Grant Furick wrote:
> I am trying to use netfilter (iptables) to mark packets bound for port
> 25 on the internal interface and then using iproute2 to route those
> marked packets over the DSL. Everything seems to work as intended
> except that email traffic is going out over the internal ip (thru cable)
> and not the DSL. So it doesn't seem like the marking and routing that I
> have setup is working right.
>
> My scenario is:
> 1 Redhat 7.3 Linux machine (kernel 2.4.18-3)
> 1 network appliance
> 1 dsl router
> 1 cable modem
>
> The linux machine has:
> 2 nics (1 static ip DSL, 2nd ip is internal 192.168.0.10 goes through
> network appliance via nat out cable modem)
>
> I want all traffic coming in over DSL to go out over DSL and all traffic
> coming in to the internal IP to go out the internal IP. There are
> actually other internal ip lan clients but they are separate from this
> scenario. The one caveat would be to have all outgoing smtp traffic go
> over the DSL. Sendmail runs on all interfaces. I need all outbound
> email to go out over DSL because some email servers
> (earthlink/mindspring) are blocking mail servers coming from certain
> cable modem ips. The last caveat is that I want the default route of
> traffic, or all originating traffic that is non smtp, to go out over the
> cable modem to take advantage of the fast download speed of cable as
> compared to the slower DSL.
>
> Here is the script I am running out of rc.local at boot. Can anyone
> suggest changes to make it work?
>
> #!/bin/sh
>
> P1_NET=65.X.X.208
> P2_NET=192.168.0.0
> # DSL
> IF1=eth0
> # Internal nat'd to cable
> IF2=eth1
> IP1=65.X.X.210
> IP2=192.168.0.10
> P1=65.X.X.209
> P2=192.168.0.1
>
> ip route add $P1_NET dev $IF1 src $IP1 table DSL
> ip route add default via $P1 table DSL
> ip route add $P2_NET dev $IF2 src $IP2 table CABLE
> ip route add default via $P2 table CABLE
> ip route add $P1_NET dev $IF1 src $IP1
> ip route add $P2_NET dev $IF2 src $IP2
> ip route add default via $P2
> ip route add default via $P1 dev $IF1 table MAIL.OUT
> ip rule add fwmark 1 table MAIL.OUT prio 220
> ip rule add from $IP1 table DSL prio 230
> ip rule add from $IP2 table CABLE prio 240
> ip route flush cache
>
> # End of script
>
> This is the iptables cmd I ran and is restored on reboot by iptables:
> iptables -A PREROUTING -i eth1 -t mangle -p tcp --dport 25 -j MARK --set-mark 1
>
> Here is the rt_tables file:
> #
> # reserved values
> #
> #255 local
> #254 main
> #253 default
> #0 unspec
>
> #
> # local
> #
> #1 inr.ruhep
> 200 DSL
> 201 CABLE
> 202 MAIL.OUT
>
> I appreciate any help or direction. I have kind of merged two scripts
> from
> http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html
> And
> http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html
>
> Do I need to enable ip forwarding or turn off the reverse path filter?
>
> Grant Furick
>
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
Grant,
First of all, locally-generated traffic doesn't go through the
MANGLE/PREROUTING table. It goes through the tables using the following
order: MANGLE/OUTPUT, NAT/OUTPUT, FILTER/OUTPUT, MANGLE/POSTROUTING and
NAT/POSTROUTING.
I've been trying to use the fwmark as a routing key for
locally-generated traffic and never succeeded. The reason is that the
routing decision is taken BEFORE the packet is sent to the MANGLE/OUTPUT
table. On the other hand, I can use the fwmark as a routing key for
forwarded traffic.
I'm no expert in sendmail, but I suggest that you modify its
configuration to achieve your goal, which is selecting the output interface.
To answer your last questions, you don't need to enable forwarding
nor disable the reverse path filtering.
Regards,
Stephane.
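The following script is an added example for this thread; it is neither Grant's rc.local script nor anything Stephane posted. It separates the two places where SMTP packets have to be marked on Grant's box: Sendmail's own packets only traverse mangle OUTPUT (never PREROUTING, which sees only packets arriving on an interface), while SMTP forwarded from LAN clients on eth1 traverses mangle PREROUTING. Steering local packets by a mark set in OUTPUT works on kernels that re-evaluate the route after the mangle OUTPUT chain (current Linux kernels do); where that is not the case, Stephane's suggestion of binding Sendmail to the DSL address so the `from $IP1` rule selects the DSL table is the alternative. The SNAT rule is an assumption added here: a re-routed local packet keeps the source address picked by the first routing decision (the cable-side 192.168.0.10), which would be rejected or asymmetrically routed on the DSL link. Addresses are the thread's placeholders (65.X.X.* is not a real address), 198.51.100.1 is a constructed documentation address, and `DRY_RUN=1` (the default) prints the commands instead of executing them so the generated rule set can be reviewed first.

```shell
#!/bin/sh
# Added example for the LARTC thread, not Grant's or Stephane's code.
# Mark SMTP both for locally generated packets (mangle OUTPUT) and for
# forwarded LAN packets (mangle PREROUTING), then route by fwmark over DSL.

IF1=eth0            # DSL interface
IF2=eth1            # internal interface, NAT'd to cable by the appliance
IP1=65.X.X.210      # placeholder DSL address from the thread
IP2=192.168.0.10    # internal address
P1=65.X.X.209       # placeholder DSL gateway
MARK=1              # fwmark used for SMTP

# Print the command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Netfilter side. The chains are flushed first so re-running the script
# does not stack duplicate rules.
mark_rules() {
    run iptables -t mangle -F OUTPUT
    run iptables -t mangle -F PREROUTING
    run iptables -t nat -F POSTROUTING
    # SMTP generated on the router itself (Sendmail): mangle OUTPUT
    run iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark "$MARK"
    # SMTP forwarded from LAN clients entering on eth1: mangle PREROUTING
    run iptables -t mangle -A PREROUTING -i "$IF2" -p tcp --dport 25 -j MARK --set-mark "$MARK"
    # Assumed addition: marked packets leaving on DSL carry the DSL address,
    # because a re-routed local packet keeps the source chosen before the mark
    run iptables -t nat -A POSTROUTING -o "$IF1" -m mark --mark "$MARK" -j SNAT --to-source "$IP1"
}

# Policy-routing side. MAIL.OUT must exist in /etc/iproute2/rt_tables
# ("202 MAIL.OUT" in the thread); the per-link DSL/CABLE tables from the
# original script are unchanged and not repeated here.
route_rules() {
    run ip route add default via "$P1" dev "$IF1" table MAIL.OUT
    run ip rule add fwmark "$MARK" table MAIL.OUT prio 220
    run ip route flush cache
}

# Check which way the kernel would send a marked vs. an unmarked packet.
# Only meaningful with DRY_RUN=0, root, and an iproute2 that accepts "mark"
# on route lookups. 198.51.100.1 is a constructed documentation address.
verify() {
    printf 'SMTP (mark %s): ' "$MARK"
    ip route get 198.51.100.1 mark "$MARK"
    printf 'other traffic:  '
    ip route get 198.51.100.1
}

mark_rules
route_rules
[ "${DRY_RUN:-1}" = 1 ] || verify
```

Run it once as is to review the commands, then with `DRY_RUN=0` as root to apply them; the `verify` output should show the marked lookup leaving via `eth0` and the unmarked one via the cable gateway.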