I want to mark the packets generated locally, and route them differently. So the logic in me was to mark in mangle in PREROUTING, because it's PRE; doesn't work. Someone told me to try in OUTPUT in mangle; did it and it works. So:

iptables -A OUTPUT -t mangle -p udp --dport 50000:51000 -j MARK --set-to 0x1
ip rule add fwmark 0x1 table 230
ip route add default via 194... table 230

Why does it work? So I understand that OUTPUT is before ROUTING, so the order is:

gen local -> OUTPUT(mangle) -> routing -> wire

Does anybody have the whole packet path, a graphic, with: mangle, nat, filter, routing, tc, tunnel, for locally generated packets and for FORWARDed packets???

C
Ciprian Niculescu wrote:
> does anybody have the whole packet path, a graphic, with: mangle, nat,
> filter, routing, tc, tunnel, for locally generated packets and for
> FORWARDed packets???

This is how iptables looks:

          /----------\         /-------\         /-----------\
IN--->---< PREROUTING >--->---< FORWARD >--->---< POSTROUTING >--->--OUT
          \----------/         \-------/         \-----------/
                \                                          /
                 \                                        /
               /-----\         /-------------\         /------\
              < INPUT >--->---< LOCAL PROCESS >--->---< OUTPUT >
               \-----/         \-------------/         \------/

Maybe you should read some of Rusty's Remarkably Unreliable Guides
http://netfilter.samba.org/unreliable-guides/

In particular, section 6 of Linux 2.4 Packet Filtering HOWTO
http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc.html

Daniel K.
I did this I asked; this is what it is at section 6, in the link you provided:

                     _____
Incoming            /     \         Outgoing
       -->[Routing ]--->|FORWARD|------->
          [Decision]    \_____/        ^
               |                       |
               v                      ____
              ___                    /    \
             /   \                  |OUTPUT|
            |INPUT|                  \____/
             \___/                     ^
               |                       |
                ----> Local Process ----

In this the local is never "routing decision", but let's say it's for simplicity :))

And yours is wrong too: Local Process -> OUTPUT -> POSTROUTING -> Out

- so the routing decision is where?
- and I tried to put the match in POSTROUTING and did not match

C

Daniel K. wrote:
> Ciprian Niculescu wrote:
>
>> does anybody have the whole packet path, a graphic, with: mangle, nat,
>> filter, routing, tc, tunnel, for locally generated packets and for
>> FORWARDed packets???
>
> This is how iptables looks:
>
>           /----------\         /-------\         /-----------\
> IN--->---< PREROUTING >--->---< FORWARD >--->---< POSTROUTING >--->--OUT
>           \----------/         \-------/         \-----------/
>                 \                                          /
>                  \                                        /
>                /-----\         /-------------\         /------\
>               < INPUT >--->---< LOCAL PROCESS >--->---< OUTPUT >
>                \-----/         \-------------/         \------/
>
> Maybe you should read some of Rusty's Remarkably Unreliable Guides
> http://netfilter.samba.org/unreliable-guides/
>
> In particular, section 6 of Linux 2.4 Packet Filtering HOWTO
> http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc.html
>
> Daniel K.
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Ciprian Niculescu wrote:
> I did this I asked; this is what it is at section 6, in the link you
> provided:
>
>                      _____
> Incoming            /     \         Outgoing
>        -->[Routing ]--->|FORWARD|------->
>           [Decision]    \_____/        ^
>                |                       |
>                v                      ____
>               ___                    /    \
>              /   \                  |OUTPUT|
>             |INPUT|                  \____/
>              \___/                     ^
>                |                       |
>                 ----> Local Process ----
>
> In this the local is never "routing decision", but let's say it's for
> simplicity :))
>
> And yours is wrong too: Local Process -> OUTPUT -> POSTROUTING -> Out
>
> - so the routing decision is where?

The routing decision is between OUTPUT and POSTROUTING; POSTROUTING means AFTER routing.

So you may say: "Locally generated packet" -> OUTPUT -> "Routing Decision" -> POSTROUTING.

If you want to mangle (e.g. mark) locally generated packets, you have to do so in the OUTPUT table. In this case it will be marked for the routing decision which comes next.

Daniel K.

> - and I tried to put the match in POSTROUTING and did not match
>
> C
> The routing decision is between OUTPUT and POSTROUTING;
> POSTROUTING means AFTER routing.
>
> So you may say: "Locally generated packet" -> OUTPUT -> "Routing
> Decision" -> POSTROUTING.

Yes, I know, I do it now, but the question was, still is: are there other "tips" left out of the AdvRoutingHOWTO????

So the new/more real graph is:

      /----------\     /-------\     /-------\     /-----------\
IN->-< PREROUTING >->-< FORWARD >->-< routing >->-< POSTROUTING >->-OUT
      \----------/     \-------/     \-------/     \-----------/
            \                               ^
             \                              |
         /-----\     /-------------\     /------\
        < INPUT >->-< LOCAL PROCESS >->-< OUTPUT >
         \-----/     \-------------/     \------/

Is it correct? Now that I started this thread, I want to finish the picture :)

C
Hello,

On Tue, 14 May 2002, Daniel K. wrote:

> > - so the routing decision is where?
> The routing decision is between OUTPUT and POSTROUTING;
> POSTROUTING means AFTER routing.

Wrong, the order is:

- routing decision requested from sockets
- OUTPUT
- netfilter routing hacks (rerouting after routing key change)
- POSTROUTING

Maybe one day someone will update this picture in the right way :)

> Daniel K.

Regards

--
Julian Anastasov <ja@ssi.bg>
Ciprian Niculescu wrote:
> I want to mark the packets generated locally, and route them differently

We have almost the same scenario except we need to use tcp instead of udp and we want to direct all port 80 traffic from the internal network out our new cable modem instead of using the older (slower) iDSL circuit.

> so iptables -A OUTPUT -t mangle -p udp --dport 50000:51000 -j MARK
> --set-to 0x1

I think this ^^^^^ needs to be --set-mark?

It seems that 'iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 0x1' works, because iptables -t mangle -L -v outputs packet count sizes and shows that the specific rules are being matched.

> ip rule add fwmark 0x1 table 230
> ip route add default via 194... table 230

We did exactly these steps as well (except we used table 1) and gave the rules a priority. Is this maybe where we went wrong? It just doesn't work. The packets are being marked but are apparently not being dumped into the correct routing table properly. When the packets that are marked are logged, they have the source address of the iDSL circuit instead of the cable modem, because the iDSL is the default route for the 'main' table (I assume). The web traffic does not work either. It just seems to go out the iDSL and doesn't appear to come back. Or if it does, it does not know how to route internally for some reason, even though the source address is the iDSL, which it should know everything it needs to know about in order to route it back into the internal network. Does routing table 1 need to have routes to the internal network? I wouldn't think so, but I could be mistaken.

--
Jason A. Pattie
pattieja@pcxperience.com

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
I did my work; my problem was that there are differences between the HOWTO and reality. So let's see your problem.

Jason A. Pattie wrote:
> We have almost the same scenario except we need to use tcp instead of
> udp and we want to direct all port 80 traffic from the internal network
> out our new cable modem instead of using the older (slower) iDSL circuit.

Steps:
- mark packets to port 80 coming from the internal interface
- put them in a different routing table
- put the default in the new table where you want to go

>> so iptables -A OUTPUT -t mangle -p udp --dport 50000:51000 -j MARK
>> --set-to 0x1
>
> I think this ^^^^^ needs to be
> --set-mark?

Yes, you're right, I wrote the line from memory, not copy&paste :))

> It seems that 'iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK
> --set-mark 0x1' works, because iptables -t mangle -L -v outputs packet
> count sizes and shows that the specific rules are being matched.
>
>> ip rule add fwmark 0x1 table 230
>> ip route add default via 194... table 230

I suggest that you mark packets in the PREROUTING with:

iptables -t mangle -A PREROUTING -i <internal interface> -p tcp \
    --dport 80 -j MARK --set-mark 0x1

After, put the

ip rule add fwmark 0x1 table 230
ip route add default via 194... table 230

to be the last lines executed in the script; in this way the rule will be treated first. See with "ip rule" the order.

Hope that helps

C
Thanks for the response.

Ciprian Niculescu wrote:
> Steps:
> - mark packets to port 80 coming from the internal interface
> - put them in a different routing table
> - put the default in the new table where you want to go
>
>> It seems that 'iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK
>> --set-mark 0x1' works, because iptables -t mangle -L -v outputs
>> packet count sizes and shows that the specific rules are being matched.
>>
>>> ip rule add fwmark 0x1 table 230
>>> ip route add default via 194... table 230
>
> I suggest that you mark packets in the PREROUTING with:
>
> iptables -t mangle -A PREROUTING -i <internal interface> -p tcp \
>     --dport 80 -j MARK --set-mark 0x1

Sorry, forgot to mention this. We have done this. When doing a tcpdump on the cable modem, we were seeing packets coming back from (say) yahoo.com around 10-15 seconds after sending them with the IP address of the iDSL circuit!! which doesn't make sense at all.

> After, put the
>
> ip rule add fwmark 0x1 table 230
> ip route add default via 194... table 230
>
> to be the last lines executed in the script; in this way the rule will
> be treated first. See with "ip rule" the order.

Ok.

> Hope that helps

Thanks.

--
Jason A. Pattie
pattieja@pcxperience.com
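An added example, not code from anyone in this thread: a small Python model of the hook order Julian Anastasov gives (routing requested from the socket, OUTPUT, reroute after the routing key changes, POSTROUTING; PREROUTING and FORWARD for forwarded packets) together with `ip rule` priority order. It shows why a MARK set in OUTPUT reroutes a locally generated packet while one set in PREROUTING or POSTROUTING does not, why Jason's port-80 packets from the LAN must be marked in PREROUTING, and why a fwmark rule given a priority after the main rule never fires. Interface names (idsl0, cable0, eth1), rule priorities and the sample packets are constructed; table 230 and the port matches come from the thread.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str
    dport: int
    local: bool           # True: generated by a local process, else forwarded
    in_iface: str = ""    # ingress interface, forwarded packets only
    mark: int = 0

# Constructed setup: 'main' defaults out the iDSL link, table 230 out the cable link.
TABLES = {"main": "idsl0", 230: "cable0"}
# ip rules as (priority, fwmark or None, table), consulted in priority order.
GOOD_RULES = [(1000, 0x1, 230), (32766, None, "main")]
BAD_RULES = [(32766, None, "main"), (40000, 0x1, 230)]  # fwmark rule after main: dead
def route(pkt, ip_rules):
    """Policy routing: the first rule whose selector matches chooses the table."""
    for _prio, fwmark, table in sorted(ip_rules, key=lambda r: r[0]):
        if fwmark is None or pkt.mark == fwmark:
            return TABLES[table]
    raise LookupError("no matching rule")

def mangle(chain, pkt, mark_rules):
    """Apply the MARK rules installed in one mangle chain."""
    for r_chain, match, mark in mark_rules:
        if r_chain == chain and match(pkt):
            pkt.mark = mark
def traverse(pkt, mark_rules, ip_rules):
    """Return the egress interface, following the hook order from the thread."""
    if pkt.local:
        out = route(pkt, ip_rules)          # routing requested by the socket
        before = pkt.mark
        mangle("OUTPUT", pkt, mark_rules)
        if pkt.mark != before:              # netfilter reroutes after a key change
            out = route(pkt, ip_rules)
    else:
        mangle("PREROUTING", pkt, mark_rules)
        out = route(pkt, ip_rules)
        mangle("FORWARD", pkt, mark_rules)
    mangle("POSTROUTING", pkt, mark_rules)  # after routing: cannot change `out`
    return out

# Matches: Ciprian's UDP 50000-51000 rule and the port-80-from-LAN rule for Jason.
def udp_hi(p): return p.proto == "udp" and 50000 <= p.dport <= 51000
def lan_http(p): return p.in_iface == "eth1" and p.proto == "tcp" and p.dport == 80
def local_udp_marked_in(chain, ip_rules=GOOD_RULES):
    return traverse(Packet("udp", 50500, True), [(chain, udp_hi, 0x1)], ip_rules)
def forwarded_http(ip_rules=GOOD_RULES):
    return traverse(Packet("tcp", 80, False, "eth1"), [("PREROUTING", lan_http, 0x1)], ip_rules)
```

Running `ip rule` on the box shows the real priority order the model sorts by; a fwmark rule listed after `32766: from all lookup main` is the BAD_RULES case.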