
Re: Policy routing on local packets



# ip route show table mytable
200.62.1X7.36/30 dev eth0  proto kernel  scope link  src 200.62.1X7.38
200.62.1X2.192/28 dev eth0  proto kernel  scope link  src 200.62.1X2.195
192.168.100.0/24 dev eth2  proto kernel  scope link  src 192.168.100.1
192.168.99.0/24 dev eth1  proto kernel  scope link  src 192.168.99.1
default via 200.62.1X7.37 dev eth0  src 200.62.1X2.195


# ip rule show
0:      from all lookup 255
32765:  from all fwmark 0x19 lookup mytable
32766:  from all lookup main
32767:  from all lookup default


# ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:19:d1:75:db:4c brd ff:ff:ff:ff:ff:ff
    inet 200.62.1X7.38/30 brd 200.62.1X7.39 scope global eth0
    inet 200.62.1X2.193/28 brd 200.62.1X2.207 scope global eth0:0
    inet 200.62.1X2.195/28 brd 200.62.1X2.207 scope global secondary eth0:1
    inet 200.62.1X2.200/28 brd 200.62.1X2.207 scope global secondary eth0:2
    inet 200.62.1X2.201/28 brd 200.62.1X2.207 scope global secondary eth0:3
    inet 200.62.1X2.202/28 brd 200.62.1X2.207 scope global secondary eth0:4
    inet 200.62.1X2.203/28 brd 200.62.1X2.207 scope global secondary eth0:5
    inet 200.62.1X2.205/28 brd 200.62.1X2.207 scope global secondary eth0:6
    inet6 fe80::219:d1ff:fe75:db4c/64 scope link
       valid_lft forever preferred_lft forever


# grep MYTABLE /var/log/messages | tail
Sep 23 13:38:22 proxy kernel: MYTABLEIN=eth0 OUT= MAC=00:19:d1:75:db:4c:00:50:73:93:59:76:08:00 SRC=71.96.163.131 DST=200.62.182.195 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=8292 PROTO=TCP SPT=58009 DPT=25 WINDOW=24000 RES=0x00 ACK URGP=0
Sep 23 13:38:45 proxy kernel: MYTABLEIN=eth0 OUT= MAC=00:19:d1:75:db:4c:00:50:73:93:59:76:08:00 SRC=72.71.207.202 DST=200.62.182.195 LEN=60 TOS=0x00 PREC=0x00 TTL=115 ID=245 DF PROTO=TCP SPT=2403 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 23 13:38:45 proxy kernel: MYTABLEIN=eth0 OUT= MAC=00:19:d1:75:db:4c:00:50:73:93:59:76:08:00 SRC=72.71.207.202 DST=200.62.182.195 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=263 DF PROTO=TCP SPT=2403 DPT=25 WINDOW=17520 RES=0x00 ACK URGP=0
Sep 23 13:38:48 proxy kernel: MYTABLEIN=eth0 OUT= MAC=00:19:d1:75:db:4c:00:50:73:93:59:76:08:00 SRC=71.96.163.131 DST=200.62.182.195 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=13381 PROTO=TCP SPT=58009 DPT=25 WINDOW=24000 RES=0x00 ACK URGP=0
Sep 23 13:38:48 proxy kernel: MYTABLEIN=eth0 OUT= MAC=00:19:d1:75:db:4c:00:50:73:93:59:76:08:00 SRC=71.96.163.131 DST=200.62.182.195 LEN=87 TOS=0x00 PREC=0x00 TTL=115 ID=13382 PROTO=TCP SPT=58009 DPT=25 WINDOW=24000 RES=0x00 ACK PSH URGP=0
Sep 23 13:38:49 proxy kernel: MYTABLEIN=eth0 OUT= MAC=00:19:d1:75:db:4c:00:50:73:93:59:76:08:00 SRC=71.96.163.131 DST=200.62.182.195 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=13559 PROTO=TCP SPT=58009 DPT=25 WINDOW=24000 RES=0x00 ACK URGP=0
Sep 23 13:38:49 proxy kernel: MYTABLEIN=eth0 OUT= MAC=00:19:d1:75:db:4c:00:50:73:93:59:76:08:00 SRC=71.96.163.131 DST=200.62.182.195 LEN=129 TOS=0x00 PREC=0x00 TTL=115 ID=13560 PROTO=TCP SPT=58009 DPT=25 WINDOW=24000 RES=0x00 ACK PSH URGP=0
Sep 23 13:38:50 proxy kernel: MYTABLEIN=eth0 OUT= MAC=00:19:d1:75:db:4c:00:50:73:93:59:76:08:00 SRC=71.96.163.131 DST=200.62.182.195 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=13723 PROTO=TCP SPT=58009 DPT=25 WINDOW=24000 RES=0x00 ACK URGP=0
Sep 23 13:38:50 proxy kernel: MYTABLEIN=eth0 OUT= MAC=00:19:d1:75:db:4c:00:50:73:93:59:76:08:00 SRC=71.96.163.131 DST=200.62.182.195 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=13724 PROTO=TCP SPT=58009 DPT=25 WINDOW=24000 RES=0x00 ACK RST URGP=0
Sep 23 13:38:55 proxy kernel: MYTABLEIN=eth0 OUT= MAC=00:19:d1:75:db:4c:00:50:73:93:59:76:08:00 SRC=72.71.207.202 DST=200.62.182.195 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=469 DF PROTO=TCP SPT=2403 DPT=25 WINDOW=0 RES=0x00 ACK RST URGP=0



Brian Schrock wrote:
I have had a similar setup working, and will be doing something very similar soon, so I am interested. Can you output the result of "ip route show table mytable"? Make sure the routes really are where you think they are. Also, when I troubleshoot stuff like this I use the LOG target often...

iptables -t mangle -A PREROUTING -p tcp --dport 25 -j LOG --log-prefix 'MYTABLE: '

Use grep "MYTABLE: " /var/log/syslog to watch packets go through.

Then I would do something very similar in the other places in the iptables chain/flow to see what the packet does as it goes through your box.

Brian,

On Tue, Sep 23, 2008 at 1:30 PM, Jason Voorhees <jvoorhees1@gmail.com> wrote:

    Hi friends:

    I have a Linux box with multiple IP addresses:

    eth0 -> IP1
    eth0:0 -> IP2
    eth0:1 -> IP3
    eth0:2 -> IP4

    All outgoing traffic is using IP1 as source address. But now I want
    to use a different IP address (IP1, IP2, IP3 or IP4) as the source
    address for all SMTP outgoing packets locally generated on my Linux box.

    I decided to mark such packets like this:

    iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 0x19

    Then I created a new table in /etc/iproute2/rt_tables adding this:

    252     mytable

    Now the rules and routes:

    ip rule add priority 32765 fwmark 0x19 table mytable
    ip route add to default dev eth0 via IP_GATEWAY src IP2 table mytable
    ip route flush cached

    When I do telnet to some SMTP host I can see my Linux box is still
    using IP1 instead of IP2. Then I check iptables statistics "iptables
    -t mangle -L -nv" and the number of packets matched (marked) is
    increasing so... I think something is not working in my iproute rules.

    Does anybody know what I am doing wrong? Thanks


-- To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
    with a subject of "unsubscribe". Trouble? Contact
    listmaster@lists.debian.org




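Added example (editor's note; not code posted by anyone in this thread). Every LOG entry in the reply above carries IN=eth0 OUT=, which is the signature of a packet that arrived on eth0 and was delivered locally: inbound SMTP connections to the box. A packet generated on the box itself is logged as IN= OUT=eth0 and traverses only mangle OUTPUT and POSTROUTING, never PREROUTING, so a MARK rule in PREROUTING can count inbound port-25 traffic while outgoing SMTP stays unmarked. The script below classifies LOG entries that way over a constructed sample (two shortened entries copied from this thread plus one made-up locally generated connection to the documentation address 198.51.100.25), then emits the rule set that marks in mangle OUTPUT and rewrites the source address with SNAT. The SNAT step is there because the "src" hint on the mytable default route is not applied to a packet that is re-routed after a mark set in OUTPUT: the kernel selected the source address in the first route lookup, before OUTPUT ran, and keeps it when it re-routes. eth0, mark 0x19 and table mytable come from the thread; SMTP_SRC defaults to the thread's IP2 placeholder.

```shell
#!/bin/sh
# Added example for this thread; not code posted by any participant.
#
# Part 1: classify iptables LOG entries by the netfilter path the packet
# took. IN=<dev> OUT=       -> arrived from the network, delivered locally
#                             (PREROUTING -> INPUT)
#        IN=<dev> OUT=<dev>  -> forwarded (PREROUTING -> FORWARD -> POSTROUTING)
#        IN= OUT=<dev>       -> generated on this box (OUTPUT -> POSTROUTING);
#                             such a packet never passes through PREROUTING.
#
# Part 2: the rule set that marks locally generated SMTP in mangle OUTPUT
# and rewrites its source address with SNAT. The "src" hint on the mytable
# default route is not applied when a packet is re-routed because of a mark
# set in OUTPUT: the source address was already selected by the first route
# lookup, before OUTPUT ran.

# Constructed sample. The first two lines are shortened copies of entries
# posted in the thread (inbound connections to port 25); the third is made
# up (198.51.100.25 is a documentation address) to show how a locally
# generated connection appears in the same log format.
SAMPLE_LOG='Sep 23 13:38:22 proxy kernel: MYTABLEIN=eth0 OUT= SRC=71.96.163.131 DST=200.62.182.195 PROTO=TCP SPT=58009 DPT=25 ACK URGP=0
Sep 23 13:38:45 proxy kernel: MYTABLEIN=eth0 OUT= SRC=72.71.207.202 DST=200.62.182.195 PROTO=TCP SPT=2403 DPT=25 SYN URGP=0
Sep 23 13:39:01 proxy kernel: MYTABLEIN= OUT=eth0 SRC=200.62.182.195 DST=198.51.100.25 PROTO=TCP SPT=40123 DPT=25 SYN URGP=0'

# classify_hook LINE: prints inbound, forward, local-out or unknown.
classify_hook() {
    in_dev=$(printf '%s\n' "$1" | sed -n 's/.*IN=\([^ ]*\) OUT=\([^ ]*\).*/\1/p')
    out_dev=$(printf '%s\n' "$1" | sed -n 's/.*IN=\([^ ]*\) OUT=\([^ ]*\).*/\2/p')
    if [ -z "$in_dev" ] && [ -n "$out_dev" ]; then
        echo local-out
    elif [ -n "$in_dev" ] && [ -z "$out_dev" ]; then
        echo inbound
    elif [ -n "$in_dev" ] && [ -n "$out_dev" ]; then
        echo forward
    else
        echo unknown
    fi
}

# count_hook LOG CLASS: number of entries in LOG that classify_hook puts in CLASS.
count_hook() {
    n=0
    while IFS= read -r line; do
        if [ -n "$line" ] && [ "$(classify_hook "$line")" = "$2" ]; then
            n=$((n + 1))
        fi
    done <<EOF
$1
EOF
    echo "$n"
}

# smtp_source_rules MODE: MODE=print (default) shows the commands, MODE=apply
# runs them (needs root). SMTP_SRC is the address outgoing SMTP should use
# (the thread's IP2 placeholder by default); eth0, mark 0x19 and the
# existing fwmark rule for table mytable are taken from the thread.
smtp_source_rules() {
    if [ "${1:-print}" = apply ]; then run=; else run=echo; fi
    src=${SMTP_SRC:-IP2}
    # The rule from the original post sits in PREROUTING, which only sees
    # traffic arriving on an interface; drop it and mark in OUTPUT instead.
    $run iptables -t mangle -D PREROUTING -p tcp --dport 25 -j MARK --set-mark 0x19
    $run iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 0x19
    # Rewrite the source of the marked packets as they leave eth0; the
    # "src" hint on the mytable route does not do this for re-routed packets.
    $run iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 -m mark --mark 0x19 -j SNAT --to-source "$src"
    # Checks: the OUTPUT counters must grow when you telnet to port 25, and
    # a lookup with the mark set must land in table mytable.
    $run iptables -t mangle -L OUTPUT -nv
    $run ip route get 198.51.100.25 mark 0x19
}

echo "inbound entries (passed PREROUTING, not OUTPUT): $(count_hook "$SAMPLE_LOG" inbound)"
echo "locally generated entries (passed OUTPUT, not PREROUTING): $(count_hook "$SAMPLE_LOG" local-out)"
smtp_source_rules print
```

Run it as is to see the classification and the commands in print mode; smtp_source_rules apply executes them and needs root. Piping the real /var/log/messages lines through classify_hook gives the same answer as reading them by eye: the PREROUTING counter in the original post grows on inbound connections, which is why it looked like the marking worked while the telnet test still left with IP1.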