11-30-2008, 07:21 PM | #1 | Member | Registered: Sep 2008 | Location: Paraguay | Distribution: Slackware | Posts: 31
Routing based on destination port
Thanks for reading this. First of all, I would like to apologize if my English isn't very good.
I have the following problem:
I'm running Slackware 12.1 as my main desktop. I have 2 ISPs and I'd like to use one internet connection (through eth0) for regular web browsing (port 80 and port 443), while the rest, like IM, ssh and bittorrent, goes through the other internet connection (through ppp0).
First I mark the packets that I'd like to go to eth0:
Code:
for port in http https
do
iptables -t mangle -A PREROUTING -p tcp --dport $port -j MARK --set-mark 1
done
Then I create another routing table with a default gateway pointing to my router (192.168.0.1)
Code:
ip route add 192.168.0.0/24 dev eth0 src 192.168.0.185 table 1
ip route add default via 192.168.0.1 dev eth0 table 1
And finally, I create a rule that checks the fwmark on the packets and, if it matches, table 1 is used. (Is that right?)
Code:
ip rule add fwmark 1 priority 1 table 1
But this doesn't seem to work. I've added another iptables rule for debugging my problem; here is a snippet of the log. It seems that the packets are still being routed through ppp0 and not eth0.
Code:
***foo***IN= OUT=ppp0 SRC=170.51.13.39 DST=75.126.162.205 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=11477 DF PROTO=TCP SPT=48952 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0 MARK=0x1
Does anybody know what I should do next? Thank you very much.
11-30-2008, 08:11 PM | #2 | Senior Member | Registered: Apr 2003 | Location: Colombia | Distribution: Kubuntu, Debian, Knoppix | Posts: 1,888
Well.. it's been a while since I tried these things... but let's try to "unrust" my neurons on this. :-)
What is the output of these commands:
ip addr show
ip route show default
ip route show table table1
and what is the content of /etc/iproute2/rt_tables?
Just curious, but... why did you set that in PREROUTING? It's only going to affect packets you are forwarding. If you are trying to see whether it works with packets you are creating on the host, you should set it in OUTPUT as well (because those packets won't go through PREROUTING).
11-30-2008, 09:55 PM | #3 | Member | Registered: Sep 2008 | Location: Paraguay | Distribution: Slackware | Posts: 31 | Original Poster
Ok, here they are.
Output from 'ip addr show':
Quote:
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: wmaster0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ieee802.11 00:18:e7:28:90:17 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:18:e7:28:90:17 brd ff:ff:ff:ff:ff:ff
4: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:23:54:25:17:66 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.185/24 brd 192.168.0.255 scope global eth0
inet6 fe80::223:54ff:fe25:1766/64 scope link
valid_lft forever preferred_lft forever
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,10000> mtu 1500 qdisc pfifo_fast qlen 3
link/ppp
inet 170.51.13.39 peer 10.64.64.64/32 scope global ppp0
Output from 'ip route show default':
Quote:
10.64.64.64 dev ppp0 proto kernel scope link src 170.51.13.39
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.185
127.0.0.0/8 dev lo scope link
default via 10.64.64.64 dev ppp0
Output from 'ip route show table 1':
Quote:
192.168.0.0/24 dev eth0 scope link src 192.168.0.185
default via 192.168.0.1 dev eth0
Content of '/etc/iproute2/rt_tables':
Quote:
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
Quote:
Just curious, but... why did you set that in PREROUTING? It's only going to affect packets you are forwarding. If you are trying to see whether it works with packets you are creating on the host, you should set it in OUTPUT as well (because those packets won't go through PREROUTING).
Thank you for that. I've changed the rules to be in the OUTPUT chain of the mangle table now, but it doesn't work either. The packets are still being routed through ppp0.
12-01-2008, 07:38 AM | #4 | Senior Member | Registered: Apr 2003 | Location: Colombia | Distribution: Kubuntu, Debian, Knoppix | Posts: 1,888
If I'm not wrong, you have to add the table to rt_tables.
250 table1
or something like that.
Does it work now?
12-01-2008, 09:37 AM | #5 | Member | Registered: Sep 2008 | Location: Paraguay | Distribution: Slackware | Posts: 31 | Original Poster
Hey, I've fixed my problem by doing SNAT with this rule:
Quote:
iptables -t nat -A POSTROUTING -m mark --mark 5 -j SNAT --to 192.168.0.185
Then with tcpdump I can see the packets being routed through eth0 :-)
Even though it works, I don't really see the point of why I should do SNAT here; I googled it and then added this rule. I would like to learn the 'why'.
12-01-2008, 02:31 PM | #6 | Senior Member | Registered: Jun 2008 | Distribution: debian, ubuntu, sidux | Posts: 1,051
Did you fix your problem or did you just make everything route out 192.168.0.1?
12-01-2008, 04:34 PM | #7 | Member | Registered: Sep 2008 | Location: Paraguay | Distribution: Slackware | Posts: 31 | Original Poster
I fixed my problem. After adding that SNAT rule packets marked with '5' are being routed to 192.168.0.1. The rest goes through ppp0. Just what I wanted. :-)
01-11-2011, 09:01 AM | #8 | LQ Newbie | Registered: Sep 2010 | Posts: 4
Hey, I have the same problem, except it was not fixed by either SNAT or MASQUERADE.
I created an entry in /etc/iproute2/rt_tables:
Code:
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
1 VPN
I added a relevant route through the interface:
Code:
#ip route show table VPN
default via 192.168.2.1 dev tun0
I added a marking rule for packets:
Code:
Chain OUTPUT (policy ACCEPT 30830 packets, 6219K bytes)
pkts bytes target prot opt in out source destination
11 644 MARK tcp -- any any anywhere anywhere tcp dpt:smtp MARK set 0x1
and finally, a rule for setting the correct route:
Code:
#ip rule
0: from all lookup local
32765: from all fwmark 0x1 lookup VPN
32766: from all lookup main
32767: from all lookup default
As a result, the packets are "half-routed" correctly. They are being sent to the correct interface, with the wrong source address. The source address is always taken from the main routing table. In the end, there is never any reply, because the packets are on the wrong network.
I tried adding a SNAT and MASQUERADE override, which works slightly better: now the packets are on the correct network and the correct interface, and I can even see TCP [SYN, ACK] replies. Unfortunately, the programs I'm using don't see any of the replies. It looks like the kernel looks up the returning packets' addresses in the main table - I can only guess.
Does anyone know how to make it work? I will be grateful for the reply.
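An added model, not code from this thread, of why SNAT was needed in post #5 and why post #8's packets come out "half-routed" with their replies dropped: for a locally generated packet the kernel picks the source address at the first, unmarked route lookup (the mangle OUTPUT mark is applied only afterwards), so the reroute after marking changes only the device and gateway, and a strict rp_filter then rejects replies whose source would route back out a different interface. Interfaces, table name and fwmark follow post #8; the addresses and the remote host are constructed, and the rp_filter values are the kernel's 0/1/2 (off/strict/loose) settings.

```python
import ipaddress

# Constructed model of the post #8 setup: main table via wlan0, table "VPN"
# via tun0, fwmark 1 -> VPN. Addresses are invented for illustration.
ADDRS = {"wlan0": "192.168.1.10", "tun0": "192.168.2.10"}
# route entries: (prefix, device, gateway, preferred src or None)
TABLES = {
    "main": [("0.0.0.0/0", "wlan0", "192.168.1.1", None)],
    "VPN": [("0.0.0.0/0", "tun0", "192.168.2.1", None)],
}
RULES = [(32765, 1, "VPN"), (32766, None, "main")]  # (priority, fwmark, table)


def lookup(dst, mark):
    """First matching rule whose table has a route for dst (longest prefix wins)."""
    d = ipaddress.ip_address(dst)
    for _, fwmark, table in sorted(RULES, key=lambda r: r[0]):
        if fwmark is not None and fwmark != mark:
            continue
        hits = [r for r in TABLES[table] if d in ipaddress.ip_network(r[0])]
        if hits:
            return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    raise LookupError("no route to " + dst)


def send(dst, dport, marked_ports, snat=None):
    """Locally generated packet: the connect-time lookup (mark 0) fixes the
    source address; mangle OUTPUT then sets the mark; the reroute only changes
    the device; nat POSTROUTING (snat = (mark, new_src)) may rewrite the source."""
    _, dev, _, src = lookup(dst, 0)
    saddr = src or ADDRS[dev]                 # chosen from the main table
    mark = 1 if dport in marked_ports else 0
    _, dev, _, _ = lookup(dst, mark)          # reroute keeps saddr as is
    if snat and mark == snat[0]:
        saddr = snat[1]                       # the fix from post #5
    return dev, saddr


def reply_accepted(remote, in_dev, rp_filter):
    """Reverse-path check on a reply from remote arriving on in_dev:
    0 = off, 1 = strict (must route back out in_dev), 2 = loose (any route)."""
    if rp_filter == 0:
        return True
    try:
        _, dev, _, _ = lookup(remote, 0)      # replies carry no fwmark
    except LookupError:
        return False
    return dev == in_dev if rp_filter == 1 else True
```

Calling send() for a marked port without snat returns tun0 with wlan0's address (the half-routed packet); with snat it returns tun0's address, and reply_accepted() on tun0 is False under strict rp_filter but True under loose mode 2.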
01-11-2011, 09:14 AM | #9 | LQ Newbie | Registered: Sep 2010 | Posts: 4
I found an ugly solution to the problem:
Code:
# echo 0 > /proc/sys/net/ipv4/conf/tun0/rp_filter
# echo 0 > /proc/sys/net/ipv4/conf/wlan0/rp_filter
# echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
Interestingly, after inserting 1's back, it still works the same way.
Source: http://www.groupsrv.com/linux/about130765.html
Does there exist a better solution? Since I'm not exactly sure what rp_filter does, I wouldn't want to modify it.
Thanks in advance!
Last edited by rhn; 01-11-2011 at 09:16 AM.
01-11-2011, 09:48 AM | #10 | Senior Member | Registered: Apr 2003 | Location: Colombia | Distribution: Kubuntu, Debian, Knoppix | Posts: 1,888
Could you try setting the source address for the routing item of the default gw on the VPN table? Perhaps that could solve the problem.
Perhaps something like:
ip route add default via x.x.x.x src y.y.y.y dev tun0 table VPN