LARTC - Feb 2006 - Routing for multiple interfaces (marking ports)

Hello guys,

    I am still in doubt about this kind of server. So my question is about
the "prio" at routing tables like:

    I have 3 tables in /etc/iproute2/rt_tables:

201 201
202 202
222 222

    In table 201 there is the rules about my internet link (frame relay)
that comes into eth0. So I made this route into it:

[root@ns2 iproute2]# ip route show table 201
default via 200.163.208.1 dev eth0  proto static  src 200.163.208.3
prohibit default  proto static  metric 1

    In table 202 there is the rules about my internet link (adsl) that comes
into eth2. So I made this route into it:

[root@ns2 iproute2]# ip route show table 202
default via 10.1.1.1 dev eth2  proto static  src 10.1.1.10
prohibit default  proto static  metric 1

    In table 222 there is the rules about both link, if I want to make
balance in them. But I dont want to balance I just want to make all traffic
from my netowork to the internet that goes to port 80 go through my DSL line
(eth2) and all the rest goes through eth0 (frame relay), so into table 222 I
made this route:

[root@ns2 iproute2]# ip route show table 222
default via 200.163.208.1 dev eth0  proto static  src 200.163.208.3

    I have marked all packges with port 80 as destination like this:

IPT="/usr/local/sbin/iptables"
$IPT -t mangle -F
$IPT -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
$IPT -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
$IPT -t mangle -A PREROUTING -d ! 200.163.208.0/25 -p tcp -m tcp --dport
80 -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -d ! 200.163.208.0/25 -p udp -m udp --dport
80 -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -p tcp -m mark --mark 2 -j CONNMARK --save-mark
$IPT -t mangle -A PREROUTING -p udp -m mark --mark 2 -j CONNMARK --save-mark

    Until now its all right, I think. My doubt came here. How can I set this
MARK to go ONLY to the table 202? So I made a rule like this:

/sbin/ip rule add prio 210 fwmark 2 table 202

    This is my problem. I think it is all working but I need to know how the
TABLES prio works. My list of tables and rules looks like this:

[root@ns2 iproute2]# ip rule
0:      from all lookup local
50:     from all lookup main
201:    from 200.163.208.0/26 lookup 201
202:    from 10.1.1.0/24 lookup 202
210:    from all fwmark 0x2 lookup 202
222:    from all lookup 222
32766:  from all lookup main
32767:  from all lookup default

    This prio reads tables from lower prio (0) to higher prio (32767) or it
makes reading this the other way?

Att,

Nataniel Klug

hi

Nataniel Klug wrote:
> [root@ns2 iproute2]# ip rule
> 0:      from all lookup local
> 50:     from all lookup main
> 201:    from 200.163.208.0/26 lookup 201
> 202:    from 10.1.1.0/24 lookup 202
> 210:    from all fwmark 0x2 lookup 202
> 222:    from all lookup 222
> 32766:  from all lookup main
> 32767:  from all lookup default
> 
>     This prio reads tables from lower prio (0) to higher prio (32767) or it
> makes reading this the other way?
0 is the highest priority, this means the first rule which will be used.
so you must give your fwmark rule a higher priority, let''s say 200, in
order to have it working. otherwise the rules with prio 201 let''s go
packages from 200.163.208/26 to the link in 201 regardless of it''s
mark.

peter

-- 
:: e n d i a n
:: open source - open minds

:: peter warasin
:: http://www.endian.it   :: peter@endian.it