Hello,

I have two ISPs connected to my router. Using "ip rule" I can easily divert traffic to the different uplinks. However, "ip rule" only seems to be able to send packets according to their source or destination address. What I want is to be able to route based on protocol and source port. Is this possible, and how?
On Fri, Apr 19, 2002 at 09:09:35AM +0200, Daniel Ahlberg wrote:
> Hello,
>
> I have two ISPs connected to my router. Using "ip rule" I can easily divert
> traffic to the different uplinks. However, "ip rule" only seems to be able to
> send packets according to their source or destination address. What I want is
> to be able to route based on protocol and source port. Is this possible, and
> how?

I think ip rule has a syntax for that; if it doesn't, use iptables or ipchains to attach a mark to packets with certain source or destination port and create a rule that works on that mark.

Regards,

bert

--
http://www.PowerDNS.com      Versatile DNS Software & Services
http://www.tk                the dot in .tk
http://lartc.org       Linux Advanced Routing & Traffic Control HOWTO
Hello bert

I have the same problem and tried all possibilities I know.

"ip rule" in fact doesn't route based on port because the IP protocol doesn't know about ports. BUT u can solve the problem by using iptables/ipchains with help of MARKs - as u said.

Unfortunately netfilter can only set MARKs at the moment the packets traverse the INPUT queue (of the corresponding interface).

-->
netfilter is not able to set a mark for _locally_ created packets, because the INPUT queue of netfilter is not passed.

=> In fact the MARK mechanism can only be used for incoming packets.

In my scenario I would like to do port based routing on local sockets; I cannot use the MARK feature at all. :(

I don't know of any other method to solve the problem. Any other solutions ??

----
I have only one "hack" in mind:
+ Set up my routing based on source IP.
+ Change the socket() call via LD_PRELOAD to change the namespace to a predefined IP (= source-IP change)
+ On execution of programs on the shell I preload the new socket() when I want to route the network data another way (not the default one).

That way specified network transfers are done via an alternate route defined in "ip route". Possibly one needs to HACK the source code of programs.

Anyone got ideas on this method ?

Thx
Tobias

On Fri, 19 Apr 2002 10:44:53 +0200 "bert hubert" <ahu@ds9a.nl> wrote:
> On Fri, Apr 19, 2002 at 09:09:35AM +0200, Daniel Ahlberg wrote:
> > Hello,
> >
> > I have two ISPs connected to my router. Using "ip rule" I can easily divert
> > traffic to the different uplinks. However, "ip rule" only seems to be able to
> > send packets according to their source or destination address. What I want is
> > to be able to route based on protocol and source port. Is this possible, and
> > how?
>
> I think ip rule has a syntax for that; if it doesn't, use iptables or
> ipchains to attach a mark to packets with certain source or destination port
> and create a rule that works on that mark.
>
> Regards,
>
> bert
>
> --
> http://www.PowerDNS.com      Versatile DNS Software & Services
> http://www.tk                the dot in .tk
> http://lartc.org       Linux Advanced Routing & Traffic Control HOWTO
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> I have the same problem and tried all possibilities I know.
>
> "ip rule" in fact doesn't route based on port because
> the IP protocol doesn't know about ports. BUT u can solve the problem
> by using iptables/ipchains with help of MARKs - as u said.
>
> Unfortunately netfilter can only set MARKs at the moment the
> packets traverse the INPUT queue (of the corresponding interface).
>
> -->
> netfilter is not able to set a mark for _locally_ created packets,
> because the INPUT queue of netfilter is not passed.
>
> => In fact the MARK mechanism can only be used for incoming packets.
>
> In my scenario I would like to do port based routing on local sockets;
> I cannot use the MARK feature at all. :(
>
> I don't know of any other method to solve the problem.
> Any other solutions ??

I too have encountered problems with the marking of packets. When I mark packets destined to port 80 using iptables and dump the traffic using tcpdump I can see the packet coming into the local interface (eth0) and leaving the external interface (eth1), getting a reply from the website I'm trying to visit on eth1, but the reply isn't sent to my computer on the local interface. I am however using old versions of iptables (1.2.2) and iproute (20001007) and I have yet to try out a newer version of both iproute and iptables.
On Fri, Apr 19, 2002 at 03:18:01PM +0200, Tobias wrote:
[...]
> Unfortunately netfilter can only set MARKs at the moment the
> packets traverse the INPUT queue (of the corresponding interface).
>
> -->
> netfilter is not able to set a mark for _locally_ created packets,
> because the INPUT queue of netfilter is not passed.
>
> => In fact the MARK mechanism can only be used for incoming packets.

Prior to 2.4.18, the 'mangle' table had PREROUTING (for incoming packets prior to routing) and OUTPUT (for locally generated packets) chains. After 2.4.18, there are INPUT, FORWARD, and POSTROUTING chains as well.

I'm using the OUTPUT chain of the 'mangle' table to set-tos values, but I'm pretty sure I can --set-mark instead. I'm unable to test it at the moment though.

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[toad.enfusion-group.com] up 26 days, 21:07, 16 users
Hello Adrian

Thanks for your help. It is working with your advice to use the mangle OUTPUT table and the ASCII graphic on http://netfilter.samba.org/documentation/HOWTO//netfilter-hacking-HOWTO.html#toc3.2 .

My simplified ruleset is:

  /usr/sbin/ip rule add from $OFFICIAL_IP_of_2nd_Interface table NP
  /usr/sbin/ip route add default via $Gateway_of_2nd_Interface dev $DEVICE_2_ROUTE_IS_AIMED table NP
  iptables -t mangle -A OUTPUT -p tcp --dport $PORTNUMBER -j MARK --set-mark 1
  /usr/sbin/ip rule add fwmark 1 table NP
  /usr/sbin/ip route flush cache
  iptables -t nat -A POSTROUTING -o $DEVICE_2_ROUTE_IS_AIMED -p tcp --dport $PORTNUMBER -j SNAT --to $OFFICIAL_IP_of_2nd_Interface

Greets
Tobias

On Fri, 19 Apr 2002 11:34:21 -0400 "Adrian Chung" <adrian@enfusion-group.com> wrote:
> On Fri, Apr 19, 2002 at 03:18:01PM +0200, Tobias wrote:
> [...]
> > Unfortunately netfilter can only set MARKs at the moment the
> > packets traverse the INPUT queue (of the corresponding interface).
> >
> > -->
> > netfilter is not able to set a mark for _locally_ created packets,
> > because the INPUT queue of netfilter is not passed.
> >
> > => In fact the MARK mechanism can only be used for incoming packets.
>
> Prior to 2.4.18, the 'mangle' table had PREROUTING (for incoming
> packets prior to routing) and OUTPUT (for locally generated packets)
> chains. After 2.4.18, there are INPUT, FORWARD, and POSTROUTING
> chains as well.
>
> I'm using the OUTPUT chain of the 'mangle' table to set-tos values,
> but I'm pretty sure I can --set-mark instead. I'm unable to test it
> at the moment though.
>
> --
> Adrian Chung (adrian at enfusion-group dot com)
> http://www.enfusion-group.com/~adrian
> GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
> [toad.enfusion-group.com] up 26 days, 21:07, 16 users
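The setup Adrian describes (marking locally generated packets in the mangle OUTPUT chain) and the ruleset Tobias posted, as an added example that is not from the thread: a small POSIX shell script that generates the same policy-routing commands from arguments instead of hard-coded placeholders, with input checks, and that can be piped into sh as root to apply them. The parameter names (port, dev, gw, src, table NP, mark 1), the helper names build_rules and rule_count, and the sample values 203.0.113.x are assumptions of this example. The comments record the point Daniel ran into earlier in the thread (replies not coming back): it is the POSTROUTING SNAT that makes the far end answer to the second uplink's address, so the reply returns over that link.

```shell
#!/bin/sh
# Added example (not from the LARTC thread): generate the policy-routing
# ruleset that sends locally generated TCP traffic for one destination port
# out of a second ISP uplink. Helper and parameter names are assumptions.
#
# Usage: port-route.sh <port> <dev> <gateway> <local-ip> [table] [mark]
#        port-route.sh 443 eth1 203.0.113.1 203.0.113.10 | sh     (as root)

build_rules() {
    port=$1; dev=$2; gw=$3; src=$4
    table=${5:-NP}; mark=${6:-1}
    # Sanity checks: port must be an integer in 1..65535, mark an integer.
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    case $mark in ''|*[!0-9]*) echo "bad mark: $mark" >&2; return 1;; esac
    [ -n "$dev" ] && [ -n "$gw" ] && [ -n "$src" ] || { echo "dev, gateway and local-ip are required" >&2; return 1; }

    cat <<EOF
# Packets already sourced from the second uplink's address use table $table.
ip rule add from $src table $table
# Table $table has its own default route through the second ISP.
ip route add default via $gw dev $dev table $table
# Locally generated TCP to port $port gets fwmark $mark. mangle OUTPUT runs
# before the routing decision for local packets; forwarded traffic never
# passes OUTPUT, so for LAN hosts the MARK rule would go in mangle PREROUTING.
iptables -t mangle -A OUTPUT -p tcp --dport $port -j MARK --set-mark $mark
# Marked packets are looked up in table $table instead of main.
ip rule add fwmark $mark table $table
ip route flush cache
# Rewrite the source address to the second uplink's IP so the remote host
# answers that address and the reply comes back over the second link rather
# than the primary one (or being dropped by ISP 2 as a spoofed source).
iptables -t nat -A POSTROUTING -o $dev -p tcp --dport $port -j SNAT --to-source $src
EOF
}

# Number of commands (non-comment lines) the ruleset contains; handy for
# checking the generated set before piping it into sh.
rule_count() {
    build_rules "$@" | grep -v '^#' | grep -c .
}

# With arguments, print the ruleset; without, only define the functions.
if [ $# -gt 0 ]; then
    build_rules "$@"
fi
```

Run with no arguments the script only defines the functions; `sh port-route.sh 443 eth1 203.0.113.1 203.0.113.10` prints the six commands, and piping that into `sh` as root applies them. The set is not idempotent (a second run appends duplicate rules), so check `ip rule show` and `iptables -t mangle -L OUTPUT -v -n` before re-running. `ip route flush cache` is kept for parity with the thread; on kernels from 3.6 onward there is no route cache and the command is a harmless no-op.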