
Re: fwmark / routing ...



Hi Samuel,
you should add rules and tables to route with the proper source.

take a look at the nano HOWTO
http://www.linuxvirtualserver.org/~julian/nano.txt
You can do it without firewall rules...

Here is an example; rules 201 and 202 are only there to route with the right source.

# rule with source address 200.203.186.130
ip rule add prio 201 from 200.203.186.128/26 table 201
ip route add default via 200.203.186.GATEWAY dev eth1 src 200.203.186.130 proto static table 201
ip route append prohibit default table 201 metric 1 proto static

# rule with source address 10.0.0.138
ip rule add prio 202 from 10.0.0.0/24 table 202
ip route add default via 10.0.0.138 dev eth2 src 10.0.0.140 proto static table 202
ip route append prohibit default table 202 metric 1 proto static

#if you want to do it without firewall

ip rule add prio 50 table main  #only for local routing, with 50 as preference
ip route del default table main #internet gateways will be added in the table 222, not in the main table
ip rule add prio 222 table 222  #rule with gateways
#route with gateways, you can put a metric for each gateway
#(the comment must not follow the backslash, or the line continuation breaks)
ip route add default table 222 proto static \
   nexthop via 200.203.186.GATEWAY dev eth1 \
   nexthop via 10.0.0.138 dev eth2

regards,
Matias Lambert
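
As an added check (example written for this thread, not code from either message): a small POSIX sh audit that parses pasted `ip route show` output and reports whether a policy table's default route pins `src` to the address the main table's kernel link route assigns to the same interface, which is what the table 5 route below lacks and the table 201/202 routes above supply. The sample outputs are constructed from the thread.

```shell
#!/bin/sh
# Audit the `src` hint on a policy table's default route against the
# interface address found in the main table. Works on pasted text, so it
# runs offline. All sample data below is constructed from the thread.

# Constructed `ip route show` (main table) output, as in Samuel's message.
MAIN_ROUTES='200.203.186.128/26 dev eth1  proto kernel  scope link  src 200.203.186.130
10.0.0.0/24 dev eth2  proto kernel  scope link  src 10.0.0.140
default via 200.203.186.129 dev eth1'

# Constructed `ip route show table 5` output: the fwmark table with no src.
TABLE5_ROUTES='default via 10.0.0.138 dev eth2'

# Constructed `ip route show table 202` output: the route that carries src.
TABLE202_ROUTES='default via 10.0.0.138 dev eth2 src 10.0.0.140 proto static
prohibit default metric 1 proto static'

# field ROUTE_LINE KEY : print the value following KEY on a route line, or "".
field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit }
    }'
}

# audit_default_src MAIN TABLE : check that TABLE's default route sets `src`
# to the address the main table's kernel link route assigns to the same dev.
# Prints "ok <src>", "missing-src expected <addr>",
# "mismatch <src> expected <addr>" or "no-default-route"; non-zero on failure.
audit_default_src() {
    default_line=$(printf '%s\n' "$2" | awk '$1 == "default" { print; exit }')
    [ -n "$default_line" ] || { echo "no-default-route"; return 1; }
    dev=$(field "$default_line" dev)
    src=$(field "$default_line" src)
    # The kernel's own link route for that dev carries the interface address.
    link_line=$(printf '%s\n' "$1" | awk -v d="$dev" '/proto kernel/ {
        for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == d) { print; exit }
    }')
    expected=$(field "$link_line" src)
    if [ -z "$src" ]; then
        echo "missing-src expected $expected"; return 1
    elif [ "$src" != "$expected" ]; then
        echo "mismatch $src expected $expected"; return 1
    fi
    echo "ok $src"
}

# Example run against the constructed samples:
audit_default_src "$MAIN_ROUTES" "$TABLE5_ROUTES" || true  # missing-src expected 10.0.0.140
audit_default_src "$MAIN_ROUTES" "$TABLE202_ROUTES"        # ok 10.0.0.140
```

A `src` on a route is only a hint for locally generated packets that have not yet bound a source address, which is why the `from`-based rules 201 and 202 above are the part that actually steers traffic by source.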

Samuel Lucas Vaz de Mello wrote:

> Hi!
>
>         I have a linux box with 2 internet links (eth1 - 200.203.186.130 and eth2 - 10.0.0.140 [the adsl router will masq to a valid ip])
>
>         I'm trying to make it send some packets through eth1 and others via eth2. I'm using fwmark and iproute2.
>
> (for testing, i'm trying to make it send all icmp traffic through eth2 [10.0.0.140], and other packets via eth1)
>
> # iptables -t mangle -A OUTPUT -p icmp -j MARK --set-mark 5
> # ip rule add fwmark 5 table 5
> # ip route add default via 10.0.0.138 table 5
>
> #  ip route show
> 200.203.186.128/26 dev eth1  proto kernel  scope link  src 200.203.186.130
> (...)
> 10.0.0.0/24 dev eth2  proto kernel  scope link  src 10.0.0.140
> (...)
> default via 200.203.186.129 dev eth1
>
> # ip route show table 5
> default via 10.0.0.138 dev eth2
>
> # ip rule show
> 0:      from all lookup local
> 32765:  from all fwmark        5 lookup 5
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> # ip route flush cache
>
> # ping hara2.uol.com.br
> (no response)
>
> # tcpdump -i eth2 | grep icmp
> 15:31:32.228774 200.203.186.130 > hara2.uol.com.br: icmp: echo request (DF)
>
> It seems that the packet is going to the correct link, but with the wrong source...
>
> Some idea about why?
>
> Thanks,
>
>  - Samuel
>
> --
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


