Re: [LARTC] iproute + mark question

2002-05-15 Thread Jason A. Pattie

Thanks for the response.

Ciprian Niculescu wrote:

> steps:
> - mark packets to port 80 coming from the internal interface
> - put them in a different routing table
> - put the default in the new table where you want to go
>
>> It seems that 'iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK 
>> --set-mark 0x1' works, because iptables -t mangle -L -v outputs 
>> packet count sizes and shows that the specific rules are being matched.
>>
>>> ip rule add fwmark 0x1 table 230
>>> ip route add default via 194... table 230 
>>
>
>
> I suggest that you mark packets in the PREROUTING with:
> iptables -t mangle -A PREROUTING -i  -p tcp \
> --dport 80 -j MARK --set-mark 0x1 

Sorry, forgot to mention this. We have done this.

When doing a tcpdump on the cable modem, we were seeing packets coming 
back from (say) yahoo.com around 10-15 seconds after sending them with 
the IP address of the iDSL circuit!! which doesn't make sense at all.

> After that, put the
> ip rule add fwmark 0x1 table 230
> ip route add default via 194... table 230
>
> as the last lines executed in the script; this way the rule will be 
> treated first. Check the order with "ip rule".

ok.

> hope that helps 

thanks.

-- 
Jason A. Pattie
[EMAIL PROTECTED]



--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/



Re: [LARTC] iproute + mark question

2002-05-15 Thread Ciprian Niculescu

I did my work; my problem was that there are differences between the HOWTO and reality.

So let's see your problem.

Jason A. Pattie wrote:

> 
> We have almost the same scenario except we need to use tcp instead of 
> udp and we want to direct all port 80 traffic from the internal network 
> out our new cable modem instead of using the older (slower) iDSL circuit.


steps:
- mark packets to port 80 coming from the internal interface
- put them in a different routing table
- put the default in the new table where you want to go


> 
>> so iptables -A OUTPUT -t mangle -p udp --dport 5:51000 -j MARK 
>> --set-to 0x1
>
> I think this ^ needs to be 
> --set-mark?

Yes, you're right, I wrote the line from memory, not copy&paste :))


> 
> It seems that 'iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK 
> --set-mark 0x1' works, because iptables -t mangle -L -v outputs packet 
> count sizes and shows that the specific rules are being matched.
> 
>> ip rule add fwmark 0x1 table 230
>> ip route add default via 194... table 230 


I suggest that you mark packets in the PREROUTING with:
iptables -t mangle -A PREROUTING -i  -p tcp \
--dport 80 -j MARK --set-mark 0x1

After that, put the
ip rule add fwmark 0x1 table 230
ip route add default via 194... table 230

as the last lines executed in the script; this way the rule will be 
treated first. Check the order with "ip rule".


hope that helps


C





Re: [LARTC] iproute + mark question

2002-05-15 Thread Jason A. Pattie

Ciprian Niculescu wrote:

> I want to mark the packets generated locally, and route them differently 

We have almost the same scenario except we need to use tcp instead of 
udp and we want to direct all port 80 traffic from the internal network 
out our new cable modem instead of using the older (slower) iDSL circuit.

> so iptables -A OUTPUT -t mangle -p udp --dport 5:51000 -j MARK 
> --set-to 0x1


I think this ^ needs to be 
--set-mark?

It seems that 'iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK 
--set-mark 0x1' works, because iptables -t mangle -L -v outputs packet 
count sizes and shows that the specific rules are being matched.

> ip rule add fwmark 0x1 table 230
> ip route add default via 194... table 230 

We did exactly these steps as well (except we used table 1) and gave the 
rules a priority.  Is this maybe where we went wrong?

It just doesn't work.  The packets are being marked but are apparently 
not being dumped into the correct routing table properly.  When the 
packets that are marked are logged, they have the source address of the 
iDSL circuit instead of the cable modem because the iDSL is the default 
route for the 'main' table (I assume).  The web traffic does not work 
either.  It just seems to go out the iDSL and doesn't appear to come 
back.  Or if it does, it does not know how to route internally for some 
reason, even though the source address is the iDSL's, which should know 
everything it needs to know in order to route it back into the 
internal network.

Does routing table 1 need to have routes to the internal network?  I 
wouldn't think so, but I could be mistaken.

-- 
Jason A. Pattie
[EMAIL PROTECTED]






Re: [LARTC] iproute + mark question

2002-05-14 Thread Julian Anastasov


Hello,

On Tue, 14 May 2002, Daniel K. wrote:

> >
> > - so the routing decision is where?
> The routing decision is between OUTPUT and POSTROUTING,
>   POSTROUTING means AFTER routing.

Wrong, the order is:

- routing decision requested from sockets
- OUTPUT
- netfilter routing hacks (rerouting after routing key change)
- POSTROUTING

Maybe one day someone will update this picture in the
right way :)

> Daniel K.

Regards

--
Julian Anastasov <[EMAIL PROTECTED]>




Re: [LARTC] iproute + mark question

2002-05-14 Thread Ciprian Niculescu

> The routing decision is between OUTPUT and POSTROUTING,
> POSTROUTING means AFTER routing.
> 
> So you may say: "Locally generated packet" -> OUTPUT -> "Routing 
> Decision" -> POSTROUTING.


Yes, I know; I do it now. But the question was, and still is: there are 
other "tips" left out of the AdvRoutingHOWTO.

So the new/more real graph is:



     /------------\   /---------\   /---------\   /-------------\
IN->-< PREROUTING >->-< FORWARD >->-< routing >->-< POSTROUTING >->-OUT
     \------------/   \---------/   \---------/   \-------------/
              \                              ^
               \                             |
           /-------\   /---------------\   /--------\
           < INPUT >->-< LOCAL PROCESS >->-< OUTPUT >
           \-------/   \---------------/   \--------/

Is it correct?

Now that I started this thread, I want to finish the picture :)

C







Re: [LARTC] iproute + mark question

2002-05-14 Thread Daniel K.

Ciprian Niculescu wrote:
> I did this as asked; this is what is at section 6, in the link you 
> provided
> 
> Incoming                 /     \         Outgoing
>        -->[Routing ]--->|FORWARD|------->
>           [Decision]     \_____/        ^
>                |                        |
>                v                       ____
>               ___                     /    \
>              /   \                   |OUTPUT|
>             |INPUT|                   \____/
>              \___/                      ^
>                |                        |
>                ------> Local Process -----
> 
> In this, the local one never hits "routing decision", but let's say 
> it's for simplicity :))
> 
> And yours is wrong too: Local Process -> OUTPUT -> POSTROUTING -> Out
> 
> - so where is the routing decision?
The routing decision is between OUTPUT and POSTROUTING,
POSTROUTING means AFTER routing.

So you may say: "Locally generated packet" -> OUTPUT -> "Routing 
Decision" -> POSTROUTING.

If you want to mangle (e.g. mark) locally generated packets, you have to 
do so in the OUTPUT table. In this case it will be marked for the 
routing decision which comes next.

Daniel K.

> - And I tried to put the match in POSTROUTING and it did not match
> 
> C
> 
> 
> Daniel K. wrote:
> 
>> Ciprian Niculescu wrote:
>>
>>> does anybody have the whole packet path, a graphic, with: mangle, nat, 
>>> filter, routing, tc, tunnel, for locally generated packets and for 
>>> FORWARDed packets???
>>
>>
>>
>> This is what IPTables looks like.
>>
>>          /------------\       /---------\       /-------------\
>> IN--->---< PREROUTING >--->---< FORWARD >--->---< POSTROUTING >--->--OUT
>>          \------------/       \---------/       \-------------/
>>                 \                                     /
>>                  \                                   /
>>                /-------\   /---------------\   /--------\
>>                < INPUT >->-< LOCAL PROCESS >->-< OUTPUT >
>>                \-------/   \---------------/   \--------/
>>
>>
>> Maybe you should read some of Rusty's Remarkably Unreliable Guides
>> http://netfilter.samba.org/unreliable-guides/
>>
>> In particular, section 6 of Linux 2.4 Packet Filtering HOWTO
>> http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc.html
>>
>>
>>
>>
>> Daniel K.
>>






Re: [LARTC] iproute + mark question

2002-05-14 Thread Ciprian Niculescu

I did this as asked; this is what is at section 6, in the link you provided

Incoming                 /     \         Outgoing
       -->[Routing ]--->|FORWARD|------->
          [Decision]     \_____/        ^
               |                        |
               v                       ____
              ___                     /    \
             /   \                   |OUTPUT|
            |INPUT|                   \____/
             \___/                      ^
               |                        |
               ------> Local Process -----

In this, the local one never hits "routing decision", but let's say it's 
for simplicity :))

And yours is wrong too: Local Process -> OUTPUT -> POSTROUTING -> Out

- so where is the routing decision?
- and I tried to put the match in POSTROUTING and it did not match

C


Daniel K. wrote:

> Ciprian Niculescu wrote:
> 
>> does anybody have the whole packet path, a graphic, with: mangle, nat, 
>> filter, routing, tc, tunnel, for locally generated packets and for 
>> FORWARDed packets???
> 
> 
> This is what IPTables looks like.
> 
>          /------------\       /---------\       /-------------\
> IN--->---< PREROUTING >--->---< FORWARD >--->---< POSTROUTING >--->--OUT
>          \------------/       \---------/       \-------------/
>                 \                                     /
>                  \                                   /
>                /-------\   /---------------\   /--------\
>                < INPUT >->-< LOCAL PROCESS >->-< OUTPUT >
>                \-------/   \---------------/   \--------/
> 
> 
> Maybe you should read some of Rusty's Remarkably Unreliable Guides
> http://netfilter.samba.org/unreliable-guides/
> 
> In particular, section 6 of Linux 2.4 Packet Filtering HOWTO
> http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc.html
> 
> 
> 
> 
> Daniel K.
> 






Re: [LARTC] iproute + mark question

2002-05-14 Thread Daniel K.

Ciprian Niculescu wrote:
> does anybody have the whole packet path, a graphic, with: mangle, nat, 
> filter, routing, tc, tunnel, for locally generated packets and for 
> FORWARDed packets???

This is what IPTables looks like.

         /------------\       /---------\       /-------------\
IN--->---< PREROUTING >--->---< FORWARD >--->---< POSTROUTING >--->--OUT
         \------------/       \---------/       \-------------/
                \                                     /
                 \                                   /
               /-------\   /---------------\   /--------\
               < INPUT >->-< LOCAL PROCESS >->-< OUTPUT >
               \-------/   \---------------/   \--------/


Maybe you should read some of Rusty's Remarkably Unreliable Guides
http://netfilter.samba.org/unreliable-guides/

In particular, section 6 of Linux 2.4 Packet Filtering HOWTO
http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc.html


Daniel K.




[LARTC] iproute + mark question

2002-05-14 Thread Ciprian Niculescu

I want to mark the packets generated locally, and route them differently.

So my logic was to mark in mangle in PREROUTING, because it's 
PRE; doesn't work.

Someone told me to try in OUTPUT in mangle; did it and it works.

so iptables -A OUTPUT -t mangle -p udp --dport 5:51000 -j MARK 
--set-to 0x1

ip rule add fwmark 0x1 table 230
ip route add default via 194... table 230


Why does it work?

So I understand that OUTPUT is before ROUTING, so the order is:

gen local -> OUTPUT(mangle) -> routing -> wire

Does anybody have the whole packet path, a graphic, with: mangle, nat, 
filter, routing, tc, tunnel, for locally generated packets and for 
FORWARDed packets???

C


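The setup the thread converges on (mark port-80 traffic, send it to table 230, add the fwmark rule last and check its position with "ip rule"), written out as a script with the checks a practitioner would run afterwards. This is an added example, not code from any post; mark 0x1 and table 230 are the thread's values, while the interface names eth0/eth1, the 192.0.2.x/198.51.100.x addresses (documentation prefixes standing in for the cable modem and iDSL links) and priority 100 are assumptions. Two additions go beyond what the posts say and are labelled as such in the comments: an SNAT rule on the cable interface, because marked packets otherwise keep the source address picked by the first (iDSL) route lookup, which matches the symptom Jason reports, and copying the non-default routes of the main table into table 230, which answers his "does table 1 need routes to the internal network" question. The sample "ip rule" and "ip route" outputs at the bottom are constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the thread): fwmark policy routing for port 80
# plus post-setup checks. Interface names, addresses and priority are
# assumptions; 192.0.2.0/24 and 198.51.100.0/24 are documentation prefixes
# standing in for the cable modem and iDSL links.
LAN_IF="${LAN_IF:-eth0}"              # internal interface (assumed)
CABLE_IF="${CABLE_IF:-eth1}"          # cable modem interface (assumed)
CABLE_GW="${CABLE_GW:-192.0.2.1}"     # cable modem gateway (assumed)
CABLE_IP="${CABLE_IP:-192.0.2.10}"    # our address on the cable link (assumed)
MARK=0x1                              # mark used in the thread
TABLE=230                             # table used in the thread
PRIO=100                              # lower number than main's 32766
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_mark_routing() {
    # Forwarded LAN traffic is marked in PREROUTING, locally generated
    # traffic in OUTPUT: the kernel re-runs the route lookup when OUTPUT
    # changes the mark, which is why marking there (not in POSTROUTING) works.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark "$MARK"
    # Addition to the thread's recipe: packets sent via the cable link still
    # carry the source address chosen by the first lookup (the iDSL address,
    # or the LAN address for forwarded packets). Rewrite it so that replies
    # come back over the cable modem instead of the iDSL circuit.
    run iptables -t nat -A POSTROUTING -o "$CABLE_IF" -j SNAT --to-source "$CABLE_IP"
    run ip route add default via "$CABLE_GW" dev "$CABLE_IF" src "$CABLE_IP" table "$TABLE"
    # The rule goes in last, with an explicit priority in front of main.
    run ip rule add fwmark "$MARK" priority "$PRIO" table "$TABLE"
    run ip route flush cache          # older kernels cache lookups; drop them
}

connected_routes() {
    # $1: text of `ip route show table main`. Prints every route except the
    # default: the connected/static routes table $TABLE also needs, or marked
    # traffic for the LAN itself would be sent out the cable link.
    printf '%s\n' "$1" | awk '$1 != "default" && NF > 0'
}

copy_connected_routes() {
    connected_routes "$1" | while IFS= read -r route; do
        run ip route add $route table "$TABLE"   # $route unquoted on purpose
    done
}

rule_order_ok() {
    # $1: text of `ip rule show`. Succeeds when the fwmark rule has a lower
    # priority number than the main-table lookup, i.e. is consulted first.
    printf '%s\n' "$1" | awk -v mark="$MARK" '
        index($0, "fwmark " mark) { sub(":", "", $1); fw = $1 + 0; seen_fw = 1 }
        /lookup main/             { sub(":", "", $1); mainprio = $1 + 0; seen_main = 1 }
        END { if (!seen_fw || !seen_main) exit 1; exit !(fw < mainprio) }'
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_RULES='0:      from all lookup local
100:    from all fwmark 0x1 lookup 230
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_MAIN='default via 198.51.100.1 dev eth2
192.0.2.0/24 dev eth1  proto kernel  scope link  src 192.0.2.10
10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.1'

setup_mark_routing
copy_connected_routes "$SAMPLE_MAIN"
if rule_order_ok "$SAMPLE_RULES"; then
    echo "ok: fwmark $MARK rule is consulted before the main table"
else
    echo "problem: main table is consulted before the fwmark rule" >&2
fi
```

Run it as-is to see the commands it would issue; set DRY_RUN=0 (as root) to apply them, and feed `rule_order_ok "$(ip rule show)"` the real rule list to repeat Ciprian's "see with ip rule the order" check against a live system.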