LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices



Reply
 
Search this Thread
Old 05-07-2009, 10:11 AM   #1
oskrchile
LQ Newbie
 
Registered: May 2009
Posts: 3

Rep: Reputation: 0
Question iproute2 + iptables + multiple routes + squid + with kernel 2.6.29


Hello all

I have 3 dsl lines, and use iproute and iptables to manage traffic. Yesterday, i formatted the computer because i had problem with one program: asterisk. Until yesterday, iproute and iptables work wonderfull...


All web traffic on the internal network was redirected to the proxy server with "iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128" and all web traffic from the server to internet was marked with "4" with "iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 4".

With iproute i caught the mark ("4") with "ip rule add prio 4 fwmark 4 table balance" and the table route balance was: "default nexthop dev ppp1 weight 1 nexthop dev ppp2 weight 1".

Everything worked perfect...

Linux reinstalled (ubuntu jaunty 64 bits and debian lenny 64 bits)... kernel recompiled with ALL network stuff and applied Julias patches.

When i use one route as default in each table all traffic work perfectly, but when i put 2 default routes in one table with "ip route add default table ... nexthop dev ppp1 nexthop dev ppp2" it just stop working... ICMP packets incoming and outgoing work well but all other traffic just dont work neither from server neither from nat network.

ex:
ping to 200.72.1.5 works from server and nat
ping to www.google.com doesn't work because DNS packet to resolv google.com don't work.

ex:
table main: default route with 1 dsl only
everything work well (server and nat connections)

table main: default route with 2 dsl lines
dont work nothing except ping to xxx.xxx.xxx.xxx


can someone help me?
 
Old 05-07-2009, 12:29 PM   #2
sparc86
Member
 
Registered: Jul 2006
Location: Joinville, Southern Brazil
Distribution: Debian, CentOS
Posts: 296

Rep: Reputation: 31
Well, do you have a valid DNS address (or your router's IP address) into your /etc/resolv.conf ?

If yes, do you think you could show us your entire firewall rules?
 
Old 05-07-2009, 10:01 PM   #3
oskrchile
LQ Newbie
 
Registered: May 2009
Posts: 3

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by sparc86 View Post
Well, do you have a valid DNS address (or your router's IP address) into your /etc/resolv.conf ?

If yes, do you think you could show us your entire firewall rules?
DNS work fine.
When i use 1 route DNS at 100%.
When i use 2 route (multiples with nexthop) DNS fails as everything else except for ICMP.

My files:
FIREWALL
Quote:
firewall script:
# Permitir el paso de la red interna al exterior
echo 1 > /proc/sys/net/ipv4/ip_forward

# Se enmascara todo lo de la red interna al exterior
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp1 -s 192.168.0.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp2 -s 192.168.0.0/24 -j MASQUERADE

# Firewall stateful (nano howto)
iptables -t filter -N keep_state
iptables -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A keep_state -j RETURN
iptables -t nat -N keep_state
iptables -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A keep_state -j RETURN
iptables -t nat -A PREROUTING -j keep_state
iptables -t nat -A POSTROUTING -j keep_state
iptables -t nat -A OUTPUT -j keep_state
iptables -t filter -A INPUT -j keep_state
iptables -t filter -A FORWARD -j keep_state
iptables -t filter -A OUTPUT -j keep_state

# Arreglo de MTU para que sea compatible con pppoe
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Configuracion de interfaces
ip addr add 192.168.0.1/24 dev eth0
ip addr add 192.168.1.11/24 dev eth1
ip addr add 192.168.1.12/24 dev eth2
ip addr add 192.168.1.13/24 dev eth3
ip link set eth0 up
ip link set eth1 up
ip link set eth2 up
ip link set eth3 up

