Hi,
I read your "Linux 2.4 Advanced Routing" HOWTO, and particularly the
chapter 11 "Netfilter & iproute - marking packets".
I have two connections adsl in a server web
adsl1
      |
      |
      |
|194.243.12.15 (eth0)   SERVER WEB (eth1) 194.184.12.85 |
                                            |
                                            |
                                            |
                                           adsl2
                                           194.184.12.81
my default gateway is 194.243.12.1 and this is the reason why I can't
ping the address 194.184.12.85 from another PC outside the LAN.
I configured iproute and iptables in the following way:
iptables:
#for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f; done
#echo 1 > /proc/sys/net/ipv4/route/flush
#iptables -A PREROUTING -i eth1 -t mangle -j MARK --set-mark 1
and iproute:
#echo 201 routeradsl2 >>/etc/iproute2/rt_tables
#ip rule add fwmark 1 table  routeradsl2
# ip rule ls
0:      from all lookup local
32765:  from all fwmark        1 lookup routeradsl2
32766:  from all lookup main
32767:  from all lookup default
# /sbin/ip route add default via 194.184.12.81 dev eth1 table routeradsl2
Unfortunately it doesn't work.
I made this test:
I put after the line "iptables -A PREROUTING -i eth1  -t mangle -j
MARK --set-mark 1" the line
iptables -t nat -A PREROUTING -j LOG \
        --log-level NOTICE --log-prefix "PRE DEBUG after MARK: "
then from an outside pc, I ping the address 194.184.12.81 (adsl2) with
success, then I ping the address 194.184.12.85 without success.
In the log of iptables there are many line like these:
May 21 15:09:22 ottavio kernel: PRE DEBUG after MARK: IN=eth1
OUTMAC=00:c0:49:b4:7f:c3:00:08:27:10:a9:a9:08:00 SRC=80.207.4.98
DST=194.184.12.85 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=17453 SEQ=1280
Where am I going wrong?
thanks
Michele Cerioni
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Hello Michele,
 : |194.243.12.15 (eth0)   SERVER WEB (eth1) 194.184.12.85 |
 :                                            adsl2
 :                                            194.184.12.81
So, you have a server with two ADSL connections.
                  +-----------------------------------+
194.243.12.1 -----| 194.243.12.15  SRV  194.184.12.85 |----- 194.184.12.81
             eth0 +-----------------------------------+ eth1
You are handling the inbound packets properly, but if you were to use
tcpdump on eth0, you'd see reply packets (to your ping) leaving on eth0
with a source address of 194.184.12.85.
This is not an uncommon thing to overlook when dealing with routing
systems--there is a path in to the box, and you have correctly identified
how to handle that, but you need to tell the box how to send the outbound
packet.
 : #for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f; done
Yes, you need to do this!
 : #echo 1 > /proc/sys/net/ipv4/route/flush
This is equivalent to "ip route flush cache", and should be performed
after altering the routing tables or the RPDB.
 : #iptables -A PREROUTING -i eth1 -t mangle -j MARK --set-mark 1
 : and iproute:
 : #echo 201 routeradsl2 >>/etc/iproute2/rt_tables
 : #ip rule add fwmark 1 table  routeradsl2
 : # ip rule ls
 : 0:      from all lookup local
 : 32765:  from all fwmark        1 lookup routeradsl2
 : 32766:  from all lookup main
 : 32767:  from all lookup default
 : # /sbin/ip route add default via 194.184.12.81 dev eth1 table routeradsl2
Try adding the following:
# ip rule add from 194.184.12.85 lookup routeradsl2
If you want to see another full example, please consult the section on
multiple Internet connections in the linux-ip.net documentation.
  http://linux-ip.net/html/adv-multi-internet.html
Good luck,
-Martin
-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
Hi,
I have to use kernel 2.2.25, with ipchains, but need the --set-mark facility of iptables. Is there a way to mark incoming packets?
Michele
Michele,
 : I have to use kernel 2.2.25, with ipchains but need the --set-mark
 : facility of iptables.
ipchains has a similar feature. It's not a target as in iptables.
 : Is there a way to mark incoming packet ?
ipchains -I input -s $SOURCE -d $DEST --mark $MARK -j ACCEPT
-Martin
-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com