LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 04-09-2010, 05:07 AM   #16
bakdong
Member
 
Registered: Apr 2009
Posts: 214

Rep: Reputation: 44

Quote:
Originally Posted by andrewhiggs
What should be in ip route show table LocalOnly? This is what it currently has in it:
Code:
default dev ppp1  scope link
This is from one of my tables:

10.0.2.0/24 dev eth1 proto static scope link src 10.0.2.1
default via 10.0.2.100 dev eth1 proto static src 10.0.2.1
 
Old 04-13-2010, 08:34 AM   #17
andrewhiggs
LQ Newbie
 
Registered: Apr 2010
Location: ZA
Distribution: Slackware 13, Ubuntu 9.10
Posts: 21

Original Poster
Rep: Reputation: 11
Unhappy

Hi All,

I am really struggling to understand what I am missing or not doing to get this working. I am attempting to get zhjim's suggestion to work.

ASCII art for reference:
Code:
mail----+
        |                                      +-----------------+
        |                                      |                 |
        |               +------------ppp0------+       I         +--------store1
        |               |                      |       N         |
        |           +--------------+           |       T         |
        |           |              |           |       E         | 
user1---+-----------+ router (vpn) |           |       R         |
        |           |              |           |       N         |
        |           +--------------+           |       E         |
        |               |                      |       T         |
        |               +------------ppp1------+                 +--------store2
        |                                      |                 |
        |                                      +-----------------+
user2---+
He suggested routing everything from mail (172.16.48.200) to ppp1. What I have done to try to achieve this was the following:
ip rule add from 172.16.48.200 table LocalOnly
This resulted in ip rule show giving the following:
Code:
0:	from all lookup local 
32764:	from 172.16.48.200 lookup LocalOnly 
32766:	from all lookup main 
32767:	from all lookup default
ip route show table LocalOnly has the following output:
Code:
default via 1XX.2XX.1XX.X dev ppp1
Once this is done I remove the route from the main routing table (I assume this would be needed) so that connections coming from our local network to the stores can go out over the default route.

With the route removed from the main routing table the connection is broken.

What am I doing wrong? Do I need to do any SNATing? Both ppp0 and ppp1 are masqueraded.

Regards and thanks for all the help so far.
 
Old 04-13-2010, 05:43 PM   #18
TimothyEBaldwin
Member
 
Registered: Mar 2009
Posts: 249

Rep: Reputation: 27
Quote:
Originally Posted by andrewhiggs
ip rule add from 172.16.48.200 table LocalOnly
Quote:
What am I doing wrong? Do I need to do any SNATing? Both ppp0 and ppp1 are masqueraded.
masquerade = SNAT

Did you remember ip route flush cache?

According to the Linux Advanced Routing & Traffic Control HOWTO, you should use the public IP in the ip rule command. Since masquerading is in use, that should work regardless of which host is sending.

Two errors in your original approach were only marking half of the incoming packets, and not copying the connection mark to the packet mark on outgoing packets.

Last edited by TimothyEBaldwin; 04-13-2010 at 05:56 PM.
 
Old 04-13-2010, 07:57 PM   #19
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
To OP.
You know, I think, if the router receives an incoming connection through interface PPP1, it should write it in its NAT table and remember it. So the connection physically can't go to PPP0.
I do not think you should do anything about it, your router does it.
Please, check it first.

Last edited by nimnull22; 04-13-2010 at 08:27 PM.
 
Old 04-14-2010, 03:41 AM   #20
TimothyEBaldwin
Member
 
Registered: Mar 2009
Posts: 249

Rep: Reputation: 27
Quote:
Originally Posted by nimnull22
To OP.
You know, I think, if the router receives an incoming connection through interface PPP1, it should write it in its NAT table and remember it. So the connection physically can't go to PPP0.
I do not think you should do anything about it, your router does it.
Please, check it first.
No, Linux NAT does not record anything about network interfaces, only IPv4 addresses and port numbers.
 
Old 04-14-2010, 05:27 AM   #21
andrewhiggs
LQ Newbie
 
Registered: Apr 2010
Location: ZA
Distribution: Slackware 13, Ubuntu 9.10
Posts: 21

Original Poster
Rep: Reputation: 11
Quote:
Originally Posted by TimothyEBaldwin
masquerade = SNAT

Did you remember ip route flush cache?

According to the Linux Advanced Routing & Traffic Control HOWTO, you should use the public IP in the ip rule command. Since masquerading is in use, that should work regardless of which host is sending.

Two errors in your original approach were only marking half of the incoming packets, and not copying the connection mark to the packet mark on outgoing packets.
Hi Timothy,

Thanks for the reply. I have followed all the steps in 4.2.1 of the supplied link and it is still not working. I have done an ip route flush cache. It doesn't seem to make a difference, or at least it doesn't get it working. If I remove the route (ip del -net 196.215.0.0/16) from the main routing table the connection breaks.

I just can't seem to grasp why not.

Regards
 
Old 04-14-2010, 05:30 AM   #22
andrewhiggs
LQ Newbie
 
Registered: Apr 2010
Location: ZA
Distribution: Slackware 13, Ubuntu 9.10
Posts: 21

Original Poster
Rep: Reputation: 11
Quote:
Originally Posted by nimnull22
To OP.
You know, I think, if the router receives an incoming connection through interface PPP1, it should write it in its NAT table and remember it. So the connection physically can't go to PPP0.
I do not think you should do anything about it, your router does it.
Please, check it first.
Thanks nimnull22 for the suggestion, but just to clarify, I tried it and it didn't work.

Regards

Last edited by andrewhiggs; 04-14-2010 at 05:31 AM.
 
Old 04-14-2010, 10:34 AM   #23
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
If it is a Linux router, it has CONNECTION TRACKER=nf_conntrack, and if an incoming connection was established from IP=ppp0 it will never go out from any other interface.

You can see for yourself: /proc/net/nf_conntrack

Last edited by nimnull22; 04-14-2010 at 10:48 AM.
 
Old 04-15-2010, 02:07 AM   #24
andrewhiggs
LQ Newbie
 
Registered: Apr 2010
Location: ZA
Distribution: Slackware 13, Ubuntu 9.10
Posts: 21

Original Poster
Rep: Reputation: 11
Quote:
Originally Posted by nimnull22
If it is a Linux router, it has CONNECTION TRACKER=nf_conntrack, and if an incoming connection was established from IP=ppp0 it will never go out from any other interface.

You can see for yourself: /proc/net/nf_conntrack
Hi nimnull22,

I have nf_conntrack loaded. The connections coming into ppp1 are redirected to another machine (mail). The returning packets are routed back out via default route (ppp0) unless I set routes to ppp1.

I am going to setup the connection directly on the mail server for now as this is hopefully only a temporary problem.

Thanks again to all those who helped.

Regards
 
Old 04-15-2010, 10:11 AM   #25
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
You know, if you have two gateways to go outside, you should have two default routes.
If, and only if, you want to test it, you can add a second default route, but first delete the one you have right now.

It is simple, look at this example:

Code:
echo "1 First_ISP" >> /etc/iproute2/rt_tables
echo "2 Second_ISP" >> /etc/iproute2/rt_tables

ip route add 192.168.1.0/24 dev eth0 src 192.168.1.200 table First_ISP
ip route add default via 192.168.1.1 table First_ISP
ip route add 192.168.0.0/24 dev eth2 src 192.168.0.200 table Second_ISP
ip route add default via 192.168.0.1 table Second_ISP
I got it from: http://www.linuxquestions.org/linux/..._Multiple_DSLs
There are rules to switch between the two routes, but I do not think you need them.

Try if you want.
 
Old 04-16-2010, 11:58 AM   #26
TimothyEBaldwin
Member
 
Registered: Mar 2009
Posts: 249

Rep: Reputation: 27
Quote:
Originally Posted by nimnull22
If it is a Linux router, it has CONNECTION TRACKER=nf_conntrack, and if an incoming connection was established from IP=ppp0 it will never go out from any other interface.

You can see for yourself: /proc/net/nf_conntrack
One cannot see it there, because it is not there. That file contains lines like:
Code:
ipv4     2 tcp      6 431993 ESTABLISHED src=10.211.93.8 dst=10.211.92.200 sport=47914 dport=8888 src=10.211.92.1 dst=10.211.92.4 sport=80 dport=47914 [ASSURED] use=2
It should be obvious that there is no reference to any network interfaces. Furthermore, unless configured using "ip rule" or equivalent, the source address of the packet is NOT used to determine the outgoing interface.

Quote:
Originally Posted by nimnull22
Code:
echo "1 First_ISP" >> /etc/iproute2/rt_tables
echo "2 Second_ISP" >> /etc/iproute2/rt_tables

ip route add 192.168.1.0/24 dev eth0 src 192.168.1.200 table First_ISP
ip route add default via 192.168.1.1 table First_ISP
ip route add 192.168.0.0/24 dev eth2 src 192.168.0.200 table Second_ISP
ip route add default via 192.168.0.1 table Second_ISP
I got it from: http://www.linuxquestions.org/linux/..._Multiple_DSLs
There are rules to switch between the two routes, but I do not think you need them.

Try if you want.
That's not sufficient; as that stands, those routes will be unused because no routing policy database entry refers to them. The following commands are not optional:

Code:
ip rule add from 192.168.1.200 table First_ISP
ip rule add from 192.168.0.200 table Second_ISP
To andrewhiggs, can we see the output of these commands:
Code:
ip addr show
ip rule show
ip route show table all
iptables-save
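Putting Timothy's three points together (connmark every new connection arriving on ppp1, copy the connection mark back onto the mail server's replies before routing, and add the ip rule that actually consults the table), here is an added example script; it is not code from anyone in the thread. It prints the commands by default and only executes them when invoked with `apply`; the table name LocalOnly and the mail address 172.16.48.200 come from the thread, while the mark value 0x1 and the rule priority 100 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): return-path policy routing for a
# DNAT'ed service behind two PPP links. Prints the plan by default and only
# executes when invoked as "./return-path.sh apply".
set -eu

WAN2="${WAN2:-ppp1}"             # link the inbound connections arrive on
TABLE="${TABLE:-LocalOnly}"      # routing table for that link (from the thread)
MAIL="${MAIL:-172.16.48.200}"    # DNAT target inside the LAN (from the thread)
MARK="${MARK:-0x1}"              # assumed fwmark value
PRIO="${PRIO:-100}"              # assumed ip rule priority, ahead of main (32766)

MODE="${1:-plan}"
run() { if [ "$MODE" = apply ]; then "$@"; else printf '%s\n' "$*"; fi; }

return_path_rules() {
    # 1. Remember the ingress link: connmark EVERY new connection entering
    #    on ppp1, not just some of them.
    run iptables -t mangle -A PREROUTING -i "$WAN2" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK"
    # 2. Copy the connection mark back onto the mail server's reply packets
    #    before the routing decision, so the fwmark rule can see it.
    run iptables -t mangle -A PREROUTING -s "$MAIL" -m connmark --mark "$MARK" \
        -j CONNMARK --restore-mark
    # 3. Send marked packets to the ppp1 table; without this rule the table
    #    exists but is never consulted.
    run ip rule add fwmark "$MARK" table "$TABLE" priority "$PRIO"
    run ip route replace default dev "$WAN2" table "$TABLE"
    # 4. Drop cached routing decisions so the new rule takes effect.
    run ip route flush cache
}

return_path_rules
```

Check the result with `ip rule show` and `ip route show table LocalOnly`; replies from 172.16.48.200 to connections that entered via ppp1 should now leave via ppp1 while everything else keeps using the main table.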
 
Old 04-16-2010, 12:10 PM   #27
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 51
Going in a completely different direction, couldn't you just NAT the traffic that is having trouble with routing?

iptables -t nat -A PREROUTING -i ppp1 -p tcp --destination <mailserverip> -j DNAT --to-destination <mailserverip>

With that rule, all traffic inbound on ppp1 going to the mail server would be DNAT'ed to go to the mailserver.
This will effectively do nothing, EXCEPT netfilter will take care of the connection and hopefully it will go out on the right interface.

Last edited by SuperJediWombat!; 04-16-2010 at 12:13 PM.
 
  

