LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 11-09-2015, 11:30 PM   #1
fabioca
LQ Newbie
 
Registered: Sep 2015
Posts: 13

Rep: Reputation: Disabled
iptables, iproute2: rerouting not triggered after setting MARK in mangle OUTPUT table


Summary

I want to setup policy routing using fwmark on my router machine, and route some selected traffic over a vpn connection.

I use iptables to mark packets in the mangle chain both in OUTPUT and PREROUTING tables, in order to affect both local traffic and traffic incoming from the intranet.

I define a new routing table and rule so that all marked traffic will go via the vpn.

Everything works as expected when routing traffic generated from the intranet, but I have a problem with traffic generated by local processes, which is not rerouted after the mark is set in the mangle OUTPUT table.

More info

On my router machine I have 3 interfaces:
- lan0 facing the intranet
- wan0 facing the internet
- tun0 which is a VPN tun device

Code:
# ip addr
...other stuff omitted for simplicity
5: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether ea:10:be:99:32:94 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global lan0
       valid_lft forever preferred_lft forever
6: wan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether ea:10:be:99:32:94 brd ff:ff:ff:ff:ff:ff
    inet 202.156.44.182/21 brd 202.156.47.255 scope global dynamic wan0
       valid_lft 11216sec preferred_lft 11216sec
8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.8.6 peer 10.8.8.5/32 scope global tun0
       valid_lft forever preferred_lft forever

For testing purpose, currently I am marking only traffic directed to a specific web site. Here below I only show the content of the tables associated with traffic generated by local processes, which is the problematic one. As you can see I also insert some logging to trace the packets.

Code:
# iptables -nvL OUTPUT -t mangle
Chain OUTPUT (policy ACCEPT 11075 packets, 1951K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1   252 MARK       all  --  *      *       0.0.0.0/0            37.9.239.33          MARK or 0x4
    1   252 LOG        all  --  *      *       0.0.0.0/0            37.9.239.33          LOG flags 0 level 4 prefix "MANGLE "

# iptables -nvL OUTPUT -t nat
Chain OUTPUT (policy ACCEPT 361 packets, 25074 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    84 LOG        all  --  *      *       0.0.0.0/0            37.9.239.33          LOG flags 0 level 4 prefix "NAT "

# iptables -nvL OUTPUT -t filter
Chain OUTPUT (policy ACCEPT 11131 packets, 1961K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1   252 LOG        all  --  *      *       0.0.0.0/0            37.9.239.33          LOG flags 0 level 4 prefix "FILTER "
The routing table and rules are:

Code:
# ip rule list
0: from all lookup local
198:  from all fwmark 0x4/0x4 lookup vpn
32766:   from all lookup main
32767:   from all lookup default

# ip route list table main
default via 202.156.40.1 dev wan0  proto dhcp  src 202.156.44.182  metric 1024
10.8.8.5 dev vpn-nord-hk5  proto kernel  scope link  src 10.8.8.6
192.168.1.0/24 dev lan  proto kernel  scope link  src 192.168.1.1
202.156.40.0/21 dev wan0  proto kernel  scope link  src 202.156.44.182
202.156.40.1 dev wan0  proto dhcp  scope link  src 202.156.44.182  metric 1024

# ip route list table vpn
default via 10.8.8.5 dev tun0  proto static  src 10.8.8.6
192.168.1.0/24 dev lan0  proto static  scope link  src 192.168.1.1
When I ping 37.9.239.33 from the router machine, I get no reply. I would expect the packet to follow this path:
MANGLE:OUTPUT (to wan0) => NAT:OUTPUT (to wan0) => reroute to tun0 => FILTER:OUTPUT (to tun0)

Analysing the log I see the packet enter the mangle table routed for wan0 (as expected), but when it traverses the filter table it is still routed for wan0 (which is not expected). It seems that setting the mark does not trigger rerouting.

Code:
# dmesg --notime | tail -n 3
MANGLE IN= OUT=wan0 SRC=202.156.44.182 DST=37.9.239.33 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=27744 DF PROTO=ICMP TYPE=8 CODE=0 ID=2801 SEQ=1 MARK=0x4
NAT    IN= OUT=wan0 SRC=202.156.44.182 DST=37.9.239.33 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=27744 DF PROTO=ICMP TYPE=8 CODE=0 ID=2801 SEQ=1 MARK=0x4
FILTER IN= OUT=wan0 SRC=202.156.44.182 DST=37.9.239.33 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=27744 DF PROTO=ICMP TYPE=8 CODE=0 ID=2801 SEQ=1 MARK=0x4
The mark rule in the mangle output table is actually hit, as you can see from the counter in the iptables output above.

The routing rules seems to be working correctly, because everything works fine for traffic incoming from the intranet.

Questions

Any idea why rerouting is not triggered?

Is this the correct way to do policy based routing for traffic generated by local processes?

I am using a custom build kernel 4.2-rc8. Is there any special kernel compilation configuration flag I need to set to enable rerouting (I already have CONFIG_ADVANCED_ROUTING=y)?

Thanks
 
Old 11-10-2015, 12:31 AM   #2
fabioca
LQ Newbie
 
Registered: Sep 2015
Posts: 13

Original Poster
Rep: Reputation: Disabled
Ok, I will reply to myself. It is a mistake due to incorrect information. I think it is worth sharing, in case somebody else does the same mistake.

Based on
https://www.frozentux.net/iptables-t...html/c962.html
I was expecting rerouting to happen before the OUTPUT table of the filter chain, but adding logging also to other tables, I discovered rerouting actually happens after that.
MANGLE OUTPUT => NAT OUTPUT => FILTER OUTPUT => rerouting => MANGLE POSTROUTING

In fact I can see that rerouting happens correctly.

As for the reason for which I was not getting the ping back, there was a problem in the MASQUERADE rule, which was masquerading traffic originated from the intranet 192.168.1.0/24 (condition in bold), but not traffic originated from my wan address. Removing the part in bold, everything works ok.
Code:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun0 -j MASQUERADE
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
CentOS Firewall (rpm package lacks NAT/MANGLE table.) andalogokct Linux - Software 1 08-11-2015 06:36 PM
[SOLVED] iproute2 in Debian lenny adds routes to the main table instead of desired table donalbane Linux - Networking 3 03-28-2012 11:01 AM
Multi-WAN Problem with IPROUTE2/IPTABLES - Packets disappear between MANGLE & NAT alpharomeo31 Linux - Kernel 2 10-18-2011 09:12 AM
Meanings of IPTABLES mangle table mosharaf_linux Linux - Server 1 02-14-2011 06:53 AM
Mangle Table santhosh23 Linux - General 2 06-24-2007 08:52 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 11:15 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration