> So these are the routes:
> 
> # ip rule ls
> 0: from all lookup 255
> 32757: from all fwmark 0x1 lookup infinitum
> 32758: from 189.143.36.36 lookup infinitum
> 32759: from 38.124.170.15 lookup bbs
> 32766: from all lookup main
> 
> # ip route ls table infinitum
> default via 189.143.36.36 dev ppp0
> 
> 
> The problem is that no packets from site 1 arrive at site 2. The UDP packets from site 2 do arrive at site 1.
> 
> I tested with port 22 (ssh) and it works.
> 
> # iptables -t nat -I POSTROUTING -m tcp -p tcp --dport 22 -o ppp0 -j MASQUERADE
> # iptables -t mangle -I OUTPUT -m tcp -p tcp --dport 22 -j MARK --set-mark 1
> 
> 
> Any idea why no UDP packets arrive at site 2?
> 
> regards
> 
> E.Huerta
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


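The site-1 failover setup from the quoted message (mark OpenVPN's UDP/1195 in mangle OUTPUT, send fwmark 1 to a table whose default route is ppp0, masquerade on ppp0), together with the LOG rule the reply suggests and the checks that follow, as an added example that is not part of the original thread. The table name "infinitum", the next hop 189.143.36.36 and the device ppp0 are taken from the posted output; the table id 100, the LOG prefix and the site-2 address (an RFC 5737 documentation address) are assumptions. By default the script only prints the commands; APPLY=1 executes them.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the site-1 failover setup the
# quoted message describes (mark UDP/1195 in mangle OUTPUT, send fwmark 1 to a
# table whose default route is ppp0, masquerade on ppp0), adds the LOG rule the
# reply suggests, and prints the checks to run afterwards.
# From the thread: table name "infinitum", next hop 189.143.36.36, dev ppp0.
# Assumed: table id 100, the LOG prefix, and the site-2 address (RFC 5737 range).
set -eu

VPN_PORT=1195
MARK=1
FAILOVER_IF=ppp0
FAILOVER_GW=189.143.36.36            # "default via" in table infinitum
RT_TABLE=infinitum
RT_TABLE_ID=100                      # assumed; needs an entry in rt_tables
SITE2_PEER=203.0.113.10              # placeholder for site 2's public address

# Select the traffic. Only locally generated packets pass mangle OUTPUT, which
# is the right chain when the VPN daemon runs on this box (use PREROUTING for
# forwarded traffic). The LOG rule after the MARK shows whether it matched.
mark_rules() {
    cat <<EOF
iptables -t mangle -A OUTPUT -p udp -m udp --dport $VPN_PORT -j MARK --set-mark $MARK
iptables -t mangle -A OUTPUT -p udp -m udp --dport $VPN_PORT -m mark --mark $MARK -j LOG --log-prefix "vpn-mark: "
EOF
}

# Source NAT: anything leaving on the failover link must carry its address, or
# the provider discards it and site 2 replies to the wrong place.
nat_rules() {
    echo "iptables -t nat -A POSTROUTING -o $FAILOVER_IF -p udp -m udp --dport $VPN_PORT -j MASQUERADE"
}

# Policy routing: marked packets consult $RT_TABLE, whose only route is ppp0.
# The cache flush matters on kernels that still have a routing cache.
route_rules() {
    cat <<EOF
grep -q "^$RT_TABLE_ID $RT_TABLE\$" /etc/iproute2/rt_tables || echo "$RT_TABLE_ID $RT_TABLE" >> /etc/iproute2/rt_tables
ip route replace default via $FAILOVER_GW dev $FAILOVER_IF table $RT_TABLE
ip rule add fwmark $MARK lookup $RT_TABLE
ip route flush cache
EOF
}

# NAT is decided on the first packet of a flow. A UDP "connection" conntrack
# already tracked before the rules went in keeps its old, un-NATed mapping until
# it expires, so a fresh TCP test can succeed while the long-lived OpenVPN flow
# keeps failing. Deleting the entry (conntrack-tools) forces a new decision.
flush_stale_flow() {
    echo "conntrack -D -p udp --dport $VPN_PORT"
}

# Checks: packet/byte counters on the mark and NAT rules, and the route a
# marked packet to site 2 actually takes.
verify_cmds() {
    cat <<EOF
iptables -t mangle -L OUTPUT -v -n
iptables -t nat -L POSTROUTING -v -n
ip route get $SITE2_PEER mark $MARK
EOF
}

# Execute each generated line, or print it when DRY_RUN=1.
apply() {
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '+ %s\n' "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Number of commands a generator emits; lets a caller sanity-check the set.
rule_count() {
    "$1" | wc -l | tr -d ' '
}

# Default is a dry run that prints the commands; APPLY=1 runs them as root.
[ "${APPLY:-0}" = 1 ] || DRY_RUN=1
{ mark_rules; nat_rules; route_rules; flush_stale_flow; verify_cmds; } | apply
```

Run it once without APPLY to read the generated commands, then with APPLY=1 as root. After that, the counters shown by `iptables -t mangle -L OUTPUT -v -n` and the kernel log lines prefixed "vpn-mark: " tell you whether the mark rule is matching anything, and `ip route get ... mark 1` shows which interface a marked packet really leaves on.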

