When is the routing decision taken in relation to iptables chains?
Specifically, when a request from the outside world has been DNATed by the firewall, is the de-DNAT done before the routing decision is made? (Of course, this means I have more than one internet connection.)
But I'd like to get as much information about the relation between iptables and the routing decision as possible.
In table 3.2, I can see that the routing decision for packets going out of this host is made BEFORE the output chain is even touched.
That means I can't force response traffic to traffic that was REDIRECTED (to another port of this same host) to go back out by one given interface... or can I?
Let me explain myself a little better:
I'm trying this crazy thing to handle three different internet connections. Two of them are present in the same subnet and don't work in a multipath default route very well... however, one of them with the third works OK. (If you know of a multipath guru available to help me out with this, I'd appreciate it as well.)
So I will set these two interfaces to handle normal traffic in a multipath route (that already works) and leave one single network interface for other things... like VPN. However, I want to be able to provide the VPN service through the other two links as well.
To be able to recognize where the VPN traffic came from, in order to respond through that same interface, I thought of using three different ports, one on each interface, that would be REDIRECTED to the openvpn service port. Then, when the traffic is going out, I would mark the outgoing traffic according to the source port (remember it's a response by now) and would route the traffic according to this mark. BUT if the route the traffic will follow is already chosen even before it hits the OUTPUT chain, it's not gonna work... right? (And if you have a better way to do this... I'm all ears.)
Right now I'm just testing if I can mark the traffic going out.
I'm REDIRECTing UDP port 2000 of interface eth2 to 1194 and port 3000 of eth3 to 1194 as well. Then... in the mangle OUTPUT and POSTROUTING chains, I added rules to mark traffic going from ports 2000 and 3000 so that I could see if marking would work. I connected to the VPN using ports 2000 and 3000 of the two interfaces... BUT
Code:
# iptables -t mangle -L POSTROUTING -nv; iptables -t mangle -L OUTPUT -nv
Chain POSTROUTING (policy ACCEPT 1800 packets, 321K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:2000 MARK set 0x14
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:3000 MARK set 0x1e
Chain OUTPUT (policy ACCEPT 1800 packets, 321K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:2000 MARK set 0x14
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:3000 MARK set 0x1e
well, well... I didn't expect to write back so soon.
I have learned that when the traffic is going out from this host, there are actually TWO routing decisions: one prior to the packet traversing the OUTPUT chains... and another after OUTPUT, if the packet was changed by OUTPUT. That means that packets can be marked in OUTPUT and routed accordingly.
So I guess I will use a tunnel for each port, and then mark traffic going from these tunnels to the remote hosts. That would do.
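One way to put that second routing decision to work, as an added example and not code from the thread or the OpenVPN project: each incoming VPN connection gets a connection mark in mangle PREROUTING according to the link it arrived on, the mark is restored onto the replies in mangle OUTPUT so the re-route after OUTPUT sends them back out the same link, and the replies are keyed on the connection mark rather than the source port because they still carry source port 1194 at that point (the reverse NAT to 2000/3000 only happens in nat POSTROUTING). Assumed names: eth2/eth3 as the two extra links, gateways 192.0.2.1 and 198.51.100.1 (documentation addresses), ports 2000/3000, marks 0x14/0x1e, routing tables 20/30; DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: eth2 and eth3 carry the
# extra VPN ports, their gateways are 192.0.2.1 and 198.51.100.1 (documentation
# addresses), OpenVPN listens on UDP 1194, the public ports are 2000 and 3000,
# marks 0x14 and 0x1e select routing tables 20 and 30.
IPT=${IPT:-iptables}
IP=${IP:-ip}

# Run one command, or only print it when DRY_RUN is set.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# For one link: remember the ingress link in a connection mark while the
# public port is still visible (mangle PREROUTING runs before nat
# PREROUTING), redirect the port to OpenVPN, and give the mark its own
# default route back out of that link.
mark_link() { # iface port mark table gateway
  run "$IPT" -t mangle -A PREROUTING -i "$1" -p udp --dport "$2" \
      -j CONNMARK --set-mark "$3"
  run "$IPT" -t nat -A PREROUTING -i "$1" -p udp --dport "$2" \
      -j REDIRECT --to-ports 1194
  run "$IP" rule add fwmark "$3" table "$4"
  run "$IP" route add default via "$5" dev "$1" table "$4"
}

vpn_policy_routing() {
  mark_link eth2 2000 0x14 20 192.0.2.1
  mark_link eth3 3000 0x1e 30 198.51.100.1
  # Replies are locally generated and never see PREROUTING. They still carry
  # source port 1194 here (the reverse NAT to 2000/3000 happens later, in nat
  # POSTROUTING), so match the connection mark instead of the port. Changing
  # the packet mark in OUTPUT makes the kernel repeat the routing decision,
  # which is when the fwmark rules above take effect.
  run "$IPT" -t mangle -A OUTPUT -p udp --sport 1194 \
      -m connmark ! --mark 0 -j CONNMARK --restore-mark
  # Strict reverse-path filtering would drop requests whose best route back is
  # another link; loose mode keeps the check without the false drops.
  run sysctl -w net.ipv4.conf.eth2.rp_filter=2
  run sysctl -w net.ipv4.conf.eth3.rp_filter=2
}

if [ "${1:-}" = apply ]; then vpn_policy_routing; fi
```

Run it as `sh script.sh apply` on the gateway; without `apply` it only defines the functions, so it can be sourced and dry-run first.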