LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-23-2011, 03:22 PM   #1
zoummuoz
LQ Newbie
 
Registered: Jun 2011
Posts: 2

Rep: Reputation: Disabled
IPTABLES and IP RULES question ...


Hi all,

(and sorry for my English ... it's a pity, I know ...)

My Linux box:
Debian stable 3.1R2, kernel 2.6.8-2-386
Three LAN cards.
LAN : 89.0.7.0 (yes, I know, but it's like that!)
WAN1 : 192.168.100.0 -> router0 192.168.100.1
WAN2 : 192.168.101.0 -> router1 192.168.101.1
-> router2 192.168.101.2

My problem:
The LAN goes out to the net via the default router0: 192.168.100.1.
If the router0 link falls, I want to switch my traffic to router1 and router2, separating the flow ...
So far so good ... so I:

INTERFACES :
auto eth0
iface eth0 inet static
address 89.0.7.7
netmask 255.255.255.0
network 89.0.7.0
broadcast 89.0.7.255

auto eth1
iface eth1 inet static
address 192.168.100.254
netmask 255.255.255.0
broadcast 192.168.100.255
gateway 192.168.100.1

auto eth2
iface eth2 inet static
address 192.168.101.254
netmask 255.255.255.0
broadcast 192.168.101.255

auto eth2:1
iface eth2:1 inet static
address 192.168.101.101
netmask 255.255.255.0
broadcast 192.168.101.255

IPRULES:
#*************************
# Start definitions.
#-------------------------

#clear
ip route flush cache

ip rule del fwmark 1
ip rule del fwmark 2
ip rule del fwmark 3
# "ip route del table N" needs a destination and fails; "flush" empties the whole table
ip route flush table 1
ip route flush table 2
ip route flush table 3

# Rule bouygues
ip rule add fwmark 1 table 1
# Rule orange
ip rule add fwmark 2 table 2
# Rule sfr
ip rule add fwmark 3 table 3

# To router0
ip route add default via 192.168.100.1 dev eth1 table 1
# To router1
ip route add default via 192.168.101.1 dev eth2 table 2
# To router2
ip route add default via 192.168.101.2 dev eth2 table 3

ip route flush cache

Then IPTABLES :
#*************************
# START DEFINITIONS.
#-------------------------

clear
IPTABLES="iptables"

FILTERPOLICYDEFAULT_INPUT="ACCEPT"
FILTERPOLICYDEFAULT_OUTPUT="ACCEPT"
FILTERPOLICYDEFAULT_FORWARD="ACCEPT"
NATPOLICYDEFAULT_PREROUTING="ACCEPT"
NATPOLICYDEFAULT_POSTROUTING="ACCEPT"
PORTS_UN="1024:65535"

# Gateway

# Flush FORWARD, INPUT and OUTPUT table
$IPTABLES -F
$IPTABLES -X
$IPTABLES -F FORWARD
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT

#flush nat table
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X

#flush log_and_drop
$IPTABLES -X log_and_drop
$IPTABLES -N log_and_drop


echo "#--------------------------------"
echo "# Default rules"

echo "Regle FILTER INPUT : $FILTERPOLICYDEFAULT_INPUT"
$IPTABLES -t filter -P INPUT $FILTERPOLICYDEFAULT_INPUT

echo "Regle FILTER OUTPUT : $FILTERPOLICYDEFAULT_OUTPUT"
$IPTABLES -t filter -P OUTPUT $FILTERPOLICYDEFAULT_OUTPUT

echo "Regle FILTER FORWARD : $FILTERPOLICYDEFAULT_FORWARD"
$IPTABLES -t filter -P FORWARD $FILTERPOLICYDEFAULT_FORWARD

echo "#--------------------------------"
echo "# Adress translation"
echo "Regle PREROUTING : $NATPOLICYDEFAULT_PREROUTING"
$IPTABLES -t nat -P PREROUTING $NATPOLICYDEFAULT_PREROUTING
echo "Regle POSTROUTING : $NATPOLICYDEFAULT_POSTROUTING"
$IPTABLES -t nat -P POSTROUTING $NATPOLICYDEFAULT_POSTROUTING

#*************************
# START COMMANDS.
#-------------------------

# Activate router
echo 1 > /proc/sys/net/ipv4/ip_forward

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $f
done

# Definition of log_and_drop
#$IPTABLES -A log_and_drop -j LOG --log-level debug --log-prefix "filter drop "
#$IPTABLES -A log_and_drop -j ACCEPT

#*************************
# Start of rules.
#-------------------------

$IPTABLES -A PREROUTING -t mangle -s 89.0.7.0/24 -d 89.31.147.47 -p all -j MARK --set-mark 2
$IPTABLES -A PREROUTING -t mangle -s 89.0.7.0/24 -d 62.97.236.181 -p all -j MARK --set-mark 2


Good -> If you have arrived here, it is because you are passionate about my post!

I add a small ip route list:
89.0.7.0/24 dev eth0 proto kernel scope link src 89.0.7.7
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.254
192.168.101.0/24 dev eth2 proto kernel scope link src 192.168.101.254
default via 192.168.100.1 dev eth1

Here are my worries:
WHY DON'T I SEE MY TABLES 1 AND 2 ... ?

Why don't my PREROUTING rules work? 89.31.147.47 and 62.97.236.181 take the default route (router0 192.168.100.1) and not router1.

BUT sometimes it works too ...?????

Thanks for all opinions.

And: I can't understand that ...

passerelle:/etc/init.d# iptables -t mangle -nvL
Chain PREROUTING (policy ACCEPT 7526K packets, 6276M bytes)
pkts bytes target prot opt in out source destination
0 0 MARK all -- eth0 * 0.0.0.0/0 89.104.200.99 MARK set 0x2
0 0 MARK all -- eth0 * 0.0.0.0/0 89.31.147.47 MARK set 0x2
0 0 MARK all -- eth0 * 0.0.0.0/0 89.161.214.217 MARK set 0x2
0 0 MARK all -- eth0 * 0.0.0.0/0 62.97.236.181 MARK set 0x2
8 722 MARK all -- * * 89.0.7.0/24 192.168.101.0/24 MARK set 0x2

Chain INPUT (policy ACCEPT 129K packets, 15M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 7396K packets, 6261M bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 168K packets, 15M bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 7565K packets, 6276M bytes)
pkts bytes target prot opt in out source destination

passerelle:/etc/init.d# traceroute agriculture.gouv.fr
traceroute to agriculture.gouv.fr (89.31.147.47), 30 hops max, 38 byte packets
1 192.168.100.1 (192.168.100.1) 0.781 ms 0.735 ms 0.716 ms
2 *

Last edited by zoummuoz; 06-24-2011 at 03:34 AM.
 
Old 06-30-2011, 12:04 PM   #2
dr_agon
Member
 
Registered: Sep 2007
Location: Poland
Distribution: Ubuntu LTS
Posts: 105
Blog Entries: 12

Rep: Reputation: 26
You mixed up many things.

PREROUTING is "for altering incoming packets before routing" (from man page). You need to alter outgoing packets, so use POSTROUTING.

Find some how-to guide for configuring failover routing and try again.
Good luck!
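The following is an added example, not code from the thread or from either poster. It is a small Python simulation of the part of the Linux routing path that the first post's setup and the reply's PREROUTING/POSTROUTING remark both turn on: which mangle chain sees a packet before the routing decision, and how an fwmark rule then selects a table. The routing tables, fwmark rules and the two mangle rules are copied from the first post; the LAN client address 89.0.7.10 and the OUTPUT/POSTROUTING rule variants are constructed for the demonstration.

```python
# Added example (not from the thread): simulate fwmark-based table selection
# for the setup posted above. Only what matters for choosing a table is
# modelled: mangle PREROUTING runs on forwarded packets before the routing
# decision, mangle OUTPUT runs on locally generated packets before it, and
# mangle POSTROUTING runs after it.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Tables built by the posted "ip route add ... table N" commands, plus the
# main table as shown by the posted "ip route list".
ROUTE_TABLES = {
    "main": [
        ("89.0.7.0/24", None, "eth0"),
        ("192.168.100.0/24", None, "eth1"),
        ("192.168.101.0/24", None, "eth2"),
        ("0.0.0.0/0", "192.168.100.1", "eth1"),   # default via router0
    ],
    1: [("0.0.0.0/0", "192.168.100.1", "eth1")],  # router0
    2: [("0.0.0.0/0", "192.168.101.1", "eth2")],  # router1
    3: [("0.0.0.0/0", "192.168.101.2", "eth2")],  # router2
}

# "ip rule add fwmark N table N": consulted before the main table.
FWMARK_RULES = [(1, 1), (2, 2), (3, 3)]

# The two posted mangle rules: (chain, source network, destination host, mark).
POSTED_MANGLE_RULES = [
    ("PREROUTING", "89.0.7.0/24", "89.31.147.47", 2),
    ("PREROUTING", "89.0.7.0/24", "62.97.236.181", 2),
]


@dataclass
class Packet:
    src: str
    dst: str
    locally_generated: bool = False  # True for traffic the gateway itself sends
    mark: int = 0


def apply_mangle(pkt, chain, mangle_rules):
    """Apply the mangle rules of one chain to the packet and return its mark."""
    for rule_chain, src_net, dst_host, mark in mangle_rules:
        if (rule_chain == chain and pkt.dst == dst_host
                and ip_address(pkt.src) in ip_network(src_net)):
            pkt.mark = mark
    return pkt.mark


def lookup(table, dst):
    """Longest-prefix match in one table; returns (gateway, device) or None."""
    best = None
    for prefix, gw, dev in ROUTE_TABLES.get(table, []):
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw, dev)
    return None if best is None else (best[1], best[2])


def route(pkt):
    """Routing decision: fwmark rules first (in priority order), then main."""
    for mark, table in FWMARK_RULES:
        if pkt.mark == mark:
            hit = lookup(table, pkt.dst)
            if hit is not None:      # an empty table falls through to main
                return table, hit
    return "main", lookup("main", pkt.dst)


def send(pkt, mangle_rules=POSTED_MANGLE_RULES):
    """Netfilter traversal in the order that matters for table selection."""
    before = "OUTPUT" if pkt.locally_generated else "PREROUTING"
    apply_mangle(pkt, before, mangle_rules)          # before the routing decision
    table, (gw, dev) = route(pkt)
    apply_mangle(pkt, "POSTROUTING", mangle_rules)   # after it: table already chosen
    return {"table": table, "via": gw, "dev": dev, "mark": pkt.mark}


if __name__ == "__main__":
    # Constructed LAN client reaching a marked destination: forwarded via router1.
    print(send(Packet("89.0.7.10", "89.31.147.47")))
    # A traceroute run on the gateway itself is locally generated, so the
    # PREROUTING rules never see it and it leaves via router0.
    print(send(Packet("192.168.100.254", "89.31.147.47", locally_generated=True)))
```

Run as a script it prints the two decisions. Two points the model makes concrete for this setup: the posted PREROUTING rules only affect packets forwarded from the LAN, so a traceroute issued on the gateway itself (locally generated traffic, which is marked in mangle OUTPUT, not PREROUTING) takes the main table's default via 192.168.100.1, as in the posted traceroute; and a mark applied in mangle POSTROUTING arrives after the routing decision, so it cannot move traffic to another table. The `hit is not None` check in `route()` also shows why a table that failed to populate silently falls back to main.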
 
Old 06-30-2011, 02:13 PM   #3
zoummuoz
LQ Newbie
 
Registered: Jun 2011
Posts: 2

Original Poster
Rep: Reputation: Disabled
Thanks

OK,
I tried that and forward.

Thanks for all.