# Inicio de conexiones a internet
pon 574070
sleep 5
pon 573250
sleep 5
pon 574312
sleep 5

# Conexion ppp0 como defecto
ip route add default dev ppp0

exit 0
ROUTES
Quote:
RoutesCIBERNAUTA:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.52.70.3 * 255.255.255.255 UH 0 0 0 ppp1
10.52.70.3 * 255.255.255.255 UH 0 0 0 ppp2
10.52.70.3 * 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth2
192.168.1.0 * 255.255.255.0 U 0 0 0 eth3
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
default * 0.0.0.0 U 0 0 0 ppp0
IP ROUTE
Quote:
CIBERNAUTA:/usr/src# ip route
10.52.70.3 dev ppp1 proto kernel scope link src 190.82.9.33
10.52.70.3 dev ppp2 proto kernel scope link src 190.82.9.36
10.52.70.3 dev ppp0 proto kernel scope link src 190.82.16.118
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.11
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.12
192.168.1.0/24 dev eth3 proto kernel scope link src 192.168.1.13
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
default dev ppp0 scope link
IPTABLES NAT
Quote:
CIBERNAUTA:/usr/src# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 560K packets, 35M bytes)
pkts bytes target prot opt in out source destination
560K 35M keep_state all -- any any anywhere anywhere

Chain POSTROUTING (policy ACCEPT 43064 packets, 3426K bytes)
pkts bytes target prot opt in out source destination
340K 23M MASQUERADE all -- any ppp0 192.168.0.0/24 anywhere
141K 6917K MASQUERADE all -- any ppp1 192.168.0.0/24 anywhere
0 0 MASQUERADE all -- any ppp2 192.168.0.0/24 anywhere

Chain OUTPUT (policy ACCEPT 42819 packets, 3414K bytes)
pkts bytes target prot opt in out source destination
42819 3414K keep_state all -- any any anywhere anywhere

Chain keep_state (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
606K 39M RETURN all -- any any anywhere anywhere
IPTABLES MANGLE
Quote:
CIBERNAUTA:/usr/src# iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 29M packets, 22G bytes)
pkts bytes target prot opt in out source destination
4895K 644M MARK tcp -- eth0 any anywhere anywhere tcp dpt:www MARK xset 0x4/0xffffffff
0 0 MARK all -- eth0 any 192.168.0.193 anywhere MARK xset 0x5/0xffffffff
9762 1255K MARK all -- eth0 any 192.168.0.197 anywhere MARK xset 0x5/0xffffffff

Chain INPUT (policy ACCEPT 5147K packets, 1999M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 24M packets, 20G bytes)
pkts bytes target prot opt in out source destination
384K 19M TCPMSS tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 6030K packets, 4498M bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 30M packets, 24G bytes)
pkts bytes target prot opt in out source destination
Now, the internal network with web traffic is marked with 4 and routed in table balance with:
Quote:
CIBERNAUTA:/usr/src# ip route show table balance
default dev ppp1 scope link
Work well, but if i use 2 lines with nexthop, nothing works, except, again, ICMP to xxx.xxx.xxx.xx, but not working with name address like www.google.com as example.

I've compiled again the kernel, and removed everything except what i need. I have to wait at 12 am when i close to test it.

Hope that with this info anyone can help me..

Regards
Oscar Andrés Núñez Pinto
Cibernauta
Chile

Last edited by oskrchile; 05-07-2009 at 10:04 PM.
 
Old 05-08-2009, 05:39 AM   #4
oskrchile
LQ Newbie
 
Registered: May 2009
Posts: 3

Original Poster
Rep: Reputation: 0
XD

Finally, i installed Debian 32 bits.. problem solved in 15 minutes.
---
 
  


Reply

Tags
connection, internet, iproute2, iptables, multiple


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
multiple internet connections iproute2 UDP problems razza Linux - Networking 1 04-27-2008 08:29 AM
Some help with iptables and iproute2 or route Histamine Linux - Networking 1 11-28-2007 03:53 PM
multiple routes Ammad Linux - Networking 3 08-03-2007 08:52 PM
iproute2 + squid = no balance sergiodemoura Linux - Networking 0 09-24-2004 12:42 PM
iptables and iproute2+tc source code thanhnx Linux - Networking 1 02-19-2003 08:39 AM


All times are GMT -5. The time now is 12:58 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration