LinuxQuestions.org
Old 11-10-2006, 11:53 AM   #1
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Rep: Reputation: 31
iptables(marking) + ip rule add fwmark 1 table 200 + ip route add via GW table 200 ??


Hi guys;
Actually I am stuck at a very basic implementation of this;

The query (for testing purposes only):

I have a laptop: 172.16.16.250
with no default gateway (deleted the default gw).
Code:
Network topology;
172.16.16.250 (laptop) --> *172.16.16.1 --> --> *172.16.128.1
*Gateway (cisco routers)

& then ran the 3 commands mentioned below (Actually, with this procedure I am basically asking the kernel to route the marked packets with the route mentioned in table #200, & it's not happening & that's my concern.)
Code:
iptables -t mangle -A OUTPUT -p icmp -d 172.16.128.1 -j MARK --set-mark 1
ip rule add fwmark 1 table 200
ip route add table 200 via 172.16.16.1
Code:
#ip rou ls
172.16.16.0/22 dev eth0  proto kernel  scope link  src 172.16.16.250
Code:
#ip rou ls table 200
default via 172.16.16.1 dev eth0
Now whenever I ping 172.16.128.1 it gives me
connect : Network is unreachable.


*I did flush all of the cached routes.
---
Stupid solution: (I do not buy this)
Though whenever I set any IP (from my LAN range - 172.16.16.0/255.255.255.252; even any dead machine) as a gateway... I can ping that 172.16.128.1.

I know again that this has to do something with networking basics; why is it so that it's not looking for the route mentioned in that table, i.e. #200????

regards,
Amit..

Last edited by amitsharma_26; 11-10-2006 at 03:03 PM.
 
Old 11-12-2006, 06:57 AM   #2
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Original Poster
Rep: Reputation: 31
Here is the simplified version of the above problem;
(basically the above one is the network topology)

With iproute2 (under *nix) we can create rules pointing to explicit routes which will be looked up prior to the static kernel routing table; so the issue of having a default gateway doesn't come into the picture here.

Look,
even in the same scenario (the above one),
with (without the use of iptables marking)
Code:
ip rule add to 172.16.128.1 table xyz
& ip route add via 172.16.16.1 table xyz
it will route my ping packets to reach the destination even when I am not having a default gateway; and as I already insisted, these packets get traversed out even before reaching the kernel routing tables.

The problem I am having in my setup is that the iptables-marked packets are not being entertained by the ip rule command. This is actually my problem.

Can any one of you guys help me or assist me in understanding why is it so that the packets which are being marked in "-t mangle -A OUTPUT" are not being entertained by the ip rule add fwmark command???

Thanks & regards..
Amit..
www.amitsharma.linuxbloggers.com
 
Old 11-12-2006, 11:16 AM   #3
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Original Poster
Rep: Reputation: 31
..bump.. .
 
Old 11-14-2006, 08:05 AM   #4
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Original Poster
Rep: Reputation: 31
...bump...
 
Old 11-15-2006, 03:35 AM   #5
~=gr3p=~
Member
 
Registered: Feb 2005
Location: ~h3av3n~
Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04
Posts: 227

Rep: Reputation: 30
my experience on forums says that if u keep bumping ur thread it will just be ignored and attract moderators wrath
 
Old 11-20-2006, 09:29 AM   #6
MaxMaverick
LQ Newbie
 
Registered: Jan 2004
Posts: 3

Rep: Reputation: 0
bug/feature of Linux

I am suffering from exactly the same problem; it is limited to the routing of a locally generated packet.

If you use your machine as a gateway, MARKing the packet in PREROUTING, this problem does not appear.
It seems to me that Linux decides on the reachability of the destination network *before* the
packet is built and can be MARKed and routed accordingly.
However, if you specify a route (whatever it is) for your destination in the main table,
then the packet would be sent according to the rule for table 200
 
Old 11-20-2006, 12:44 PM   #7
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by MaxMaverick
I am suffering from exactly the same problem; it is limited to the routing of a locally generated packet.

If you use your machine as a gateway, MARKing the packet in PREROUTING, this problem does not appear.
It seems to me that Linux decides on the reachability of the destination network *before* the
packet is built and can be MARKed and routed accordingly.
However, if you specify a route (whatever it is) for your destination in the main table,
then the packet would be sent according to the rule for table 200
Can anyone do the conversion of the above text into English?
Or can anyone provide some input about the language used.

I would be really grateful.
 
Old 11-21-2006, 02:38 AM   #8
MaxMaverick
LQ Newbie
 
Registered: Jan 2004
Posts: 3

Rep: Reputation: 0
Quote:
Originally Posted by amitsharma_26
Can anyone do the conversion of the above text into English?
Or can anyone provide some input about the language used.

I would be really grateful.
I'm terribly sorry, I did some mix-up with a French forum.
Anyway, I was saying that I did encounter the same problem and, doing some investigation,
I found that it's limited to the routing of locally generated packets.

If you set up a router with quite the same routing process (except you'll have to use
the PREROUTING chain instead of OUTPUT) everything goes fine.
The problem appears because when locally sending a packet Linux decides on the reachability of the
remote host before the data packet is even created (i.e. in the 'connect' function, before any 'send'),
so there is no way that iptables will be able to mark the packet.

Anyway (I think you have already seen that) if you create a route in main (or in another route table not using fwmark)
for your destination, even with a wrong gateway connect will succeed, and then iptables will mark the packet and
it'll use your fwmark'ed table for the routing decision.

Be careful though: if the initial route destination uses another source IP address than the fwmark'ed table, then the
packet will be sent using the original source IP address and not the one in the fwmark'ed table.
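As an added illustration (not code from the thread, and not the kernel's own logic), here is a small Python model of the decision order MaxMaverick describes: the connect()-time lookup runs with mark 0 before any packet exists, so with no matching route in main the result is "Network is unreachable"; with any main-table route for the destination, the packet gets built, marked in mangle OUTPUT, and re-routed through table 200, while the source address stays the one chosen at connect(). The rule/table representation is a simplified assumption (no route cache, no rule actions other than table lookup).

```python
import ipaddress

ENETUNREACH = "connect: Network is unreachable"

def lookup(rules, tables, dst, fwmark=0):
    """RPDB: walk rules by priority; the first table holding a route that
    covers dst wins (longest prefix inside that table)."""
    dst = ipaddress.ip_address(dst)
    for _prio, sel, table in sorted(rules, key=lambda r: r[0]):
        if "fwmark" in sel and sel["fwmark"] != fwmark:
            continue
        if "to" in sel and dst not in ipaddress.ip_network(sel["to"]):
            continue
        hits = [r for r in tables.get(table, ())
                if dst in ipaddress.ip_network(r["prefix"])]
        if hits:
            return max(hits, key=lambda r: ipaddress.ip_network(r["prefix"]).prefixlen)
    return None

def send_local(rules, tables, mangle_output, dst):
    """Model ping/connect() from this host: step 1 runs before any packet
    exists, so the rules see fwmark 0; only after the packet is built does
    mangle OUTPUT mark it and the kernel re-route it."""
    first = lookup(rules, tables, dst, fwmark=0)
    if first is None:
        return {"error": ENETUNREACH}                  # what the OP sees
    ip = ipaddress.ip_address(dst)
    mark = next((m for pfx, m in mangle_output if ip in ipaddress.ip_network(pfx)), 0)
    final = lookup(rules, tables, dst, fwmark=mark) or first
    # source address was fixed at connect() time (post #8's caveat)
    return {"via": final["via"], "src": first["src"]}

# The thread's setup: no default gw, rule fwmark 1 -> table 200, default route in 200,
# and: iptables -t mangle -A OUTPUT -d 172.16.128.1 -j MARK --set-mark 1
RULES = [(100, {"fwmark": 1}, 200), (32766, {}, "main")]
TABLES = {"main": [{"prefix": "172.16.16.0/22", "via": None, "src": "172.16.16.250"}],
          200: [{"prefix": "0.0.0.0/0", "via": "172.16.16.1", "src": "172.16.16.250"}]}
MANGLE_OUTPUT = [("172.16.128.1/32", 1)]

def as_posted():
    return send_local(RULES, TABLES, MANGLE_OUTPUT, "172.16.128.1")

def with_dummy_main_route(dummy_gw="172.16.16.2", src="172.16.16.250"):
    """Post #8's workaround: any main-table route for the destination (even via
    a dead host, with 'src' chosen there) lets connect() succeed; the mark then wins."""
    main = TABLES["main"] + [{"prefix": "172.16.128.1/32", "via": dummy_gw, "src": src}]
    return send_local(RULES, {**TABLES, "main": main}, MANGLE_OUTPUT, "172.16.128.1")
```

Calling with_dummy_main_route(src="10.0.0.5") shows the caveat: the packet leaves via 172.16.16.1 from table 200 but still carries the source address picked by the main-table route.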
 
Old 05-25-2010, 11:19 AM   #9
Jajaa Boo
LQ Newbie
 
Registered: May 2010
Posts: 1

Rep: Reputation: 0
The -j MARK target is allowed in all tables but actually works ONLY in the 'mangle' table. So use:

iptables -t mangle -A OUTPUT -d ... -j MARK --set-mark ...

Google for "SOLVED: iptables MARK + ip rule fwmark on locally generated packets" for details (sorry, the forum doesn't allow me to post direct links).
 
Old 05-26-2010, 06:42 AM   #10
Ipolit
Member
 
Registered: Nov 2003
Location: Bulgaria
Distribution: Vector Linux, Morphix
Posts: 321

Rep: Reputation: 33
Can you please post your /etc/iproute2/rt_tables,
because I think you have some mistake there.
For me it works perfectly - the ping, I mean, with no gateway.
 
  

