On Tue, Dec 22, 2009 at 9:56 PM, wes <p...@the-wes.com> wrote:
> On Tue, Dec 22, 2009 at 12:50 PM, Michael Robinson <plu...@robinson-west.com> wrote:
>
> > > what DOES happen when the destination is 192.168.1.0/24? Can you provide a
> > > traceroute?
> > >
> > > I don't know what "table 3" means, but I'm pretty sure that if it doesn't
> > > show up in "ip route list" it's not going to be effective.
> > >
> > > From the ip(8) man page:
> > >
> > > ...
> > > Route tables: Linux-2.x can pack routes into several routing tables
> > > identified by a number in the range from 1 to 255 or by name from the
> > > file /etc/iproute2/rt_tables main table (ID 254) and the kernel only
> > > uses this table when calculating routes.
> > > ...
> > >
> > > On my system, ip route list gives the same output as ip route list table
> > > 254. I would expect the same result on your system.
> > >
> > > -wes
> >
> > Dodo is a Fedora Core 1 network root system:
> > Linux dodo.w2.robinson-west.pri 2.4.22-1.2115.nptlcustom2 #1 Sun Jun 29
> > 20:59:36 PDT 2008 i686 i686 i386 GNU/Linux
> >
> > [r...@dodo firewall]# ping -c3 192.168.1.1
> > connect: Network is unreachable
> > [r...@dodo firewall]#
> >
> > [r...@dodo firewall]# ip rule show
> > 0:      from all lookup local
> > 32764:  from all fwmark 0x3 lookup 3
> > 32765:  from all fwmark 0x2 lookup 2
> > 32766:  from all lookup main
> > 32767:  from all lookup 253
> > [r...@dodo firewall]#
> >
> > [r...@dodo firewall]# ip route show table local
> > local 192.168.3.1 dev eth0 proto kernel scope host src 192.168.3.1
> > local 192.168.3.17 dev eth0 proto kernel scope host src 192.168.3.17
> > broadcast 192.168.3.0 dev eth0 proto kernel scope link src 192.168.3.1
> > broadcast 192.168.3.16 dev eth0 proto kernel scope link src 192.168.3.17
> > broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2
> > broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
> > local 192.168.5.2 dev eth1 proto kernel scope host src 192.168.5.2
> > local 192.168.5.3 dev eth1 proto kernel scope host src 192.168.5.2
> > local 192.168.5.4 dev eth1 proto kernel scope host src 192.168.5.2
> > broadcast 192.168.4.15 dev eth2 proto kernel scope link src 192.168.4.1
> > broadcast 192.168.4.0 dev eth2 proto kernel scope link src 192.168.4.1
> > broadcast 192.168.0.0 dev eth1 proto kernel scope link src 192.168.0.2
> > local 192.168.4.1 dev eth2 proto kernel scope host src 192.168.4.1
> > local 192.168.0.2 dev eth1 proto kernel scope host src 192.168.0.2
> > broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
> > broadcast 192.168.3.15 dev eth0 proto kernel scope link src 192.168.3.1
> > broadcast 192.168.3.31 dev eth0 proto kernel scope link src 192.168.3.17
> > local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
> > broadcast 192.168.5.15 dev eth1 proto kernel scope link src 192.168.5.2
> > local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
> > [r...@dodo firewall]#
> >
> > [r...@dodo firewall]# ip route show table 3
> > 192.168.1.0/24 via 192.168.3.2 dev eth0
> > [r...@dodo firewall]#
> >
> > [r...@dodo firewall]# ip route show table 2
> > 192.168.1.0/24 via 192.168.3.18 dev eth0
> > [r...@dodo firewall]#
> >
> > [r...@dodo firewall]# ip route show table main
> > 192.168.4.16/28 via 192.168.4.2 dev eth2
> > 192.168.4.0/28 dev eth2 scope link
> > 192.168.5.0/28 dev eth1 proto kernel scope link src 192.168.5.2
> > 192.168.3.0/28 dev eth0 proto kernel scope link src 192.168.3.1
> > 192.168.4.48/28 via 192.168.4.2 dev eth2
> > 192.168.3.16/28 dev eth0 scope link
> > 192.168.4.32/28 via 192.168.4.2 dev eth2
> > 192.168.0.0/24 dev eth1 scope link
> > 127.0.0.0/8 dev lo scope link
> > [r...@dodo firewall]#
> >
> > [r...@dodo firewall]# ip route show table 253
> > [r...@dodo firewall]#
> >
> > [r...@dodo firewall]# iptables -nvL -t mangle
> > Chain PREROUTING (policy ACCEPT 576K packets, 127M bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >   879 66553 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC 00:02:E3:02:C8:8F MARK set 0x3
> >   144 10713 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC 00:40:F4:2D:AF:5C MARK set 0x2
> >    95 29259 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0x3
> >
> > Chain INPUT (policy ACCEPT 576K packets, 127M bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain FORWARD (policy ACCEPT 178 packets, 52674 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain OUTPUT (policy ACCEPT 552K packets, 151M bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain POSTROUTING (policy ACCEPT 552K packets, 151M bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> > [r...@dodo firewall]#
> >
> > If I understand things correctly, when fwmark 0x3 is seen
> > routing table 3 should be used and when fwmark 0x2 is seen
> > routing table 2 should be used.
> >
> > If I do:
> >
> > ip rule add table 2
> > or
> > ip rule add table 3
> >
> > then this table will get used and ping works.
> >
> > I can't hard wire the route, sometimes packets will come from
> > web and sometimes they will come from xerxes. Which
> > is why I have mac_route added to the firewall:
> >
> > [r...@dodo firewall]# cat mac_route
> > iptables -t mangle -A PREROUTING -m mac --mac-source 00:02:E3:02:C8:8F \
> >     -j MARK --set-mark 3
> >
> > iptables -t mangle -A PREROUTING -m mac --mac-source 00:40:F4:2D:AF:5C \
> >     -j MARK --set-mark 2
> > [r...@dodo firewall]#
> >
> > The following is route_web.bash:
> >
> > #!/bin/bash
> > #
> > PATH=/sbin:/usr/bin
> >
> > # Get line count PREROUTING -t mangle...
> > line_count=`iptables -nvL PREROUTING -t mangle|wc -l|tr -d ' '`
> > let line_count-=2
> >
> > if [ "$line_count" == "2" ]
> > then
> >     iptables -t mangle -I PREROUTING 3 -j MARK --set-mark 2
> > else
> >     iptables -t mangle -R PREROUTING 3 -j MARK --set-mark 2
> > fi
> >
> > The following is route_xerxes.bash:
> >
> > #!/bin/bash
> > #
> > PATH=/sbin:/usr/bin
> >
> > # Get line count PREROUTING -t mangle...
> > line_count=`iptables -nvL PREROUTING -t mangle|wc -l|tr -d ' '`
> > let line_count-=2
> >
> > if [ "$line_count" == "2" ]
> > then
> >     iptables -t mangle -I PREROUTING 3 -j MARK --set-mark 3
> > else
> >     iptables -t mangle -R PREROUTING 3 -j MARK --set-mark 3
> > fi
> >
> > The following is the portion of the firewall that manipulates the
> > routing tables:
> > ...
> > export lan_net="192.168.1.0/24"
> > ...
> > export w1nweb="192.168.3.18"
> > export w1nxer="192.168.3.2"
> >
> > ip route flush table 2
> > ip route flush table 3
> >
> > ip route add $lan_net dev eth0 via $w1nweb table 2
> > ip route add $lan_net dev eth0 via $w1nxer table 3
> >
> > ip rule add fwmark 2 table 2
> > ip rule add fwmark 3 table 3
> >
> > As far as traceroute, Network is unreachable doesn't seem traceable.
> >
> > Another routing table can get used, the problem is that the MARK
> > applied to packets in the PREROUTING chain of the mangle table
> > never seems to trigger use of the appropriate table. I'm beginning
> > to wonder if there is some sysctl option breaking this or something
> > similar.
> >
> > _______________________________________________
> > PLUG mailing list
> > PLUG@lists.pdxlinux.org
> > http://lists.pdxlinux.org/mailman/listinfo/plug
>
> well, I'm glad you included more information, but like Mike, your situation
> is now way over my head. I agree with him that it would be in your best
> interests to attempt to simplify your network configuration. but, if this is
> the way you need it to be, then you should be prepared for this kind of
> consequence that occurs naturally as a result of complexity.
>
> -wes
Why not just add a route statement in one of your startup scripts? It's a
kludgy hack but it gets the job done.

Drew-
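For readers following the fwmark/policy-routing setup quoted above, here is an added example script (mine, not from the thread or from dodo's firewall) that wires up the same two-table scheme and adds the check I would reach for first. Addresses, MACs, table numbers and interface names are taken from the quoted post; the user chain name `lan_route`, the `DRY_RUN` switch and the restriction of marking to LAN-bound traffic are my own choices. The caveat the script encodes is a property of netfilter, not a guess: packets generated on the router itself (a `ping` run on dodo) traverse the mangle OUTPUT chain, never PREROUTING, and have no source MAC to match on, so a PREROUTING-only MAC-based MARK cannot steer a local ping; `mark_local` installs a plain MARK in mangle OUTPUT so that local tests exercise the policy tables. Rules are deleted before being re-added because `ip rule add` and `iptables -A` accumulate duplicates on every run.

```bash
#!/bin/bash
# Added example: fwmark policy routing for the two-gateway setup in the thread.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 applies them as root.
set -eu
PATH=/sbin:/usr/sbin:/bin:/usr/bin

DRY_RUN=${DRY_RUN:-1}
lan_net="192.168.1.0/24"          # from the quoted firewall: $lan_net
w1nweb="192.168.3.18"             # next hop for traffic that came in from web
w1nxer="192.168.3.2"              # next hop for traffic that came in from xerxes
web_mac="00:40:F4:2D:AF:5C"       # source MACs from the quoted mac_route
xer_mac="00:02:E3:02:C8:8F"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One routing table plus the fwmark rule that selects it (mark == table number).
add_marked_table() {              # add_marked_table <mark> <nexthop>
    local mark=$1 nexthop=$2
    run ip route flush table "$mark"
    run ip route add "$lan_net" via "$nexthop" dev eth0 table "$mark"
    run ip rule del fwmark "$mark" table "$mark" 2>/dev/null || true
    run ip rule add fwmark "$mark" table "$mark"
}

# Forwarded traffic: classify by source MAC in mangle PREROUTING. A dedicated
# user chain (assumed name: lan_route) can be flushed without touching other
# mangle rules, and only LAN-bound packets are sent through it.
mark_forwarded() {
    run iptables -t mangle -N lan_route 2>/dev/null || true
    run iptables -t mangle -F lan_route
    run iptables -t mangle -A lan_route -m mac --mac-source "$xer_mac" -j MARK --set-mark 3
    run iptables -t mangle -A lan_route -m mac --mac-source "$web_mac" -j MARK --set-mark 2
    run iptables -t mangle -D PREROUTING -d "$lan_net" -j lan_route 2>/dev/null || true
    run iptables -t mangle -A PREROUTING -d "$lan_net" -j lan_route
}

# Locally generated traffic (ping/traceroute run on the router) never passes
# PREROUTING and carries no source MAC, so it needs its own MARK in OUTPUT.
mark_local() {                    # mark_local <mark>
    local mark=$1
    run iptables -t mangle -D OUTPUT -d "$lan_net" -j MARK --set-mark "$mark" 2>/dev/null || true
    run iptables -t mangle -A OUTPUT -d "$lan_net" -j MARK --set-mark "$mark"
}

apply_policy_routing() {          # apply_policy_routing <mark-for-local-traffic>
    local local_mark=${1:-3}
    add_marked_table 2 "$w1nweb"
    add_marked_table 3 "$w1nxer"
    mark_forwarded
    mark_local "$local_mark"
}

# Verification: show the rule list, the selected table, and ask the kernel
# which route a packet carrying this mark takes. The `mark` argument of
# `ip route get` needs a reasonably recent iproute2.
check_route() {                   # check_route <mark>
    run ip rule show
    run ip route show table "$1"
    run ip route get 192.168.1.1 mark "$1"
}

apply_policy_routing "${1:-3}"
check_route "${1:-3}"
```

Run it once with the default `DRY_RUN=1` and read the command list; if it matches what you expect, `DRY_RUN=0 ./script.sh 3` applies it and then prints the `ip rule`/`ip route` view the kernel actually holds. If a local `ping -c3 192.168.1.1` still reports "Network is unreachable" after the OUTPUT mark is in place, the policy rule is not being consulted at all, which narrows the search considerably.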