Old 12-28-2012, 03:07 PM   #1
LVsFINEST
Member
 
Registered: Aug 2006
Posts: 99

Rep: Reputation: 21
Policy based routing, IPTables mangle and RST packets


Problem:
RST packets do not abide by my IPTables mangle rule, thus do not get routed properly (due to policy based routing).

Details:
The policy based routing is done by source address, specifically if packets originate from 10.1.49.0/24 range, use the "guest" routing table. All other traffic uses the default routing table.

There is also a transparent Squid proxy running on this Linux router. By design, Squid intercepts the client requests to port 80 and establishes the connections directly to web servers itself. Therefore, traffic destined to port 80 essentially originates from the Linux router, not 10.1.49.0/24. This means that all port 80 traffic used the default route, regardless of where the actual original request came from (i.e. the 10.1.49.0/24 range).

Squid runs as the nobody user, so marking said traffic is fairly simple and I fixed the issue with:

Code:
iptables -t mangle -A OUTPUT -m owner --uid-owner nobody -p tcp --dport 80 -j MARK --set-mark 1
along with the appropriate IP rule:

Code:
[user@box ~]# ip rule
0:      from all lookup local
32764:  from all fwmark 0x1 lookup guest
32765:  from 10.1.49.0/24 lookup guest
32766:  from all lookup main
32767:  from all lookup default

Everything works as expected except one issue: every time the Linux router initiates an RST for old/stale connections, the RSTs route via the default routing table (along with the wrong IP address too, from the wrong interface).

The RST packets are obviously TCP, destined to port 80, and one would think they're owned by user "nobody" since the connections belong to Squid. So any idea why RST packets are not abiding by my mangle rule above? Or any other ideas on how to troubleshoot and/or resolve this issue?
 
Old 12-29-2012, 04:03 AM   #2
bijo505
Member
 
Registered: Nov 2012
Location: Bangalore
Distribution: Fedora & Ubuntu
Posts: 77

Rep: Reputation: 18
Hi,

Just enable logging as the first rule in the chains and check; it will help you find the root cause.

E.g.: iptables -t mangle -I OUTPUT 1 -j LOG --log-level 4

--
Thanks,
Bijo
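Following the logging suggestion above, here is an added example (not from this thread) that reads LOG target output the way a troubleshooter would. It assumes the LOG rule was appended after the MARK rule with `--log-prefix "mangle-out: "` and `--log-uid`, so each line shows the fwmark (the kernel only prints MARK= when it is non-zero) and, when a socket owns the packet, its UID; the log lines below are constructed samples. An RST with no UID field was generated by the kernel rather than sent through Squid's socket, which is why the owner match never sees it.

```python
import re

# Constructed sample lines in the format of the iptables LOG target
# (assumed: mangle OUTPUT, appended after the MARK rule, with --log-uid).
SAMPLE_LOG = """\
Dec 29 04:10:01 box kernel: mangle-out: IN= OUT=eth1 SRC=10.1.49.1 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x1 UID=99 GID=99
Dec 29 04:10:02 box kernel: mangle-out: IN= OUT=eth0 SRC=192.0.2.10 DST=93.184.216.34 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51230 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Dec 29 04:10:03 box kernel: mangle-out: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=777 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=229 RES=0x00 ACK URGP=0 UID=1000 GID=1000
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Turn one LOG line into a dict of KEY=value fields plus a FLAGS set."""
    if "kernel:" not in line:
        return None
    body = line.split("kernel:", 1)[1]
    fields = dict(FIELD_RE.findall(body))          # IN= gives an empty value
    fields["FLAGS"] = {tok for tok in body.split() if tok in TCP_FLAGS}
    return fields


def find_unmarked_rsts(log_text, dport="80", expected_mark="0x1"):
    """Return RST packets to dport that left without the expected fwmark.

    has_owner is False when the LOG target attached no UID, i.e. the packet
    had no owning socket (the case for RSTs generated by the kernel itself).
    """
    findings = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if not f or f.get("PROTO") != "TCP" or f.get("DPT") != dport:
            continue
        if "RST" in f["FLAGS"] and f.get("MARK") != expected_mark:
            findings.append({
                "src": f.get("SRC"), "dst": f.get("DST"), "out": f.get("OUT"),
                "mark": f.get("MARK", "0x0"),
                "has_owner": "UID" in f,
            })
    return findings


if __name__ == "__main__":
    for hit in find_unmarked_rsts(SAMPLE_LOG):
        print("unmarked RST:", hit)
```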