Hi,
I have some problems with Advanced Routing by FWMARK. Here is my configuration:
static routes ( route -n ) :
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
...
192.168.1.0 10.111.111.1 255.255.255.0 UG 0 0 0 eth0
...
192.168.7.0 10.111.111.6 255.255.255.0 UG 0 0 0 eth2
192.168.6.0 10.111.111.6 255.255.255.0 UG 0 0 0 eth2
192.168.5.0 10.111.111.6 255.255.255.0 UG 0 0 0 eth2
192.168.4.0 10.111.111.6 255.255.255.0 UG 0 0 0 eth2
192.168.3.0 10.111.111.6 255.255.255.0 UG 0 0 0 eth2
192.168.2.0 10.111.111.6 255.255.255.0 UG 0 0 0 eth2
192.168.12.0 10.111.111.6 255.255.255.0 UG 0 0 0 eth2
192.168.11.0 10.111.111.6 255.255.255.0 UG 0 0 0 eth2
192.168.9.0 10.111.111.6 255.255.255.0 UG 0 0 0 eth2
192.168.8.0 10.111.111.6 255.255.255.0 UG 0 0 0 eth2
...
Our network 192.168.1.0/24 (reachable by eth0) is addressed with 192.168.10.0/24 for all other networks, which are reachable by eth2. It works fine with some SNAT-rules and DNAT-rules. The big problem is a second 192.168.1.0 network, which is reachable by eth2. Our network wants to address this network with 192.168.20.0/24.
netfilterscript:
...
# workaround (http://lists.netfilter.org/pipermail/netfilter/2000-November/006089.html)
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/route/flush
...
# rules to route packets from 192.168.1.0 to virtual 192.168.20.0 ==> to second 192.168.1.0
/usr/sbin/iptables -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 17
for ((i=3; i<255; i++)); do
/usr/sbin/iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -d 192.168.20.${i} -j DNAT --to-destination 192.168.1.${i}
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.${i} -o eth2 -j SNAT --to-source 192.168.10.${i}
...
done
...
# in /etc/iproute2/rt_tables: ... 201 m.table ...
ip rule add fwmark 17 table m.table
/sbin/ip route add 192.168.1.0/24 via 10.111.111.6 dev eth2 table m.table
...
EOnetfilterscript
> ip rule ls
0: from all lookup local
32765: from all fwmark 17 lookup m.table
32766: from all lookup main
32767: from all lookup default
> ip route list table m.table
192.168.1.0/24 via 10.111.111.6 dev eth2
But!!!!
Packets from 192.168.1.0/24 to 192.168.20.0/24 leave the router by eth0 (with IP-Header: From 192.168.1.0/24 To 192.168.1.0/24) ==> DNAT works. The mangle-rule works too, because I log all packets marked with 17.
System:
SuSE Linux 8.0 with Kernel SuSE-2.4.18-4GB
Advanced Routing and RouteByFWMARK are configured:
> cd /usr/src/linux
> make cloneconfig
> cat ./.config | grep IP | grep ROUTE
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_LARGE_TABLES=y
CONFIG_IP_MROUTE=y
What's the Problem???
Thanks,
Basti
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Great, it works now:

Mar 16 11:59:15 persephone kernel: IN=eth0 OUT=eth2 SRC=192.168.1.146 DST=192.168.1.146 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=51311 SEQ=256

Basti

"Alexander W. Janssen" <yalla@ynfonatic.de> wrote on 15.03.03 14:17:32:
> On Sat, Mar 15, 2003 at 01:38:23PM +0100, Sebastian Schneider wrote:
> > /usr/sbin/iptables -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 17
>                                                                         ^^
>                                                                        0x17 !
> > ip rule add fwmark 17 table m.table
>                      ^^
>                     0x17 !
>
> I had the same problem once. I realized that iproute seems to treat your 17
> implicitly as hexadecimal, whereas the iptables command accepts decimal and
> hexadecimal values - depending on the 0x prefix. (Or was it vice versa? Can't
> remember.)
>
> Alex.
>
> --
> "Mr Data, when I said 'Fire at Will', I didn't mean for you to be so literal."
> Instructions for use of this post: Insert tongue in cheek. Read as normal.
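A small consistency check for the radix mismatch Alex points at, added here as an example and not part of the thread. It pulls the mark literals out of iptables MARK rules and ip rule lines and decodes them the way C strtoul() would under each tool's radix: base 0 for iptables (decimal unless 0x-prefixed), and base 16 for ip(8) as the thread suggests for that era, which is an assumption and therefore a parameter; the sample lines are constructed from the commands in Basti's post.

```python
import re

# Constructed from the commands in the thread; not read from a live system.
IPTABLES_RULES = [
    "/usr/sbin/iptables -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 17",
]
IP_RULES = [
    "ip rule add fwmark 17 table m.table",
]

SET_MARK = re.compile(r"--set-mark\s+(\S+)")
FWMARK = re.compile(r"\bfwmark\s+(\S+)")


def strtoul(literal, base):
    """Mimic C strtoul(): base 0 auto-detects 0x (hex) and a leading 0 (octal)."""
    s = literal.lower()
    if base == 0:
        if s.startswith("0x"):
            return int(s[2:], 16)
        if len(s) > 1 and s[0] == "0":
            return int(s[1:], 8)
        return int(s, 10)
    if base == 16 and s.startswith("0x"):
        s = s[2:]
    return int(s, base)


def reads_differently(literal):
    """True when a bare literal denotes different numbers in base 10 and 16."""
    if literal.lower().startswith("0x"):
        return False  # explicit prefix: same value whichever tool reads it
    try:
        return strtoul(literal, 10) != strtoul(literal, 16)
    except ValueError:
        return True  # e.g. "1a" is only valid as hex


def audit_marks(iptables_lines, iprule_lines, iptables_base=0, iproute_base=16):
    """List ambiguous literals and marks that are set but never routed (or vice versa).
    iproute_base=16 is the thread's assumption about old ip(8); adjust as needed."""
    set_marks = {strtoul(m.group(1), iptables_base): m.group(1)
                 for line in iptables_lines for m in SET_MARK.finditer(line)}
    rule_marks = {strtoul(m.group(1), iproute_base): m.group(1)
                  for line in iprule_lines for m in FWMARK.finditer(line)}
    findings = []
    for lit in sorted(set(set_marks.values()) | set(rule_marks.values())):
        if reads_differently(lit):
            findings.append(f"ambiguous mark literal {lit!r}: use an explicit 0x prefix in both tools")
    for value, lit in set_marks.items():
        if value not in rule_marks:
            findings.append(f"--set-mark {lit} sets {value} (0x{value:x}) but no ip rule selects that fwmark")
    for value, lit in rule_marks.items():
        if value not in set_marks:
            findings.append(f"ip rule fwmark {lit} selects {value} (0x{value:x}) but no MARK target sets it")
    return findings
```

Run against the thread's two commands it reports the bare "17" as ambiguous and, under the assumed radices, a mark 17 that is set but never routed next to a mark 23 that is routed but never set; writing both values as 0x11 silences all three.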