LARTC - Jan 2007 - dev IFB, few questions

I''ve made some tests...

eth2 is my internal interface, LAN is connected here.

Before I had IMQ device in AB mode...
PREROUTING [A]fter NAT, POSTROUTING [B]efore NAT.
I want the same situation on ifb.

I do this in this way:
---
# incoming traffic here from LAN is before NAT
tc qdisc add dev eth2 handle ffff: ingress

# outcoming traffic here from WAN is after NAT
tc qdisc add dev eth2 root handle 1:0 htb

tc filter add dev eth2 parent ffff: protocol ip prio 1 u32 match ip src
192.168.0.0/24 flowid 1:1 action mirred egress mirror dev ifb0

tc filter add dev eth2 parent 1:0 protocol ip prio 1 u32 match ip dst
192.168.0.0/24 flowid 1:2 action mirred egress mirror dev ifb0
---

Everything is working fine. I can catch packets from and to users by
they ip address. Of course in my script I''ll use act_mirred redirect,
but now I''m testing on mirror.

But my question is... Am I doing this in right way?
Anybody knows better rules?

And another question, Is any possible to recognize if traffic is
incoming or outcoming from device using u32?
I''m doing this - ip src 192.168.0.0/24 or ip dst - but to do this I
need
to know IP addresses of my LAN. Is it possible to do this without this
knowledge? Recognize incoming and outcoming traffic on device by filters
(u32)...

Thanks in advance :)
Konrad Cempura
(a.k.a. Lenthir)

Hello, 

I came across a problem today, which after trying a number of approaches I 
could not solve, and I am hoping someone out there knows how to deal with 
this.

Situation: 

2 different internet connections on eth2 and eth3 

Traffic coming in on eth2 goes out on eth2 and traffic coming in on eth3 
goes out on eth3 (because of rt_tables, and routes, which works fine) 
unless I do a DNAT to a different machine. 

i.e. 

default route is eth3 

traffic comes in eth2 --> DNAT --> eth1 
machine behind eth1 answers correctly, but the resulting packets choose 
the default route (eth3) to go out and not the way they came in. 

or in ipaddress description: 

default route is 81.223.13.xx1

eth3 = 81.223.13.xx2
eth2 = 91.112.38.xx8

Packets coming in via 91.112.38.xx8 for port 80 get DNATed to 
192.168.10.199:80 
on returining from 192.168.10.199 they choose the default route 
81.223.13.xx2 on their way out. 

Without the DNAT the setup works fine, with the DNAT they don''t. 

I am grateful for any suggestions.

Thanks 

.peter

On 1/30/07, Peter Huetmannsberger <huetmann@site38.ping.at>
wrote:
>
> Hello,
>
> I came across a problem today, which after trying a number of approaches I
> could not solve, and I am hoping someone out there knows how to deal with
> this.
>
> Situation:
>
> 2 different internet connections on eth2 and eth3
>
> Traffic coming in on eth2 goes out on eth2 and traffic coming in on eth3
> goes out on eth3 (because of rt_tables, and routes, which works fine)
> unless I do a DNAT to a different machine.
>
> i.e.
>
> default route is eth3
>
> traffic comes in eth2 --> DNAT --> eth1
> machine behind eth1 answers correctly, but the resulting packets choose
> the default route (eth3) to go out and not the way they came in.
>
> or in ipaddress description:
>
> default route is 81.223.13.xx1
>
> eth3 = 81.223.13.xx2
> eth2 = 91.112.38.xx8
>
> Packets coming in via 91.112.38.xx8 for port 80 get DNATed to
> 192.168.10.199:80
> on returining from 192.168.10.199 they choose the default route
> 81.223.13.xx2 on their way out.
>
> Without the DNAT the setup works fine, with the DNAT they don''t.
>
> I am grateful for any suggestions.
I am very new to this, but last week i have to deal with the same and
i came to a "solution" (but i don''t know if there are better
ways to
do this)
Bah, actually two solutions: one is
http://linux-ip.net/html/linux-ip.html#adv-multi-internet, which
basically proposes adding an other address to the server you want to
dnat to,  so for one public ip dnat to one internal ip of the server,
and for the other public ip dnat to the other internal ip of the
server. So, using ip rule (and using "from")you can route answers to
the correct route

The other (i found) is using conntrack, the rule which makes the trick is:

iptables -t mangle -A PREROUTING -m conntrack --ctstate DNAT
--ctorigdst $ISP2_NET  -j MARK --set-mark 10

and then: ip rule add prio <prio> fwmark 10 table isp2.table (put it
with lower prio than the main table, or less prio than the table where
packets are routed by default)
So, adding this for the isp that DNAT is not working should be enough
(where $ISP_NET is the public ip you are dnatting or the net you are
doing DNAT (both are ok) ), but adding this to both ISPs should work
too

And almos for "free" with this cames: iptables -t mangle -A PREROUTING
-m conntrack --ctstate SNAT --ctrepldst $ISP2_NET -j MARK --set-mark
10 which makes SNAT to behave as expected with 2 (or more) ISPs
>
> Thanks
You are welcome, i hope it helps :-). And please tell me if you do
this different
>
> .peter
Rodrigo