Stephane Ouellette
2002-Oct-07 16:28 UTC
Problem routing packets using fwmark and netfilter
Folks,

I will install in the near future a firewall/router on which two NICs are
connected to two different ISPs. I have read the iproute2 documentation
and have been able to do some policy routing.

SUCCESSFUL TEST
---------------

Let's start with a simple ping test. I will ping two known computers on
the internet using different gateways. Following are the commands I have
entered to enable policy routing using the destination address as the
routing key (suppose that eth0 and eth1 are the NICs connected to my
ISPs):

ip route add $LAN1 dev eth0 src $MYADDR1 table lan1
ip route add default via $GATEWAY1 table lan1
ip route add $LAN2 dev eth1 src $MYADDR2 table lan2
ip route add default via $GATEWAY2 table lan2
ip rule add to $TESTMACHINE1 table lan1
ip rule add to $TESTMACHINE2 table lan2

Now, pinging $TESTMACHINE1 or $TESTMACHINE2 shows the expected behaviour.

MY PROBLEM
----------

Suppose I want to do some policy routing using the fwmark as a routing
key. I should have entered the following commands:

iptables -t mangle -A OUTPUT -o eth0 -p icmp --icmp-type \
    -d $TESTMACHINE1 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -o eth1 -p icmp --icmp-type \
    -d $TESTMACHINE2 -j MARK --set-mark 2
ip rule add fwmark 1 table lan1
ip rule add fwmark 2 table lan2

Now, pinging $TESTMACHINE1 or $TESTMACHINE2 always uses the same
gateway! The iptables rule counters increment as expected, but it seems
that the fwmark has no effect on routing!!!

MY CONFIGURATION
----------------

RedHat 7.2 on i686
Kernel 2.4.20-pre9 (all options related to advanced routing are enabled)
Today's CVS snapshot of the Netfilter project

Any suggestion would be greatly appreciated!!!

Stephane.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Ramin Alidousti
2002-Oct-07 17:11 UTC
Re: Problem routing packets using fwmark and netfilter
On Mon, Oct 07, 2002 at 12:28:46PM -0400, Stephane Ouellette wrote:

> MY PROBLEM
> ----------
>
> Suppose I want to do some policy routing using the fwmark as a routing
> key. I should have entered the following commands:
>
> iptables -t mangle -A OUTPUT -o eth0 -p icmp --icmp-type \
>     -d $TESTMACHINE1 -j MARK --set-mark 1
> iptables -t mangle -A OUTPUT -o eth1 -p icmp --icmp-type \
>     -d $TESTMACHINE2 -j MARK --set-mark 2

I'd remove the '-o' option as you don't know yet where the packets
would be routed to.

Ramin

PS. You forgot the --icmp-type argument. Did your linux box take
these commands?

> ip rule add fwmark 1 table lan1
> ip rule add fwmark 2 table lan2
>
> Now, pinging $TESTMACHINE1 or $TESTMACHINE2 always uses the same
> gateway! The iptables rule counters increment as expected, but it seems
> that the fwmark has no effect on routing!!!
Stephane Ouellette
2002-Oct-07 22:21 UTC
Re: Problem routing packets using fwmark and netfilter
Ramin Alidousti wrote:

> On Mon, Oct 07, 2002 at 12:28:46PM -0400, Stephane Ouellette wrote:
>
>> MY PROBLEM
>> ----------
>>
>> Suppose I want to do some policy routing using the fwmark as a routing
>> key. I should have entered the following commands:
>>
>> iptables -t mangle -A OUTPUT -o eth0 -p icmp --icmp-type \
>>     -d $TESTMACHINE1 -j MARK --set-mark 1
>> iptables -t mangle -A OUTPUT -o eth1 -p icmp --icmp-type \
>>     -d $TESTMACHINE2 -j MARK --set-mark 2
>
> I'd remove the '-o' option as you don't know yet where the packets
> would be routed to.
>
> Ramin
>
> PS. You forgot the --icmp-type argument. Did your linux box take
> these commands?

Ramin,

I mistyped the commands I entered. In fact, you should read:

iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \
    -d $TESTMACHINE1 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \
    -d $TESTMACHINE2 -j MARK --set-mark 2

Stephane

>> ip rule add fwmark 1 table lan1
>> ip rule add fwmark 2 table lan2
>>
>> Now, pinging $TESTMACHINE1 or $TESTMACHINE2 always uses the same
>> gateway! The iptables rule counters increment as expected, but it seems
>> that the fwmark has no effect on routing!!!
Ramin Alidousti
2002-Oct-07 23:51 UTC
Re: Problem routing packets using fwmark and netfilter
On Mon, Oct 07, 2002 at 06:21:52PM -0400, Stephane Ouellette wrote:

>>> Suppose I want to do some policy routing using the fwmark as a routing
>>> key. I should have entered the following commands:
>>>
>>> iptables -t mangle -A OUTPUT -o eth0 -p icmp --icmp-type \
>>>     -d $TESTMACHINE1 -j MARK --set-mark 1
>>> iptables -t mangle -A OUTPUT -o eth1 -p icmp --icmp-type \
>>>     -d $TESTMACHINE2 -j MARK --set-mark 2
>>
>> I'd remove the '-o' option as you don't know yet where the packets
>> would be routed to.
>>
>> Ramin
>>
>> PS. You forgot the --icmp-type argument. Did your linux box take
>> these commands?
>
> Ramin,
>
> I mistyped the commands I entered. In fact, you should read:

That's what I figured :-)

But anyway, did you try these rules without the '-o' options?

Another point is that, if I remember correctly, either mangle or nat
used to have problems with the OUTPUT chain in the past.

Ramin

> iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \
>     -d $TESTMACHINE1 -j MARK --set-mark 1
> iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \
>     -d $TESTMACHINE2 -j MARK --set-mark 2
>
> Stephane
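The setup discussed in this thread, written out as one script. This is an added example, not code posted by Stephane or Ramin or from the LARTC HOWTO: it builds the per-ISP tables from the first message, marks locally generated echo requests in mangle OUTPUT with the corrected --icmp-type and without the "-o" match Ramin suggests dropping, and installs the fwmark rules with explicit priorities. Interface names, the RFC 5737 addresses, table numbers 101/102 and rule priorities are assumptions standing in for the $LAN1/$GATEWAY1/$TESTMACHINE1 variables of the original. A DRY_RUN mode prints the commands instead of executing them, so the plan can be inspected without root; the "ip route get ... mark N" check at the end needs a newer iproute2 than the 2002-era one and shows which table a marked packet actually hits.

```shell
#!/bin/sh
# Added example: fwmark-based policy routing across two ISP uplinks.
# Addresses, interfaces, table numbers and priorities are assumptions.
set -eu

# Assumed topology (constructed for this example).
WAN1_IF=eth0; WAN1_NET=203.0.113.0/24;  WAN1_ADDR=203.0.113.10;  WAN1_GW=203.0.113.1
WAN2_IF=eth1; WAN2_NET=198.51.100.0/24; WAN2_ADDR=198.51.100.10; WAN2_GW=198.51.100.1
TEST1=192.0.2.1   # stands in for $TESTMACHINE1
TEST2=192.0.2.2   # stands in for $TESTMACHINE2

# run: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# policy_tables: one routing table per ISP with its own default route.
# Numeric table ids avoid having to edit /etc/iproute2/rt_tables.
policy_tables() {
    run ip route add "$WAN1_NET" dev "$WAN1_IF" src "$WAN1_ADDR" table 101
    run ip route add default via "$WAN1_GW" table 101
    run ip route add "$WAN2_NET" dev "$WAN2_IF" src "$WAN2_ADDR" table 102
    run ip route add default via "$WAN2_GW" table 102
}

# mark_rules: mark locally generated echo requests in mangle OUTPUT.
# No "-o" match: for local traffic the output interface is the result of
# the routing decision the mark is supposed to steer, so matching on it
# here would only ever confirm the default choice.
mark_rules() {
    run iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \
        -d "$TEST1" -j MARK --set-mark 1
    run iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \
        -d "$TEST2" -j MARK --set-mark 2
}

# fwmark_rules: route by mark. Explicit priorities keep these ahead of the
# main-table lookup (priority 32766) and in a predictable order.
fwmark_rules() {
    run ip rule add priority 1001 fwmark 1 table 101
    run ip rule add priority 1002 fwmark 2 table 102
}

# verify: let the kernel report which table a marked packet selects.
verify() {
    run ip rule show
    run ip route get "$TEST1" mark 1
    run ip route get "$TEST2" mark 2
}

# generated_commands: the full plan as text, one command per line.
generated_commands() {
    ( DRY_RUN=1; policy_tables; mark_rules; fwmark_rules; verify )
}

if [ "${1:-}" = "apply" ]; then
    policy_tables; mark_rules; fwmark_rules; verify   # needs root
else
    generated_commands
fi
```

Run it without arguments to review the plan, then with "apply" as root. Compare the "ip route get" output for mark 1 and mark 2: if both still report the same gateway while the iptables counters climb, the rules are installed but the kernel is not re-routing on the mark, which narrows the problem to the OUTPUT path rather than to the rule set.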