LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 07-20-2005, 02:00 PM   #1
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Blog Entries: 1

Rep: Reputation: 90
Question routing decision and iptables


When is the routing decision taken in relation to iptables chains?

Specifically, when there has been a request from the outside world that was dnated by the firewall, is the de-dnat done before the routing decision is made? (of course, this means I have more than one internet connection).

But I'd like to get as much information about the relation between iptables and the routing decision as possible.

Thanks!
 
Old 07-20-2005, 02:32 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
take a look at chapter 3.1 of this iptables tutorial:

http://www.faqs.org/docs/iptables/tr...goftables.html
 
Old 07-20-2005, 07:32 PM   #3
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092

Original Poster
Blog Entries: 1

Rep: Reputation: 90
In table 3.2, I can see that the routing decision for packets going out a this host is made BEFORE the output chain is even touched.

That means I can't force response traffic to traffic that was REDIRECTED (to another port of this same host) to go back by one given interface.. or can I?

Let me explain myself a little better:

I'm trying this crazy thing to handle three different internet connections. Two of them are present in the same subnet and don't work in a multipath default route very well... however, One of them with the third works OK. (If you know of a multipath guru available to help me out with this, I'd appreciate it as well).

So I will set this two interfaces to handle normal traffic in a multipath route (that already works) and leave one single network interface for other things... like VPN. However, I want to be able to provide the VPN service through the other two links as well.

To be able to recognize where the VPN traffic came from, in order to respond through that same interface, I thought of using three different ports, one on each interface, that would be REDIRECTED to the openvpn service port. Then, when the traffic is going out I would mark the outgoing traffic according to the source port (remember it's a response by now) and would route the traffic according to this mark. BUT if the traffic is already chosen what route it will follow even before hitting the OUTPUT chain, It's not gonna work... right? (and if you have a better way to do this.. I'm all ears).
 
Old 07-20-2005, 09:11 PM   #4
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092

Original Poster
Blog Entries: 1

Rep: Reputation: 90
Right now I'm just testing if I can mark the traffic going out.

I'm REDIRECTing UDP port 2000 of interface eth2 to 1194 and port 3000 of eth3 to 1194 as well. Then.... on the mangle of OUTPUT and POSTROUTING, I added rules to mark traffic going from port 2000 and 3000] so that I could see if marking would work. I connected to the VPN using ports 2000 and 3000 of the two interfaces.... BUT

Code:
# iptables -t mangle -L POSTROUTING -nv; iptables -t mangle -L OUTPUT -nv
Chain POSTROUTING (policy ACCEPT 1800 packets, 321K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:2000 MARK set 0x14
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:3000 MARK set 0x1e
Chain OUTPUT (policy ACCEPT 1800 packets, 321K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:2000 MARK set 0x14
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:3000 MARK set 0x1e
 
Old 07-20-2005, 09:27 PM   #5
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092

Original Poster
Blog Entries: 1

Rep: Reputation: 90
:angry:

OK.... it won't work.

But you know what, I don't give up that easily. Let's see what I can think of.
 
Old 07-21-2005, 10:19 AM   #6
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092

Original Poster
Blog Entries: 1

Rep: Reputation: 90
well, well... I didn't expect to write back so soon.

I have learned that when the traffic is going out from this host, there are actually TWO routing decisions. One prior to the packet traversing the OUTPUT chains.... and another after OUTPUT if the packet was changed by OUTPUT. That means that packets can be marked in OUTPUT and routed accordingly.

So I guess I will use a tunnel for each port, and then mark traffic going from this tunnels to the remote hosts. That would do.

I'll be posting my comments later once I try.
 
Old 07-21-2005, 10:21 AM   #7
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092

Original Poster
Blog Entries: 1

Rep: Reputation: 90
Oh... and thanks to the netfilter mail list for answering the question so kindly.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
routing by iptables ali_dd15 Linux - Networking 14 10-14-2005 05:38 AM
iptables routing CJ_Grobler Linux - Security 1 06-14-2005 02:13 AM
Routing with iptables logo Linux - Networking 4 11-01-2004 06:21 AM
iptables / routing hakcenter Linux - Networking 13 05-01-2003 04:16 AM
routing with iptables Han_Solo Linux - Security 0 10-28-2001 06:04 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 03:52 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration