Gentoo Forums
routing local traffic on iptables mark
totatis (n00b, Joined: 14 Jan 2006, Posts: 9)
Posted: Tue Feb 15, 2011 10:37 pm    Post subject: routing local traffic on iptables mark

Hi all,

Here is my problem: I have 2 internet outgoing connections. I would like to route my traffic on one or the other based on marks put in iptables.

For traffic coming from my internal network (to be forwarded), it is very easy: I mark the connection in the PREROUTING chain, and an iproute2 rule then chooses the right routing table based on this mark.

Now, for traffic coming from the box itself, I can't do the same thing. Since traffic generated on the local box goes through routing before touching iptables (in the OUTPUT chain), it's too late. I thought about the following setup:
1) traffic goes out through the OUTPUT chain and then the POSTROUTING chain, in which I DNAT the connection to loopback
2) traffic enters iptables again via the loopback, in the PREROUTING chain. Trouble is, while it goes through mangle PREROUTING, it skips nat PREROUTING (as iptables already knows the connection), and I can't DNAT the connection again to rewrite the real destination (in this example, the destination is a single known host, so it would have been a single constant DNAT rule).

As my knowledge of iptables is limited, I can't figure out a way to mark locally generated traffic BEFORE routing so that I can route based on said mark.

Does anybody know how I could do this?

Thanks in advance.
gerdesj (l33t, Joined: 29 Sep 2005, Posts: 621, Location: Yeovil, Somerset, UK)
Posted: Tue Feb 15, 2011 11:34 pm    Post subject: Re: routing local traffic on iptables mark

Multi link routing is proper hard!

Have a look at this: pfSense - http://www.pfsense.org/ to see how it's done. You could run one up in KVM/QEMU.

Once you sort out the actual routing, you will also need to consider how to deal with a failed link. This needs very careful consideration. The correct way seems to be to run a daemon or a cron job to ping a known good target via each external link and then take action if it fails. You'll need static routes to the targets to ensure the right interface is used.

Have a look at http://apinger.jajcus.net/trac/ - Alarm pinger for a handy pinging daemon. Can't see it in Portage.

I tried doing this a few years back and got stuck. However, I tried it without using fwmark and instead simply used policy based routing. After many months of frustration, I gave up and use pfSense instead!

I found a large amount of pages via Google when I last tried, with various recipes on them that never quite seemed to work. Perhaps it's time I tried again; you never know, there might be someone out there that got it running and documented it.

Sorry I have not actually answered your question.

Best of luck,
Jon
totatis (n00b, Joined: 14 Jan 2006, Posts: 9)
Posted: Fri Feb 18, 2011 11:43 am

Thanks for the tips.

I found a workaround to my problem, which is a bit of a kludge but works.

Basically, for locally generated traffic, I send it to fictional IPs (for example 10.0.0.1 and 10.0.0.2 for separate routing of locally generated traffic towards the same host). I then make 2 iproute2 rules:

/sbin/ip route add 10.0.0.1/32 dev $TABLE1_IF table TABLE1
/sbin/ip route add 10.0.0.2/32 dev $TABLE2_IF table TABLE2

And I DNAT this traffic in POSTROUTING:

$IPTABLES -t nat -A OUTPUT -d 10.0.0.1 -j DNAT --to $REAL_DEST_IP
$IPTABLES -t nat -A OUTPUT -d 10.0.0.2 -j DNAT --to $REAL_DEST_IP

This means that I have to put 2 "separate" destinations in the application, but it then works. Should I want to route everything towards one table, I just change the route of the fictional IP.


I haven't yet wandered into the dead link realm. What you describe (pinging via each interface) reminds me of the way IPMP works on Solaris. This is indeed a good way of doing it, and I'll try to implement this next. I'll look into the daemon you proposed.

Thanks for your reply.
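The workaround from totatis's post above, written out as one complete script so the whole chain of lookups is visible. This is an added example, not a script from the thread. Table numbers (101/102), interface names (eth1/eth2), gateway and link addresses, the real destination 203.0.113.10 and the rule priorities are all constructed placeholders. Two things the post does not show are assumed here because the workaround does not work without them: a "to" rule for each fictional address (otherwise the first lookup falls through to the main table, which has no route for 10.0.0.x), and a source-address rule per link (which is what keeps the packet on the same link after nat OUTPUT has rewritten its destination and the kernel re-routes it). The last function is an alternative the thread does not discuss, setting the mark in mangle OUTPUT: the kernel re-evaluates the route after the OUTPUT hook when the mark has changed, so the same fwmark rules used for forwarded traffic also apply to locally generated packets. Commands are printed rather than executed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the thread: the "fictional destination"
# workaround as a complete script, plus a mark-in-OUTPUT variant.
# Tables, interfaces, gateways, addresses and priorities are constructed
# placeholders. Commands are only printed unless DRY_RUN=0.
DRY_RUN=${DRY_RUN:-1}
IPTABLES=/sbin/iptables

TABLE1=101; TABLE1_IF=eth1; TABLE1_GW=192.0.2.1;    TABLE1_ADDR=192.0.2.10     # link 1 (assumed)
TABLE2=102; TABLE2_IF=eth2; TABLE2_GW=198.51.100.1; TABLE2_ADDR=198.51.100.10  # link 2 (assumed)
REAL_DEST_IP=203.0.113.10         # the real remote host (assumed)
FAKE1=10.0.0.1; FAKE2=10.0.0.2    # fictional destinations, as in the post

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Per-link tables. Each table carries its own default route, and a source
# address rule ties each link's address to its table: after DNAT (or a mark
# change) the kernel re-routes the packet with its source address already
# chosen, and that source is what keeps it on the link the first lookup picked.
setup_link_tables() {
    run ip route replace default via "$TABLE1_GW" dev "$TABLE1_IF" table "$TABLE1"
    run ip route replace default via "$TABLE2_GW" dev "$TABLE2_IF" table "$TABLE2"
    run ip rule add pref 300 from "$TABLE1_ADDR" table "$TABLE1"
    run ip rule add pref 301 from "$TABLE2_ADDR" table "$TABLE2"
    # A packet steered onto a link other than the one its source belongs to
    # needs its source rewritten, or the reply comes back on the wrong link.
    run "$IPTABLES" -t nat -A POSTROUTING -o "$TABLE1_IF" -j MASQUERADE
    run "$IPTABLES" -t nat -A POSTROUTING -o "$TABLE2_IF" -j MASQUERADE
}

# The workaround from the post: applications connect to FAKE1 or FAKE2. The
# first route lookup (before OUTPUT) sends FAKEn out link n and picks that
# link's source address; nat OUTPUT then rewrites the destination to the real
# host, and the re-route, driven by the source rule above, stays on link n.
# The "to" rules are an assumption not shown in the post (see lead-in).
setup_fictional_destinations() {
    run ip route replace "$FAKE1/32" dev "$TABLE1_IF" table "$TABLE1"
    run ip route replace "$FAKE2/32" dev "$TABLE2_IF" table "$TABLE2"
    run ip rule add pref 200 to "$FAKE1" table "$TABLE1"
    run ip rule add pref 200 to "$FAKE2" table "$TABLE2"
    run "$IPTABLES" -t nat -A OUTPUT -d "$FAKE1" -j DNAT --to-destination "$REAL_DEST_IP"
    run "$IPTABLES" -t nat -A OUTPUT -d "$FAKE2" -j DNAT --to-destination "$REAL_DEST_IP"
}

# Alternative not shown in the thread: mark in mangle OUTPUT. When the mark has
# changed after the OUTPUT hook the kernel re-evaluates the route, so fwmark
# rules apply to local traffic too. The fwmark rules must have a lower
# preference number than the source rules so the mark wins on the re-route,
# and the main table still needs a default route for the first lookup.
mark_local_traffic() {
    run "$IPTABLES" -t mangle -A OUTPUT -d "$REAL_DEST_IP" -j MARK --set-mark 2
    run ip rule add pref 100 fwmark 1 table "$TABLE1"
    run ip rule add pref 100 fwmark 2 table "$TABLE2"
}

# Number of commands a step produces (handy for checking the plan in dry-run).
command_count() { "$1" | wc -l | tr -d ' '; }

setup_link_tables
setup_fictional_destinations
mark_local_traffic
```

Run it as-is to see the plan, then with DRY_RUN=0 as root to apply it. Note that "ip rule add" is not idempotent: re-running the script adds duplicate rules, so flush them (ip rule del, or ip rule flush followed by re-adding the local/main/default rules) before applying again. If reverse path filtering is strict, replies on the second link may be dropped; check rp_filter on both interfaces.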