Re: iptables -j ROUTE

To: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Cc: debian-firewall@lists.debian.org
Subject: Re: iptables -j ROUTE
From: Покотиленко Костик <casper@meteor.dp.ua>
Date: Thu, 10 Aug 2006 10:50:41 +0300
Message-id: <[🔎] 1155196241.4429.13.camel@localhost.localdomain>
Reply-to: casper@meteor.dp.ua
In-reply-to: <[🔎] 44D8E01D.4020609@plouf.fr.eu.org>
References: <[🔎] 1155055748.4100.23.camel@localhost.localdomain> <[🔎] 44D8E01D.4020609@plouf.fr.eu.org>

В Вто, 08/08/2006 в 21:03 +0200, Pascal Hambourg пишет:
> Hello,
> 
> Pokotilenko Kostik a écrit :
> > 
> > I'm trying to settle routing with iptables. I have a router with 2 Inet
> > connections, and I need routing decision upon source IP.
> > 
> > # iptables -A PREROUTING -t mangle -s 10.0.0.0/8 -j ROUTE --oif eth0
> > iptables: No chain/target/match by that name
> > #
> > 
> > So, what's wrong?
> > 
> > # uname -a
> > Linux casper 2.6.8-2-686 #1 Thu May 19 17:53:30 JST 2005 i686 GNU/Linux
> 
> ROUTE is not a standard target included in the mainstream kernel. It is 
> an extension from the patch-o-matic-ng. Is your kernel compiled with the 
> ROUTE patch from the patch-o-matic-ng ?
> 
> > It's Debian Sarge.
> 
> So I guess iptables version is 1.2.11 which includes support for the 
> ROUTE target (but not for the --tee option).

My "man iptables" says:
===================================
TARGET EXTENSIONS
       iptables can use extended target modules: the following are
included in
       the standard distribution.

   BALANCE
       This allows you to DNAT connections in a round-robin way over  a
given
.............
   ROUTE
       This  is  used  to explicitly override the core network stack's
routing
       decision.  mangle table.

       --oif ifname
              Route the packet through `ifname' network interface

       --iif ifname
              Change the packet's incoming interface to `ifname'

       --gw IP_address
              Route the packet via this gateway

       --continue
              Behave like a non-terminating target and continue
traversing the
              rules.  Not valid in combination with `--iif'
.........
===================================

Also,

# ls -la /lib/iptables/libipt_ROUTE.so
-rw-r--r--  1 root root 4528 2004-12-02
02:38 /lib/iptables/libipt_ROUTE.so

> However, I wonder why you want to use iptables' ROUTE instead of classic 
> advanced routing (ip rule + alternate routing table) :

It seemed simplier for me as I already have/use many iptables rules. So
I thought it's better to keep things the one place.

But after discovering that this is not as simple to start as it seemed
to be I started to look in direction of "ip".

BTW, how can I check whether my kernel supports this feature?

# ls /lib/modules/2.6.8-2-686/kernel/net/ipv4/netfilter | grep -i route
#

gives no result.

-- 
Покотиленко Костик <casper@meteor.dp.ua>

Reply to:

Follow-Ups:
- Re: iptables -j ROUTE
  - From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>

References:
- iptables -j ROUTE
  - From: Покотиленко Костик <casper@meteor.dp.ua>
- Re: iptables -j ROUTE
  - From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>

Prev by Date: Re: iptables -j ROUTE
Next by Date: Re: iptables -j ROUTE
Previous by thread: Re: iptables -j ROUTE
Next by thread: Re: iptables -j ROUTE
Index(es):
- Date
- Thread