LinuxQuestions.org
Old 11-30-2008, 07:21 PM   #1
rvo
Member
 
Registered: Sep 2008
Location: Paraguay
Distribution: Slackware
Posts: 31

Rep: Reputation: 15
Routing based on destination port


Thanks for reading this. First of all, I would like to apologize if my English isn't very good.

I have the following problem:

I'm running Slackware 12.1 as my main desktop. I have 2 ISPs and I'd like to use one internet connection (through eth0) for regular web browsing (port 80 and port 443), while the rest (IM, SSH, BitTorrent) goes to the other internet connection (through ppp0).

First I mark the packets that I'd like to go to eth0:
Code:
for port in http https
do
  iptables -t mangle -A PREROUTING -p tcp --dport $port -j MARK --set-mark 1
done
Then I create another routing table with a default gateway pointing to my router (192.168.0.1)
Code:
ip route add 192.168.0.0/24 dev eth0 src 192.168.0.185 table 1
ip route add default via 192.168.0.1 dev eth0 table 1
And finally, I create a rule that checks the fwmark on the packets and, if it matches, table 1 is used. (Is that right?)
Code:
ip rule add fwmark 1 priority 1 table 1
But this doesn't seem to work. I've added another iptables rule for debugging my problem; here is a snippet of the log. It seems that the packets are still being routed through ppp0 and not eth0.
Code:
***foo***IN= OUT=ppp0 SRC=170.51.13.39 DST=75.126.162.205 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=11477 DF PROTO=TCP SPT=48952 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0 MARK=0x1
Does anybody know what I should do next? Thank you very much.
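
A way to check that LOG output mechanically, as an added example that is not code from this thread: it parses the OUT= and MARK= fields of iptables LOG lines and flags every packet that carries the mark but left through an interface other than the one the fwmark rule is supposed to select. The function names and the two extra sample lines are mine; the first sample is the line posted above.

```shell
#!/bin/sh
# Added example (not from the thread): audit iptables LOG lines against the
# policy "packets carrying MARK=<mark> must leave via <iface>".

# log_field LINE KEY: print the value of "KEY=value" from an iptables LOG line
# (prints nothing when the key is absent or empty, as in "IN=").
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# audit_line LINE WANT_MARK WANT_IFACE: print exactly one verdict word:
#   unmarked    no MARK= field, the policy does not apply
#   other-mark  marked with a different value, the policy does not apply
#   ok          marked with WANT_MARK and sent out via WANT_IFACE
#   wrong-iface marked with WANT_MARK but sent out via another interface
audit_line() {
    mark=$(log_field "$1" MARK)
    out=$(log_field "$1" OUT)
    if [ -z "$mark" ]; then echo unmarked
    elif [ "$mark" != "$2" ]; then echo other-mark
    elif [ "$out" = "$3" ]; then echo ok
    else echo wrong-iface
    fi
}

# audit_log WANT_MARK WANT_IFACE < logfile: report misrouted packets;
# exit status 0 when none were found, 1 otherwise.
audit_log() {
    bad=0
    while IFS= read -r line; do
        if [ "$(audit_line "$line" "$1" "$2")" = wrong-iface ]; then
            bad=$((bad + 1))
            printf 'MISROUTED: %s\n' "$line"
        fi
    done
    echo "misrouted packets: $bad"
    [ "$bad" -eq 0 ]
}

# Constructed samples: LOG_BAD is the line from the post above (mark 1 left via
# ppp0), LOG_GOOD is how a correctly routed packet would look, LOG_SSH is unmarked.
LOG_BAD='***foo***IN= OUT=ppp0 SRC=170.51.13.39 DST=75.126.162.205 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=11477 DF PROTO=TCP SPT=48952 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0 MARK=0x1'
LOG_GOOD='***foo***IN= OUT=eth0 SRC=192.168.0.185 DST=75.126.162.205 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11478 DF PROTO=TCP SPT=48953 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x1'
LOG_SSH='***foo***IN= OUT=ppp0 SRC=170.51.13.39 DST=75.126.162.205 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11479 DF PROTO=TCP SPT=48954 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

printf '%s\n%s\n%s\n' "$LOG_BAD" "$LOG_GOOD" "$LOG_SSH" | audit_log 0x1 eth0 || echo 'routing policy violated'
```

Feed it the real kernel log (e.g. the lines with your LOG prefix from /var/log/messages) on stdin to audit a running box.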
 
Old 11-30-2008, 08:11 PM   #2
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Colombia
Distribution: Kubuntu, Debian, Knoppix
Posts: 1,982
Blog Entries: 1

Rep: Reputation: 83
Well.. it's been a while since I tried these things... but let's try to "unrust" my neurons on this. :-)

What is the output of these commands:

ip addr show
ip route show default
ip route show table table1

and what is the content of /etc/iproute2/rt_tables?

Just curious, but... why did you set that in PREROUTING? It's only going to affect packets you are forwarding. If you are trying to see whether it works with packets you are creating on the host, you should set it in OUTPUT as well (because those packets won't go through PREROUTING).
 
Old 11-30-2008, 09:55 PM   #3
rvo
Member
 
Registered: Sep 2008
Location: Paraguay
Distribution: Slackware
Posts: 31

Original Poster
Rep: Reputation: 15
Ok, here they are.

Output from 'ip addr show':
Quote:
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: wmaster0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ieee802.11 00:18:e7:28:90:17 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:18:e7:28:90:17 brd ff:ff:ff:ff:ff:ff
4: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:23:54:25:17:66 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.185/24 brd 192.168.0.255 scope global eth0
inet6 fe80::223:54ff:fe25:1766/64 scope link
valid_lft forever preferred_lft forever
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc pfifo_fast qlen 3
link/ppp
inet 170.51.13.39 peer 10.64.64.64/32 scope global ppp0
Output from 'ip route show default':
Quote:
10.64.64.64 dev ppp0 proto kernel scope link src 170.51.13.39
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.185
127.0.0.0/8 dev lo scope link
default via 10.64.64.64 dev ppp0
Output from 'ip route show table 1':
Quote:
192.168.0.0/24 dev eth0 scope link src 192.168.0.185
default via 192.168.0.1 dev eth0
Content of '/etc/iproute2/rt_tables':
Quote:
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
Quote:
Just curious, but... why did you set that in PREROUTING? It's only going to affect packets you are forwarding. If you are trying to see whether it works with packets you are creating on the host, you should set it in OUTPUT as well (because those packets won't go through PREROUTING).
Thank you for that. I've changed the rules to be in the OUTPUT chain of the mangle table now, but it doesn't work either. The packets are still being routed through ppp0.
 
Old 12-01-2008, 07:38 AM   #4
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Colombia
Distribution: Kubuntu, Debian, Knoppix
Posts: 1,982
Blog Entries: 1

Rep: Reputation: 83
If I'm not wrong, you have to add the table to rt_tables.

250 table1

or something like that.

Does it work now?
 
Old 12-01-2008, 09:37 AM   #5
rvo
Member
 
Registered: Sep 2008
Location: Paraguay
Distribution: Slackware
Posts: 31

Original Poster
Rep: Reputation: 15
Hey, I've fixed my problem by doing SNAT with this rule:
Quote:
iptables -t nat -A POSTROUTING -m mark --mark 5 -j SNAT --to 192.168.0.185
Then with tcpdump I can see the packets being routed through eth0 :-)

Even though it works, I don't really see why I should do SNAT here; I googled it and then added this rule. I would like to learn the 'why'.
 
Old 12-01-2008, 02:31 PM   #6
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,094
Blog Entries: 2

Rep: Reputation: 111
Did you fix your problem or did you just make everything route out 192.168.0.1?
 
Old 12-01-2008, 04:34 PM   #7
rvo
Member
 
Registered: Sep 2008
Location: Paraguay
Distribution: Slackware
Posts: 31

Original Poster
Rep: Reputation: 15
I fixed my problem. After adding that SNAT rule packets marked with '5' are being routed to 192.168.0.1. The rest goes through ppp0. Just what I wanted. :-)
 
Old 01-11-2011, 09:01 AM   #8
rhn
LQ Newbie
 
Registered: Sep 2010
Posts: 4

Rep: Reputation: 0
Hey, I have the same problem, except it was not fixed by either SNAT or MASQUERADE.

I created an entry in /etc/iproute2/rt_tables:

Code:
#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
1 VPN
I added a relevant route through the interface:
Code:
#ip route show table VPN
default via 192.168.2.1 dev tun0
I added a marking rule for packets:
Code:
Chain OUTPUT (policy ACCEPT 30830 packets, 6219K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   11   644 MARK       tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp MARK set 0x1
and finally, a rule for setting the correct route:
Code:
#ip rule
0:	from all lookup local 
32765:	from all fwmark 0x1 lookup VPN 
32766:	from all lookup main 
32767:	from all lookup default
As a result, the packets are "half-routed" correctly. They are being sent to the correct interface, with the wrong source address. The source address is always taken from the main routing table. In the end, there is never any reply, because the packets are on the wrong network.

I tried adding a SNAT and MASQUERADE override, which works slightly better: now the packets are on the correct network and the correct interface, and I can even see TCP [SYN, ACK] replies. Unfortunately, the programs I'm using don't see any of the replies. It looks like the kernel looks up the returning packets' addresses in the main table - I can only guess.

Does anyone know how to make it work? I will be grateful for the reply.
 
Old 01-11-2011, 09:14 AM   #9
rhn
LQ Newbie
 
Registered: Sep 2010
Posts: 4

Rep: Reputation: 0
I found an ugly solution to the problem:
Code:
# echo 0 > /proc/sys/net/ipv4/conf/tun0/rp_filter
# echo 0 > /proc/sys/net/ipv4/conf/wlan0/rp_filter
# echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
Interestingly, after inserting 1's back, it still works the same way.
Source: http://www.groupsrv.com/linux/about130765.html

Does there exist a better solution? Since I'm not exactly sure what rp_filter does, I wouldn't want to modify it.

Thanks in advance!

Last edited by rhn; 01-11-2011 at 09:16 AM.
 
Old 01-11-2011, 09:48 AM   #10
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Colombia
Distribution: Kubuntu, Debian, Knoppix
Posts: 1,982
Blog Entries: 1

Rep: Reputation: 83
Could you try setting the source address for the routing item of the default gw on the VPN table? Perhaps that could solve the problem.

Perhaps something like:
ip route add default via x.x.x.x src y.y.y.y dev tun0 table VPN
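
The complete setup this thread converges on, as an added example that is not code from any poster: the mark goes in mangle OUTPUT (post #2), the table gets an explicit src (post #10), SNAT fixes the source address of connections that were already bound before the mark existed (the 'why' asked in post #5), and rp_filter is set to loose mode on the interface instead of being switched off (post #9). The function names and the dry-run wrapper are mine; the addresses, table, mark and ports are the ones from post #1. Without --apply it only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread): port-based policy routing with the
# reason for each step. Prints the commands unless run as root with --apply.

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# setup_port_routing TABLE MARK IFACE GATEWAY SRC_ADDR PORT...
setup_port_routing() {
    table=$1 mark=$2 iface=$3 gw=$4 src=$5
    shift 5
    # 1. Mark in mangle OUTPUT: locally generated packets never traverse
    #    PREROUTING, which only sees packets arriving from the network.
    for port in "$@"; do
        run iptables -t mangle -A OUTPUT -p tcp --dport "$port" -j MARK --set-mark "$mark"
    done
    # 2. Alternate table with an explicit src. It only helps lookups that hit
    #    this table from the start; packets marked in OUTPUT already had their
    #    source address chosen from the main table before the mark existed.
    run ip route add default via "$gw" dev "$iface" src "$src" table "$table"
    # 3. Marked packets consult that table instead of main.
    run ip rule add fwmark "$mark" lookup "$table"
    # 4. A connected TCP socket keeps the source address picked at connect()
    #    time (the other ISP's), so rewrite it on the way out; otherwise the
    #    reply goes to an address this interface does not own.
    run iptables -t nat -A POSTROUTING -o "$iface" -m mark --mark "$mark" -j SNAT --to-source "$src"
    # 5. Replies arrive on IFACE, but the reverse-path check uses the main
    #    table, whose route back to the peer points at the other link. Loose
    #    mode (2) accepts them if any route to the source exists; 0 would
    #    disable the check entirely.
    run sysctl -w "net.ipv4.conf.$iface.rp_filter=2"
    run ip route flush cache
}

[ "${1:-}" = --apply ] || DRY_RUN=1
setup_port_routing 1 1 eth0 192.168.0.1 192.168.0.185 80 443
```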
 
  

