Old 04-06-2010, 09:57 AM   #1
andrewhiggs
LQ Newbie
 
Registered: Apr 2010
Location: ZA
Distribution: Slackware 13, Ubuntu 9.10
Posts: 21

Rep: Reputation: 11
Mark all incoming packets on connection


Hi All,

I have found a few articles and tutorials which seem to do what I need but can't seem to get them to work.

My Setup :

I have a router which makes two ppp connections. PPP0 is my default route and is an uncapped ADSL. PPP1 is a Local Only (South Africa) account which has DNS resolving to its IP. PPP1 allows certain connections in. I want all packets coming in on PPP1 to be marked so that after they have been routed through our local servers they can go back out over PPP1.

Both connections use dynamically assigned ip addresses. I want to use PPP0 to make a connection to one of our stores, but when our stores connect to us they will be using PPP1. All packets from these incoming connections will need to be routed back over PPP1.

Hope that makes sense. If anything is unclear please ask.

Your assistance would be greatly appreciated.

Regards

Andrew Higgs
 
Old 04-06-2010, 11:52 AM   #2
bakdong
Member
 
Registered: Apr 2009
Posts: 214

Rep: Reputation: 44
That's quite a set up! Have you looked at the LARTC site (Linux Advanced Routing and Traffic Control)? It has something similar there that you could probably adapt.
 
Old 04-07-2010, 07:08 AM   #3
andrewhiggs
Hi Bakdong,

I have looked at these examples and similar ones. But they all seem to be doing Load Balancing and not quite what I am doing (trying to do).

I need to mark all incoming packets. These packets are then redirected to a local machine. When they come back to the router they need to go back out on the original incoming interface (and not the default route). Not sure if I am missing something but I can't seem to get it to work.

I will experiment a little more and maybe post a script later for people to look at. Perhaps this will help.

Regards
 
Old 04-07-2010, 11:49 PM   #4
bakdong
It's definitely there. You will need a combination of ip rule tables, iptables to mark the packets, and conntrack. The load balancing part swaps the default route periodically with an optional weighting scheme. You don't have to incorporate that if you don't want it.
 
Old 04-08-2010, 03:35 AM   #5
andrewhiggs
Hi Bakdong,

Thanks for the reply.

My ASCII art sucks but here goes. This is a diagram of the network:

Code:
mail----+
        |                                      +-----------------+
        |                                      |                 |
        |               +------------ppp0------+       I         +--------store1
        |               |                      |       N         |
        |           +--------------+           |       T         |
        |           |              |           |       E         | 
user1---+-----------+ router (vpn) |           |       R         |
        |           |              |           |       N         |
        |           +--------------+           |       E         |
        |               |                      |       T         |
        |               +------------ppp1------+                 +--------store2
        |                                      |                 |
        |                                      +-----------------+
user2---+
I want user1 and user2 to be able to make a connection to store1 and store2 using ppp0. In other words if the connection is initiated from the local network it should be routed over the default gateway (ppp0). This is easy to do.

The problem comes in when store1 or store2 make a connection to the mail server. They connect via ppp1 (there is a DNS-resolvable name on this connection which I can't have on ppp0). The packets from this connection are then redirected to mail. When mail routes back to the store, the default gateway is used and the connection is broken. The solution to this is to add a route to allow traffic to store1 and store2 to go via ppp1, but then all connections from inside the local network are also affected.

So I am thinking I need to mark all new incoming connections on ppp1 so that they can be routed back to ppp1 later. What I have tried so far is this:
Code:
#!/bin/sh

/usr/bin/echo 1 > /proc/sys/net/ipv4/ip_dynaddr
/usr/bin/echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

/usr/sbin/iptables-restore firewall.rules

/sbin/ip rule del from all fwmark 1 2>/dev/null
/sbin/ip rule del from all fwmark 2 2>/dev/null
/sbin/ip rule add fwmark 1 table Uncapped
/sbin/ip rule add fwmark 2 table LocalOnly
/sbin/ip route flush cache

# THESE TWO LINES WILL BE SET IN IP_UP

#/sbin/ip route add table Uncapped default dev ppp0
#/sbin/ip route add table LocalOnly default dev ppp1
The file firewall.rules referred to above includes the following in its mangle section:
Code:
*mangle
:PREROUTING ACCEPT [81132:42738999]
:INPUT ACCEPT [16988:5371568]
:FORWARD ACCEPT [64012:37349459]
:OUTPUT ACCEPT [12841:2317402]
:POSTROUTING ACCEPT [76837:39665453]
-N Uncapped
-A Uncapped -j MARK --set-mark 1
-A Uncapped -j CONNMARK --save-mark
-N LocalOnly
-A LocalOnly -j MARK --set-mark 2
-A LocalOnly -j CONNMARK --save-mark
-A PREROUTING -i eth1 -p tcp -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
-A PREROUTING -i ppp1 -p tcp -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j LocalOnly
COMMIT
What am I doing wrong? How does all of this affect the main routing table?

Regards

Andrew Higgs
 
Old 04-08-2010, 03:53 AM   #6
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233
If the stores are trying to connect to the mail server, and from there back to them over ppp1, why not just have all the packets coming from the mail server go through ppp1?
 
Old 04-08-2010, 07:19 AM   #7
bakdong
You've got no pref numbers in your ip rule statements. Not sure that's the problem though. What's the output of:

ip rule
ip route show table Uncapped/Localonly
 
Old 04-08-2010, 08:40 AM   #8
andrewhiggs
Quote: Originally Posted by zhjim
If the stores are trying to connect to the mail server, and from there back to them over ppp1, why not just have all the packets coming from the mail server go through ppp1?
I must truly be missing something simple here. Or I really don't understand something. I have simplified the solution as above. Thanks it is a very good suggestion.

Here are my scripts to hopefully achieve the above:

mangle has been stripped to the following:
Code:
*mangle
:PREROUTING ACCEPT [81132:42738999]
:INPUT ACCEPT [16988:5371568]
:FORWARD ACCEPT [64012:37349459]
:OUTPUT ACCEPT [12841:2317402]
:POSTROUTING ACCEPT [76837:39665453]
-N LocalOnly
-A LocalOnly -j MARK --set-mark 2
-A LocalOnly -j CONNMARK --save-mark
-A PREROUTING -i eth1 -s 172.16.48.200 -p tcp -m state --state ESTABLISHED,RELATED -j LocalOnly
COMMIT
Store1 (196.210.xxx.xxx) and Store2 (196.215.xxx.xxx) are both able to make their connections as expected while the main routing table has their routes set to ppp1. To test, I thought I would activate the mangling in the firewall and remove Store2's main routing entry (route del -net 196.215.0.0/16). When I do this Store1 remains connected but Store2 loses its connection.

What am I missing? If my hair was longer I would be pulling it out. :-)

Regards

Andrew Higgs
 
Old 04-08-2010, 08:47 AM   #9
andrewhiggs
Quote: Originally Posted by bakdong
You've got no pref numbers in your ip rule statements. Not sure that's the problem though. What's the output of:

ip rule
ip route show table Uncapped/Localonly
What exactly is the pref number? Is it not 1 for Uncapped and 2 for LocalOnly?

The output of ip rule:
Code:
0:	from all lookup local 
32764:	from all fwmark 0x2 lookup LocalOnly 
32765:	from all fwmark 0x1 lookup Uncapped 
32766:	from all lookup main 
32767:	from all lookup default
The output of ip route show table LocalOnly:
Code:
default dev ppp1  scope link
The output of ip route show table Uncapped:
Code:
default dev ppp0  scope link
Thanks.

Regards

Andrew Higgs
 
Old 04-08-2010, 12:47 PM   #10
bakdong
Ok, so it's nothing to do with the pref number (32764-7 in your case). I can't see why it's not working. Sorry.
 
Old 04-08-2010, 12:56 PM   #11
andrewhiggs
Quote: Originally Posted by bakdong
Ok, so it's nothing to do with the pref number (32764-7 in your case). I can't see why it's not working. Sorry.
Thanks for the assistance. I appreciate the effort you put into trying to help me out.
 
Old 04-09-2010, 03:02 AM   #12
zhjim
Maybe something like this will settle the dust.

Code:
ip rule add from mail.server.i.p to sto.re.1.ip table LocalOnly
ip rule add from mail.server.i.p to sto.re.2.ip table LocalOnly
This would prevent you from marking. If this does not suit, I guess we best start from scratch?
 
Old 04-09-2010, 03:20 AM   #13
bakdong
Stabbing in the dark now.... do you have specific routes defined in the main table? If you have, wouldn't these take priority over the default routes?
 
Old 04-09-2010, 04:49 AM   #14
andrewhiggs
Quote: Originally Posted by zhjim
Maybe something like this will settle the dust.

Code:
ip rule add from mail.server.i.p to sto.re.1.ip table LocalOnly
ip rule add from mail.server.i.p to sto.re.2.ip table LocalOnly
This would prevent you from marking. If this does not suit, I guess we best start from scratch?
Thanks zhjim.

I have no problem with not needing to mark packets. In fact the simpler the solution the better. :-)

I have reset my firewall to remove all marking etc. I have flushed all rules relating to marking. This is what ip rule puts out now:
Code:
0:	from all lookup local 
32763:	from 172.16.48.200 lookup LocalOnly 
32766:	from all lookup main 
32767:	from all lookup default
My main routing table still contains routes which send packets destined for 196.210.0.0 and 196.215.0.0 to ppp1. I assume these should be removed. If I do this routing to those ip addresses goes through the default gateway. :-(

What should be in ip route show table LocalOnly? This is what it currently has in it:
Code:
default dev ppp1  scope link
Should there be anything else? If I can have a purely routing solution (i.e. no change to the firewall) all the better.

Thanks again.

Regards

Andrew
 
Old 04-09-2010, 04:53 AM   #15
andrewhiggs
Quote: Originally Posted by bakdong
Stabbing in the dark now.... do you have specific routes defined in the main table? If you have, wouldn't these take priority over the default routes?
Thanks bakdong,

Yes. The main routing table routes all packets destined for 196.210.0.0 and 196.215.0.0 to ppp1. The end goal is to have these removed so that connections initiated from our internal network (i.e. user1 and user2) are routed via ppp0.

Regards

Andrew
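As an added example (not any poster's script), here is a complete version of the connection-marking approach from post #5 that also answers post #14: the connection, not the inbound packet, is marked when it is NEW on ppp1, replies from the mail host inherit that mark before the routing decision, every new connection is marked (the -m statistic rule in post #5 only marks every second one), and table LocalOnly needs nothing beyond its default route. Interface names and 172.16.48.200 follow the thread; everything else is a constructed assumption, and the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not any poster's script: CONNMARK policy routing so that a
# connection arriving on ppp1 and forwarded to the mail host replies via ppp1,
# while LAN-initiated traffic keeps using ppp0 through the main table.
# Assumed/constructed values (override in the environment): WAN_IN=ppp1,
# LAN_IF=eth1, MAIL_IP=172.16.48.200, MARK=2, TABLE=LocalOnly (the table
# name must already exist in /etc/iproute2/rt_tables).
# Functions only print commands; run with APPLY=1 as root to execute them.
WAN_IN=${WAN_IN:-ppp1}; LAN_IF=${LAN_IF:-eth1}
MAIL_IP=${MAIL_IP:-172.16.48.200}; MARK=${MARK:-2}; TABLE=${TABLE:-LocalOnly}

sysctl_cmds() {
  # Inbound packets on ppp1 come from addresses main would route via ppp0,
  # so strict reverse-path filtering would drop them: loose mode (2) on
  # ppp1 only (use 0 on kernels older than 2.6.31, which lack loose mode).
  printf 'sysctl -w net.ipv4.conf.%s.rp_filter=2\n' "$WAN_IN"
  printf 'sysctl -w net.ipv4.ip_forward=1\n'
}

mangle_cmds() {
  # Mark the *connection* (not the packet) when it is NEW on ppp1, so the
  # inbound packet itself is still routed to the LAN by main. Packets coming
  # back from the mail host inherit that connection mark; the fwmark rule
  # keys on it. No -m statistic: every new connection is marked, not every
  # second one.
  cat <<EOF
iptables -t mangle -A PREROUTING -i $WAN_IN -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK
iptables -t mangle -A PREROUTING -i $LAN_IF -s $MAIL_IP -j CONNMARK --restore-mark
EOF
}

route_cmds() {
  # Explicit pref keeps the fwmark rule ahead of main (32766). The table
  # needs only a default route; re-run this from ip-up since ppp1's
  # address is dynamic.
  cat <<EOF
ip rule del fwmark $MARK table $TABLE 2>/dev/null || true
ip rule add pref 100 fwmark $MARK table $TABLE
ip route replace default dev $WAN_IN table $TABLE
ip route flush cache
EOF
}

all_cmds() { sysctl_cmds; mangle_cmds; route_cmds; }

if [ "${APPLY:-0}" = 1 ]; then all_cmds | sh -e; else all_cmds; fi
```

With this in place the 196.210.0.0 and 196.215.0.0 routes can be dropped from the main table, since replies to store-initiated connections no longer depend on them.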
 