Hi,

I have some problems with Advanced Routing by FWMARK. Here is my configuration:

static routes ( route -n ):

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
...
192.168.1.0     10.111.111.1    255.255.255.0   UG    0      0        0 eth0
...
192.168.7.0     10.111.111.6    255.255.255.0   UG    0      0        0 eth2
192.168.6.0     10.111.111.6    255.255.255.0   UG    0      0        0 eth2
192.168.5.0     10.111.111.6    255.255.255.0   UG    0      0        0 eth2
192.168.4.0     10.111.111.6    255.255.255.0   UG    0      0        0 eth2
192.168.3.0     10.111.111.6    255.255.255.0   UG    0      0        0 eth2
192.168.2.0     10.111.111.6    255.255.255.0   UG    0      0        0 eth2
192.168.12.0    10.111.111.6    255.255.255.0   UG    0      0        0 eth2
192.168.11.0    10.111.111.6    255.255.255.0   UG    0      0        0 eth2
192.168.9.0     10.111.111.6    255.255.255.0   UG    0      0        0 eth2
192.168.8.0     10.111.111.6    255.255.255.0   UG    0      0        0 eth2
...

Our network 192.168.1.0/24 (reachable by eth0) is addressed with 192.168.10.0/24 for all other networks, which are reachable by eth2. It works fine with some SNAT rules and DNAT rules.

The big problem is a second 192.168.1.0 network, which is reachable by eth2. Our network wants to address this network with 192.168.20.0/24.

netfilterscript:

...
# workaround (http://lists.netfilter.org/pipermail/netfilter/2000-November/006089.html)
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/route/flush
...
# rules to route packets from 192.168.1.0 to virtual 192.168.20.0 ==> to second 192.168.1.0
/usr/sbin/iptables -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 17
for ((i=3; i<255; i++)); do
    /usr/sbin/iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -d 192.168.20.${i} -j DNAT --to-destination 192.168.1.${i}
    /usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.${i} -o eth2 -j SNAT --to-source 192.168.10.${i}
    ...
done
...
# in /etc/iproute2/rt_tables:
...
201 m.table
...
ip rule add fwmark 17 table m.table
/sbin/ip route add 192.168.1.0/24 via 10.111.111.6 dev eth2 table m.table
...
EOnetfilterscript

> ip rule ls
0:      from all lookup local
32765:  from all fwmark 17 lookup m.table
32766:  from all lookup main
32767:  from all lookup default

> ip route list table m.table
192.168.1.0/24 via 10.111.111.6 dev eth2

But!!!! Packets from 192.168.1.0/24 to 192.168.20.0/24 leave the router by eth0 (with IP header: From 192.168.1.0/24 To 192.168.1.0/24) ==> DNAT works. The mangle rule works too, because I log all packets marked with 17.

System: SuSE Linux 8.0 with Kernel SuSE-2.4.18-4GB

Advanced Routing and RouteByFWMARK are configured:

> cd /usr/src/linux
> make cloneconfig
> cat ./.config | grep IP | grep ROUTE
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_LARGE_TABLES=y
CONFIG_IP_MROUTE=y

What's the problem???

Thanks,
Basti

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Great, it works now:

Mar 16 11:59:15 persephone kernel: IN=eth0 OUT=eth2 SRC=192.168.1.146 DST=192.168.1.146 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=51311 SEQ=256

Basti

"Alexander W. Janssen" <yalla@ynfonatic.de> wrote on 15.03.03 14:17:32:
>
> On Sat, Mar 15, 2003 at 01:38:23PM +0100, Sebastian Schneider wrote:
> > /usr/sbin/iptables -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 17
>                                                                       ^^
>                                                                      0x17 !
> > ip rule add fwmark 17 table m.table
>                      ^^
>                     0x17 !
>
> I had the same problem once. I realized that iproute seems to treat your 17
> implicitly as hexadecimal, whereas the iptables command accepts decimal and
> hexadecimal values - depending on the 0x prefix. (Or was it vice versa? Can't
> remember.)
>
> Alex.
>
> --
> "Mr Data, when I said 'Fire at Will', I didn't mean for you to be so literal."
> Instructions for use of this post: Insert tongue in cheek. Read as normal.
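A small consistency check for the mismatch Alex describes, added here as an example and not part of the thread: it normalises a mark token under the two parsing conventions named in his reply (iptables reading decimal unless the token carries a 0x prefix, the iproute2 of that era reading the fwmark token as hexadecimal either way) and reports whether a `--set-mark` value and an `ip rule fwmark` value actually select the same packets. The function names and the sample tokens are mine, and the iproute2 parsing rule is taken as stated in the thread, not checked against current releases.

```shell
#!/bin/sh
# Added example (not from the thread): compare a packet mark as
# iptables parses it with the same token as, according to Alex's
# reply, iproute2 of that era parsed it.
# Assumption: iptables reads decimal unless the token carries a 0x
# prefix; old ip rule reads the fwmark token as hexadecimal either way.

is_dec() { case "$1" in ''|0?*|*[!0-9]*) return 1 ;; esac; }    # decimal, no leading zero
is_hex() { case "$1" in ''|*[!0-9a-fA-F]*) return 1 ;; esac; }  # hex digits only

# iptables convention: "17" -> 17, "0x17" -> 23
iptables_mark() {
    case "$1" in
        0[xX]*) is_hex "${1#0?}" || return 1 ;;
        *)      is_dec "$1"      || return 1 ;;
    esac
    printf '%d\n' "$(( $1 ))"
}

# hex-always convention (old ip rule): "17" -> 23, "0x17" -> 23
iproute2_hex_mark() {
    t=$1
    case "$t" in 0[xX]*) t=${t#0?} ;; esac
    is_hex "$t" || return 1
    printf '%d\n' "$(( 0x$t ))"
}

# Exit 0 when the mangle rule's mark and the ip rule's fwmark select the
# same packets, 1 when they silently differ (the thread's 17 vs 0x17, where
# marked traffic falls through to the main table), 2 when a token is malformed.
marks_match() {
    a=$(iptables_mark "$1")     || { echo "bad --set-mark token: $1" >&2; return 2; }
    b=$(iproute2_hex_mark "$2") || { echo "bad fwmark token: $2" >&2; return 2; }
    if [ "$a" -eq "$b" ]; then
        printf 'match: --set-mark %s (%d) == fwmark %s (%d)\n' "$1" "$a" "$2" "$b"
        return 0
    fi
    printf 'MISMATCH: --set-mark %s is %d but fwmark %s is %d; marked packets never reach the table\n' \
        "$1" "$a" "$2" "$b"
    return 1
}

# Usage: sh check_mark.sh <iptables --set-mark token> <ip rule fwmark token>
[ $# -eq 2 ] && marks_match "$1" "$2"
```

Running it with the thread's original pair (`17 17`) reports the mismatch, while `0x17 0x17` or `23 17` report a match.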