<mjoachimiak@poczta.onet.pl>
2003-Jan-23 00:50 UTC
Re: Problems routing mail to particular interface
POM is patch-o-matic. There are useful kernel patches for routing etc. Most of them work but some are very unstable. Google for it.

----- Original Message -----
From: "Jens" <jens@pacificsun.ca>
To: <lartc@mailman.ds9a.nl>
Sent: Friday, July 23, 2004 5:05 AM
Subject: Re: [LARTC] Problems routing mail to particular interface

> On Thursday 22 July 2004 17:33, George Alexandru Dragoi wrote:
> > Try also following things:
> > install ROUTE extension from POM
>
> Could you explain this one please ? I don't know what you are talking about.
>
> Thanks
>
> Jens

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
George Alexandru Dragoi
2004-Jul-22 09:59 UTC
Re: Problems routing mail to particular interface
Is 192.168.1.2 an IP on the router? If yes, you'll have to mark in OUTPUT, not PREROUTING. Also, after you set up the rules and routes, did you do an

ip route flush cache

?

I hope this works.

On Wed, 21 Jul 2004 20:02:32 -0700, Jens <jens@pacificsun.ca> wrote:
> I have a particular problem that has caused me grief for some time now and
> even though the answer is probably very basic, it has eluded me. I would
> appreciate any help or pointers in the right direction.
>
> I have two links to the internet, one via cable and one via adsl. Although I
> would want to add redundancy at a later time, all I want to get working now
> is that mail from my server goes out via the adsl link (it's a fixed IP and I
> am running into too many cases where my cable account with its dynamic IP is
> blocked by other mail servers).
> I have spent considerable time trying to wrap my brain around iptables,
> routing and the such. Although I only see a slight ray of hope in ever
> understanding the subject completely, my current problem doesn't (at first
> glance) seem to require a degree in rocket science. I have set up two routing
> tables (adsl and shaw). I mark packets with "iptables -t mangle -A PREROUTING
> -p tcp --dport 25 -s 192.168.1.2 -j MARK --set-mark 1" and use "ip rule add
> fwmark 1 table adsl". To my understanding, the result of this is that every
> packet from 192.168.1.2 that comes out of my mail server via port 25 will get
> marked with '1' and that routing is decided via table adsl. The adsl table
> has a default route via the adsl line. There is also a separate default
> gateway set up in the regular routing table to go via the cable connection.
> I seem to be missing something because I get the following result .... if I
> telnet from my mail server (192.168.1.2) to another mail server via port 25,
> I get a timeout. If I telnet to the same server via port 80 I get the connect
> message from the other end. To me, this seems to indicate that port 25
> messages are marked and are routed differently from the port 80 messages -
> just like I would expect. The question is, why the heck am I not getting
> anywhere on port 25. The same setup going to the default cable provider works
> just fine - this leads me to believe that I don't have anything in the
> router/firewall impeding the traffic.
> What am I missing ????
> Is there any way to trace how my attempts at telnetting thru port 25 are
> handled by the router ?
> I would be happy to post any further information needed to sort this out.
>
> Jens
George Alexandru Dragoi
2004-Jul-22 21:17 UTC
Re: Problems routing mail to particular interface
A good thing would be to give a full description of your network setup, interfaces and so on. Maybe there should be stuff like -s 192... -d ! 192../24

On Thu, 22 Jul 2004 12:17:27 -0700, Jens <jens@pacificsun.ca> wrote:
> 192.168.1.2 is the mail server which goes to 192.168.1.1 which is the firewall
> that has the routing script and routes to one of two external interfaces. I
> used PREROUTING based on some how-to's but have never really thought about
> exactly where the marking should take place. It seemed to me that PREROUTING
> was a good choice for marking since the routing rules which depend on the
> marking follow that.
>
> The flushing is something that got me before but which I am watching like a
> hawk now :)
>
> Jens
>
> On Thursday 22 July 2004 02:59, George Alexandru Dragoi wrote:
> > Is 192.168.1.2 an IP on the router? If yes, you'll have to mark in
> > OUTPUT, not PREROUTING. Also, after you set up the rules and routes,
> > did you do an
> > ip route flush cache
> > ?
> >
> > I hope this works
> >
> > On Wed, 21 Jul 2004 20:02:32 -0700, Jens <jens@pacificsun.ca> wrote:
> > > I have a particular problem that has caused me grief for some time now
> > > and even though the answer is probably very basic, it has eluded me. I
> > > would appreciate any help or pointers in the right direction.
> > >
> > > I have two links to the internet, one via cable and one via adsl.
> > > Although I would want to add redundancy at a later time, all I want to
> > > get working now is that mail from my server goes out via the adsl link
> > > (it's a fixed IP and I am running into too many cases where my cable
> > > account with its dynamic IP is blocked by other mail servers).
> > > I have spent considerable time trying to wrap my brain around iptables,
> > > routing and the such. Although I only see a slight ray of hope in ever
> > > understanding the subject completely, my current problem doesn't (at
> > > first glance) seem to require a degree in rocket science. I have set up
> > > two routing tables (adsl and shaw). I mark packets with "iptables -t
> > > mangle -A PREROUTING -p tcp --dport 25 -s 192.168.1.2 -j MARK --set-mark
> > > 1" and use "ip rule add fwmark 1 table adsl". To my understanding, the
> > > result of this is that every packet from 192.168.1.2 that comes out of my
> > > mail server via port 25 will get marked with '1' and that routing is
> > > decided via table adsl. The adsl table has a default route via the adsl
> > > line. There is also a separate default gateway set up in the regular
> > > routing table to go via the cable connection. I seem to be missing
> > > something because I get the following result .... if I telnet from my
> > > mail server (192.168.1.2) to another mail server via port 25, I get a
> > > timeout. If I telnet to the same server via port 80 I get the connect
> > > message from the other end. To me, this seems to indicate that port 25
> > > messages are marked and are routed differently from the port 80 messages
> > > - just like I would expect. The question is, why the heck am I not
> > > getting anywhere on port 25. The same setup going to the default cable
> > > provider works just fine - this leads me to believe that I don't have
> > > anything in the router/firewall impeding the traffic.
> > > What am I missing ????
> > > Is there any way to trace how my attempts at telnetting thru port 25 are
> > > handled by the router ?
> > > I would be happy to post any further information needed to sort this out.
> > >
> > > Jens
George Alexandru Dragoi
2004-Jul-22 23:50 UTC
Re: Problems routing mail to particular interface
Hehe, maybe it is this:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

On Thu, 22 Jul 2004 16:16:21 -0700, Jens <jens@pacificsun.ca> wrote:
> On Thursday 22 July 2004 14:17, George Alexandru Dragoi wrote:
> > A good thing would be to give a full description of your network
> > setup, interfaces and so on, maybe there should be stuff like -s
> > 192... -d ! 192../24
>
> Ok ....
> I have two lines to the internet, each on their own interface on a debian
> based firewall box. Eth0 goes to my cable provider and is set up dynamically,
> eth1 goes to my adsl provider on a static ip 64.114.148.101.
> Also in the firewall box are two additional interface cards - one for a DMZ
> (eth3, 192.168.1.1) and one for all the regular users (eth2, 192.168.0.1).
> The DMZ loop only has a single machine on it with ip 192.168.1.2.
> The firewall is implemented via shorewall which sets up the various rules for
> ipchains.
> The DMZ box has a postfix mail server on it. All local users send to the
> server and it then relays out the mail via the firewall box to the outside
> world.
> Is this sufficient information or do you require additional info ?
>
> I've been messing around doing some more tests which have me more confused. As
> mentioned earlier, I mark all packets going to port 25 from the server box
> with a '1'. I then set up a rule that is inserted right before the 'main'
> rule to use table adsl whenever a fwmark of '1' is found. Table adsl just has
> a default gateway via eth1 in it. The 'main' table has a default gw via eth0.
> Leaving everything the same and just playing with the test for fwmark '1', if
> I telnet from the server box to a local ISP port 25 I get either a connection
> (no fwmark branch) or nothing (fwmark branch). If I switch the default gw in
> the 'main' table to point to my adsl provider and telnet from the server box
> to the ISP I can connect fine. This seems to indicate that the potential link
> generated with the adsl table 'should' work fine but of course it doesn't.
> Further, playing with the routing cache, it would appear that the fwmark test
> is actually performing as it should and the port 25 connection is in fact
> routed via the adsl line (while having the cable line as default in the
> 'main' table). I am now wondering if there is some protocol happening that
> isn't allowed to proceed correctly ..... when I try to establish a telnet
> connection on port 25 to the local ISP from the server box, is there anything
> happening on any other port that has to be re-routed ? Could it be that some
> other part of the protocol goes thru a different port, doesn't get the fwmark
> and actually decides to go out the main default gateway (the cable
> connection) ? My mail DNS entry points to the cable connection BTW ....
>
> .... my brain hurts ....
>
> Jens
George Alexandru Dragoi
2004-Jul-23 00:33 UTC
Re: Problems routing mail to particular interface
I think there must be an SNAT/MASQUERADE for packets going out your router from the DMZ. Try also the following things: install the ROUTE extension from POM

iptables -t mangle -A POSTROUTING -s 192.168.1.2 -p tcp --dport 25 -d ! 192.168.0.0/16 -j ROUTE --oif eth1
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Anyway, somehow it should work when the routes were made by iproute2.

On Thu, 22 Jul 2004 17:08:14 -0700, Jens <jens@pacificsun.ca> wrote:
> On Thursday 22 July 2004 16:50, George Alexandru Dragoi wrote:
> > Hehe, maybe it is this:
> > iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> Well I wouldn't be surprised if it was something as stupid as that. I tried
> your suggestion but no luck :( ..... but it could easily be something along
> similar lines. I will have to think thru this a bit more.
>
> I will try and see if tcpdump can tell me what is happening but I sure wish
> there was something easier available where you can follow the packet and see
> exactly what is happening and where .....
>
> Jens
George Alexandru Dragoi
2004-Jul-23 05:40 UTC
Re: Problems routing mail to particular interface
http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-ROUTE

It is an iptables extension to force some packets to be routed differently from what the routing table says. On www.netfilter.org you'll see more about what patch-o-matic is. I think this extension is for pom-ng, patch-o-matic-ng for 2.6 kernels.

On Thu, 22 Jul 2004 21:05:43 -0700, Jens <jens@pacificsun.ca> wrote:
> On Thursday 22 July 2004 17:33, George Alexandru Dragoi wrote:
> > Try also following things:
> > install ROUTE extension from POM
>
> Could you explain this one please ? I don't know what you are talking about.
>
> Thanks
>
> Jens
You could try adding a rule to each table with a "-j LOG" target (logging to standard out). This would allow you to see how the packet is mangled/handled at each step and what tables it traverses ... That's what I usually do when I'm stuck.

Regards
Brian

On 22 Jul 2004 at 17:08, Jens wrote:
> On Thursday 22 July 2004 16:50, George Alexandru Dragoi wrote:
> > Hehe, maybe it is this:
> > iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> Well I wouldn't be surprised if it was something as stupid as that. I tried
> your suggestion but no luck :( ..... but it could easily be something along
> similar lines. I will have to think thru this a bit more.
>
> I will try and see if tcpdump can tell me what is happening but I sure wish
> there was something easier available where you can follow the packet and see
> exactly what is happening and where .....
>
> Jens

--
Brian Carrig
Department of Computing & Networking
Institute of Technology, Carlow
Tel. No.: +353 59 9176209
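The pieces the thread arrives at, put together in one script as an added example (this is not code posted by anyone in the thread): the PREROUTING mark for forwarded DMZ traffic, an OUTPUT mark for mail the router itself sends, the fwmark rule ahead of main, SNAT to the ADSL address on eth1, a cache flush, Brian's LOG tracing, and an ip route get check. Interface names, addresses, mark and table name are taken from the thread; it assumes table adsl is defined in /etc/iproute2/rt_tables, uses a placeholder ADSL gateway, and only prints the commands unless run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread. From the thread: eth1 = ADSL with
# 64.114.148.101, eth3 = DMZ, mail host 192.168.1.2, mark 1, table "adsl".
# Assumed: "adsl" is in /etc/iproute2/rt_tables; ADSL_GW is a placeholder.
set -eu

MAIL_HOST=192.168.1.2
DMZ_IF=eth3
ADSL_IF=eth1
ADSL_IP=64.114.148.101
ADSL_GW=${ADSL_GW:-203.0.113.1}     # placeholder: the real ADSL next hop
LOCAL_NETS=192.168.0.0/16
MARK=1
DRY_RUN=${DRY_RUN:-1}               # default is to print, not apply

# Every command goes through run(): printed when DRY_RUN=1, executed when 0,
# so the rule set can be reviewed anywhere and applied as root with DRY_RUN=0.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

policy_routing_rules() {
    # Forwarded SMTP from the DMZ host is only seen by PREROUTING (it is not
    # a local process); the OUTPUT rule covers mail the router itself sends.
    # Private destinations stay unmarked so LAN-to-DMZ mail never leaves eth1.
    run iptables -t mangle -A PREROUTING -s "$MAIL_HOST" ! -d "$LOCAL_NETS" \
        -p tcp --dport 25 -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT ! -d "$LOCAL_NETS" \
        -p tcp --dport 25 -j MARK --set-mark "$MARK"
    # Marked packets consult table adsl before main (lower priority wins);
    # that table's only route is the default via the ADSL next hop.
    run ip rule add fwmark "$MARK" table adsl priority 1000
    run ip route replace default via "$ADSL_GW" dev "$ADSL_IF" table adsl
    # The private source must be rewritten to the ADSL address after routing,
    # or the remote MX answers to an unroutable 192.168.x.x and the SYN times out.
    run iptables -t nat -A POSTROUTING -o "$ADSL_IF" -j SNAT --to-source "$ADSL_IP"
    # Drop routing decisions cached before the rule existed.
    run ip route flush cache
}

# Tracing (the LOG idea from the thread): the PREROUTING line shows IN=eth3
# plus the mark, the POSTROUTING line OUT=eth1, so both steps become visible.
trace_rules() {
    run iptables -t mangle -A PREROUTING -s "$MAIL_HOST" -p tcp --dport 25 \
        -j LOG --log-prefix "smtp-mark: "
    run iptables -t mangle -A POSTROUTING -o "$ADSL_IF" -p tcp --dport 25 \
        -j LOG --log-prefix "smtp-out: "
}

# Ask the kernel which route a marked SMTP packet from the DMZ host takes
# (needs an iproute2 whose "ip route get" accepts "mark"; TEST-NET address).
check_route() {
    run ip route get 198.51.100.25 from "$MAIL_HOST" iif "$DMZ_IF" mark "$MARK"
}

policy_routing_rules
trace_rules
check_route
```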