Hello,
I have a LINUX server with two internet connections available.
I want all the traffic to go over the default route, but HTTP traffic
to go over ISP2 line.
Interfaces:
eth1 192.168.2.254 - LAN 192.168.2.x
ppp0 x.x.x.106 - remote gateway x.x.x.6 - ISP1 (default route)
eth0 192.168.164.254 - remote gateway 192.168.164.113 - ISP2 (a
hardware router)
I have the following configuration:
echo 200 gate2 >> /etc/iproute2/rt_tables
server:/etc/network# ip route
x.x.x.6 dev ppp0 proto kernel scope link src x.x.x.106
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.254
192.168.164.0/24 dev eth0 proto kernel scope link src 192.168.164.254
default via x.x.x.6 dev ppp0
server:/etc/network# ip route list table gate2
default via 192.168.164.113 dev eth0
server:/etc/network# ip rule
0: from all lookup local
32765: from all fwmark 1 lookup gate2
32766: from all lookup main
32767: from all lookup default
The script:
-----------------------------------------------------
#!/bin/bash
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -P FORWARD ACCEPT
ip route flush table gate2
ip route add default via 192.168.164.113 dev eth0 table gate2
ip rule add fwmark 0x01 table gate2
ip route flush cache
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE
# Mark ICMP (for traceroute tests) and HTTP/HTTPS from the LAN for table gate2
iptables -t mangle -A PREROUTING -i eth1 -s 192.168.2.0/24 -p icmp -j MARK --set-mark 0x01
iptables -t mangle -A PREROUTING -i eth1 -s 192.168.2.0/24 -p tcp -m tcp --dport 80 -j MARK --set-mark 0x01
iptables -t mangle -A PREROUTING -i eth1 -s 192.168.2.0/24 -p tcp -m tcp --dport 443 -j MARK --set-mark 0x01
# Turn off reverse-path filtering on every interface
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 0 > "$f"
done
-------------------------------------------------------
I also mark ICMP packets, so that I can test my configuration using
traceroute.
It seems that my rules are working OK; with tcpdump and traceroute I
see that the HTTP traffic of LAN computers goes over the ISP2 line. When I
connect to a WWW page that shows my public IP address, I see the
ISP2 line address. But after some time, part of the HTTP traffic
begins going over the default ISP1 line. I see that some HTTP traffic
goes over the ISP2 line (that's good), but it also goes over the default route.
And after some time, if I connect to the WWW page that shows my
public IP address, I see the default ISP1 IP address (that's bad). I
do my test browsing from one of my LAN computers; there are other
computers working in the LAN, and perhaps their HTTP traffic goes OK
(over the ISP2 line), because with
tcpdump -i eth0 net 192.168.164 and port 80
I see that there is much HTTP traffic on the ISP2 line. Then I reboot
my server, for some time (about 10 minutes) everything works OK, but
then there comes my problem... :(
I am totally lost, I don't know how to solve this problem.... :(
I would be very grateful if you helped me with this issue.
Rokas Zakarevicius
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
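
An added example, not part of the original post: a small model of the policy-routing lookup that shows which default route the "ip rule" list and tables quoted above select for a marked and an unmarked packet, and that the lookup falls through to main when table gate2 holds no route. The function names and the RULES/GATE2/MAIN variables are assumptions made for this sketch, and only default routes and plain fwmark values (no masks) are modelled.

```sh
#!/bin/sh
# Constructed sample input: the "ip rule" list and default routes quoted in the post.
RULES='0: from all lookup local
32765: from all fwmark 1 lookup gate2
32766: from all lookup main
32767: from all lookup default'
GATE2='default via 192.168.164.113 dev eth0'   # ip route list table gate2
MAIN='default via x.x.x.6 dev ppp0'            # default line of table main

# table_routes NAME (hypothetical helper): print the modelled routes of a
# table; tables that are not modelled print nothing.
table_routes() {
    case "$1" in
        gate2) printf '%s\n' "$GATE2" ;;
        main)  printf '%s\n' "$MAIN" ;;
    esac
}

# default_route_for MARK (hypothetical helper): walk the rules in priority
# order. A rule with an fwmark selector applies only to packets carrying that
# mark. The first applicable rule whose table holds a default route decides;
# a table without a matching route lets the lookup continue with the next rule.
default_route_for() {
    mark=$1
    while read -r prio rest; do
        table=${rest##*lookup }
        case "$rest" in
            *"fwmark "*)
                want=${rest#*fwmark }
                want=${want%% *}
                [ "$(($want))" -eq "$(($mark))" ] || continue
                ;;
        esac
        route=$(table_routes "$table" | sed -n '/^default /{p;q;}')
        if [ -n "$route" ]; then
            echo "$table: $route"
            return 0
        fi
    done <<EOF
$RULES
EOF
    return 1
}

default_route_for 1   # marked packet (ICMP, port 80/443 from the LAN)
default_route_for 0   # unmarked packet
```

On the live server the same question can be put to the kernel with "ip route get <address> mark 1" and compared with the result without the mark.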