hi all,

THE SCENARIO:
we are connected to 2 ISPs, both having their own large networks. ISP A has a gateway with an OFC network while ISP B has a satellite gateway, and hence there are advantages to taking specific routes through a specific ISP.

PRESENT IMPLEMENTATION:
the present linux box runs kernel-2.4.19, Julian's multiroute patch, iproute-ss020116, htb3.6-020525 & iptables-1.2.7a. This box has 5 ether ports & is presently doing only **source** based policy routing for access to the internet. At present no squid is implemented in this box. Things have been working well for the last 40-45 days!

THE RULES DEFINED:
10:    from all lookup main
50:    from <ipNetispA> lookup ispA
50:    from all fwmark 50 lookup ispA
75:    from <ipNetispB> lookup ispB
75:    from all fwmark 75 lookup GNFC
100:   from <localNetA> lookup balance
100:   from <localNetB> lookup balance
100:   from <localNetC> lookup balance
100:   from all fwmark 100 lookup balance
32766: from all lookup main
32767: from all lookup default

THE ROUTES:
[root@ICG surfNet]# ip route ls ta ispA
default via <gatewayISP-A> dev eth3 proto static src <eth3ISP-A>
prohibit default proto static metric 1

[root@ICG surfNet]# ip route ls ta ispB
default via <gatewayISP-B> dev eth0 proto static src <eth0ISP-B>
prohibit default proto static metric 1

[root@ICG surfNet]# ip route ls ta balance
default proto static
        nexthop via <gatewayISP-A> dev eth3 weight 3
        nexthop via <gatewayISP-B> dev eth0 weight 1
prohibit default proto static metric 1

[root@ICG surfNet]# ip route ls ta default
default via <gatewayISP-B> dev eth0

THE GOAL:
we want policy routing based on the owner of the packet; in particular we want squid to take the best path -- best path according to us (pls no BGP here).

WHAT WE TRIED:
we tried using iptables owner based rules & marked packets (as one can see in the rules above), but it didn't help.

iptables -I OUTPUT -t mangle -m owner --uid-owner <squid> -d 202.0.0.0/8 -j MARK --set-mark 50
iptables -I OUTPUT -t mangle -m owner --uid-owner <squid> -d 204.0.0.0/7 -j MARK --set-mark 50
iptables -I OUTPUT -t mangle -m owner --uid-owner <squid> -d 203.0.0.0/8 -j MARK --set-mark 75
iptables -I OUTPUT -t mangle -m owner --uid-owner <squid> -d 216.0.0.0/8 -j MARK --set-mark 75

but packets were not marked, as seen by >> iptables -nvL -t mangle, & hence owner based policy routing is not working. Hence now we turn to the list for help. Awaiting a reply, thanks to you all in advance.

A.H

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
On Friday, 11 October 2002, at 09:34:38 +0530, Arindam Haldar wrote:

> THE SCENARIO:
> we are connected to 2 isp, both having their large network.. isp A has
> gateway with ofc network while ispB has satellite gateway & hence there
> are advantages to take specific routes thru specific isp.
>
I suppose this box has three network connections, one to the internal network, and one for each Internet connection. So, for the traffic coming from the internal network, this box is a router.

> THE RULES DEFINED:
> 10: from all lookup main
>
"ip rule" entries are checked from lower to higher numbers, so once "table local" (prio 0) has been visited, all your traffic (from all) visits "table main". I suppose "table main" doesn't have a default route of some sort, because that would stop packet routing at that point, rendering the rest of "ip rule" useless.

> WHAT WE TRIED:
> we tried using iptables owner based rules & marked packets( as one can
> see in rules above), but it didnt help.
> iptables -I OUTPUT -t mangle -m owner --uid-owner <squid> -d 202.0.0.0/8
> -j MARK --set-mark 50
> but packets were not marked as seen by >> iptables -nvL -t mangle
> & hence owner based policy routing not working
>
If "iptable -t mangle -L -vn" shows no matches, it can be for two reasons: either the destination address doesn't match, or uid-owner doesn't match. I have never used "--match owner" myself, but a quick try here seems to work, at least for a simple network application. Maybe squid runs as user "squid" (or whatever), but netfilter sees the packets as originating from another user, maybe root, maybe no user at all.

--
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Woody (Linux 2.4.18-586tsc)
Hello,

On Fri, 11 Oct 2002, Arindam Haldar wrote:

> 50: from all fwmark 50 lookup ispA

fwmark in ip rule is 0x50 (it is defined and printed in hex)

> iptables -I OUTPUT -t mangle -m owner --uid-owner <squid> -d 202.0.0.0/8
> -j MARK --set-mark 50

and here 50 is 0x32 (not 0x50). Is that the problem?

Regards

--
Julian Anastasov <ja@ssi.bg>
ok, i have tried applying the ip rule fwmark in hex but don't see any difference! The routing decision is taken before the packet comes to the OUTPUT table; if that's true then it will not be possible to route by **owner** as per policy routing -- am i right?? If yes, then how can one achieve **owner** based policy routing in a linux box??

Julian Anastasov wrote:
> Hello,
>
> On Fri, 11 Oct 2002, Arindam Haldar wrote:
>
>> 50: from all fwmark 50 lookup ispA
>
> fwmark in ip rule is 0x50 (it is defined and printed in hex)
>
>> iptables -I OUTPUT -t mangle -m owner --uid-owner <squid> -d 202.0.0.0/8
>> -j MARK --set-mark 50
>
> and here 50 is 0x32 (not 0x50). Is that the problem?
>
> Regards
>
> --
> Julian Anastasov <ja@ssi.bg>
Antonio Paulo Salgado Forster
2002-Oct-14 13:58 UTC
Re: [LARTC] owner based policy routing
iproute2 will use hex values. You can use decimal values in iptables rules, but use the corresponding hex when creating iproute2 rules.

Regards,
--
Forster

Julian Anastasov <ja@ssi.bg>@lists.netfilter.org on 10/11/2002 09:59:55 PM
Sent by: netfilter-admin@lists.netfilter.org
To: Arindam Haldar <arindamhaldar@inbox.lv>
cc: LARTC <lartc@mailman.ds9a.nl>, NETFILTER <netfilter@lists.netfilter.org>
Subject: Re: [LARTC] owner based policy routing

Hello,

On Fri, 11 Oct 2002, Arindam Haldar wrote:

> 50: from all fwmark 50 lookup ispA

fwmark in ip rule is 0x50 (it is defined and printed in hex)

> iptables -I OUTPUT -t mangle -m owner --uid-owner <squid> -d 202.0.0.0/8
> -j MARK --set-mark 50

and here 50 is 0x32 (not 0x50). Is that the problem?

Regards
--
Julian Anastasov <ja@ssi.bg>
Hello,

> WHAT WE TRIED:
> we tried using iptables owner based rules & marked packets( as one can
> see in rules above), but it didnt help.
> iptables -I OUTPUT -t mangle -m owner --uid-owner <squid> -d 202.0.0.0/8
> -j MARK --set-mark 50
> iptables -I OUTPUT -t mangle -m owner --uid-owner <squid> -d 204.0.0.0/7
> -j MARK --set-mark 50
> iptables -I OUTPUT -t mangle -m owner --uid-owner <squid> -d 203.0.0.0/8
> -j MARK --set-mark 75
> iptables -I OUTPUT -t mangle -m owner --uid-owner <squid> -d 216.0.0.0/8
> -j MARK --set-mark 75

Yes, I once addressed this list in the past with the very same problem. Owner based policy routing seems not to be possible.

- Thilo Schulz
Hello,

On Mon, 14 Oct 2002, Arindam Haldar wrote:

> ok, i have tried applying the ip rule fwmark in hex but dont see any
> difference !..

It is already in hex, use something like:

ip rule ... fwmark 50
iptables ... --set-mark 0x50

> The routing decission is take be4 the packets comes to OUTPUT table, if

Right

> thats true then it will be not possible to route **owner** as per policy
> routing--am i right ??

The sockets select the route, and when localout selects a different ISP, maybe the source should be changed too.

> if ys then how can one achieve **owner** based policy routing in linux
> box ??

This is something that others should comment on. NF is supposed to do everything :)

Regards

--
Julian Anastasov <ja@ssi.bg>
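The hex/decimal mismatch Julian points out in his two replies is easy to catch mechanically. The check below is an added illustration, not code from this thread: it parses constructed copies of the original poster's "ip rule" listing (where fwmark is printed in hex) and iptables commands (where --set-mark takes a C-style number, decimal unless prefixed with 0x), and reports every mark that no rule's fwmark will ever match. The user name "squid" is a placeholder.

```python
import re

# Constructed sample of "ip rule" output: fwmark values are shown in hex.
IP_RULES = """\
10:     from all lookup main
50:     from all fwmark 50 lookup ispA
75:     from all fwmark 75 lookup GNFC
100:    from all fwmark 100 lookup balance
"""

# Constructed sample of the iptables commands: --set-mark 50 means decimal 50 (0x32).
IPTABLES_CMDS = """\
iptables -I OUTPUT -t mangle -m owner --uid-owner squid -d 202.0.0.0/8 -j MARK --set-mark 50
iptables -I OUTPUT -t mangle -m owner --uid-owner squid -d 203.0.0.0/8 -j MARK --set-mark 75
"""


def parse_ip_rules(text):
    """Return {fwmark_as_int: table} from 'ip rule' output.

    iproute2 prints fwmark in hex, with or without a 0x prefix depending on version,
    so the digits are always interpreted base 16."""
    rules = {}
    for line in text.splitlines():
        m = re.search(r"fwmark (?:0x)?([0-9a-fA-F]+) lookup (\S+)", line)
        if m:
            rules[int(m.group(1), 16)] = m.group(2)
    return rules


def parse_marks(text):
    """Return [(destination, mark_as_int)] from iptables MARK commands.

    --set-mark follows C conventions: '0x50' is hex, a bare '50' is decimal."""
    marks = []
    for line in text.splitlines():
        m = re.search(r"-d (\S+) .*--set-mark (\S+)", line)
        if m:
            marks.append((m.group(1), int(m.group(2), 0)))
    return marks


def check(ip_rule_text, iptables_text):
    """List (destination, mark, hint) for marks that no ip rule matches.

    The hint is the hex literal to use when the same digits exist as a rule's fwmark."""
    rules = parse_ip_rules(ip_rule_text)
    problems = []
    for dest, mark in parse_marks(iptables_text):
        if mark in rules:
            continue
        # If the author typed '50' meaning the rule's 'fwmark 50', the fix is '0x50'.
        hint = "--set-mark 0x%d" % mark if int(str(mark), 16) in rules else None
        problems.append((dest, mark, hint))
    return problems
```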