[SOLVED] routing based on port

palt · 11-28-2012, 09:52 AM

Hello!

I have 2 internet connections on my Linux PC. One is through eth0 interface and one is through usb0 interface. Default gateway is reachable through eth0.
There is my routing table

Code:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 usb0
192.168.12.0    *               255.255.252.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     1000   0        0 eth0
default         192.168.12.129  0.0.0.0         UG    0      0        0 eth0

My eth0 IP is addr: 192.168.12.161 Mask:255.255.252.0
and usb0 IP is addr:192.168.0.201 Mask:255.255.255.0

I want that my HTTP connections work through usb0 interface. I have read this post http://www.linuxquestions.org/questi...not-ip-486823/ and did the same settings (I use http proxy with port 3128):

Code:

echo "200	http.out" >> /etc/iproute2/rt_tables
/sbin/ip route add default via 192.168.0.202 dev usb0 table http.out
ip rule add fwmark 1 table http.out

iptables -t mangle -A OUTPUT -p tcp --dport 3128 -j MARK --set-mark 1

After this I can see that HTTP output traffic with source address 192.168.12.161 (address of my eth0 interface) starts to go through usb0 interface. But I can't esteblish connection with http server. When my client sends [SYN] packet the server answer by [SYN,ACK] packet. But this answer doesn't reach my client. I have traced this [SYN,ACK] packet in the netfilter tables and found that this packet are losed after the chain mangle:PREROUTING. So it means this packet doesn't come into the mangle:INPUT chain. In the mangle:PREROUTING chain I have no any rules to drop this packet and default policy is ACCEPT.

And I don't know why [SYN,ACK] packet are losed after the mangle:PREROUTING. But I think the problem is that [SYN,ACK] packet comes through usb0 interface (with ip address 192.168.0.201) but destination address of packet is address of my eth0 interface (192.168.12.161). And the kernel doesn't know how to route this packet. So how can I pass this packet to the mangle:INPUT chain?
Thanks a lot for any help!

acid_kewpie · 11-29-2012, 04:25 AM

I've not needed to do this myself, so there may be a subtler thing I'm not aware of, as I wouldn't have thought that LOCAL traffic would have a source IP until the route is identified, so should pick up usb0's IP from the get go (although how can it traverse iptables without it in the first place... maybe that explains it..) but clearly the traffic leaving usb0 needs to have the IP for usb0. As such you should be able to just add a MASQUERADE target on the outbound traffic:

# iptables -t nat -A POSTROUTING -o usb0 -j MASQUERADE

palt · 11-29-2012, 05:02 AM

Chris, thanks for reply. I have also tryed to do masquerading on usb0 output but it didn't help

Also I set rp_filter into 0 (echo 0 >/proc/sys/net/ipv4/conf/all/rp_filter) but it still doesn't work.

acid_kewpie · 11-29-2012, 05:22 AM

what happens to the source with the MASQ entry? what does tcpdump show leaving the interface?

palt · 11-29-2012, 06:16 AM

As I can see it is solved by swithcing of Reverse Path Filtering. At firts I tryed to do it for all of interfaces by command

Code:

echo 0 >/proc/sys/net/ipv4/conf/all/rp_filter

and it didn't help. Then I tryed to do it for usb0 interface by command

Code:

echo 0 >/proc/sys/net/ipv4/conf/usb0/rp_filter

and it helped.
Then I tryed to investigate what was realy helped, the firts or the second command. And I found that only both of these commands solve my issue.

palt · 11-29-2012, 06:22 AM

Chris, for your question about MASQ adresses. Source outcoming addresses and destination incoming addresses became as address of my usb0 interface.