Hi, I have a problem with the iptables firewall and the routing rules (iproute2). Let me describe my case:

Debian 4 --> upgraded to Debian 6.0.5. In Debian 4 everything ran fine. In Debian 6.0.5... I have three routing tables, tb1, tb2 and tb3. These tables have a default route through adsl1, adsl2 and adsl3 respectively. The routing tables and routes are working properly. The firewall (machine) works as a router for five different networks with 5 different eth interfaces: eth1 (net1), eth2 (net2), eth3 (adsl3), eth4 (to adsl1 and adsl2).

I need the traffic passing through the firewall (forward) from net1 to go through adsl1 if the destination port is 22 or 500, for example, but if the destination port is anything else to go through adsl3. I need the traffic passing through the firewall (forward) from net2 to go through adsl2 if the destination port is 22 or 500, for example, but if the destination port is anything else to go through adsl3.

I have created some rules in the firewall, in the mangle table PREROUTING chain, to mark packets before the routing decision:

#network2 marked with 2
iptables -t mangle -A PREROUTING -s 10.29.0.0/255.255.255.0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -s 10.29.0.0/255.255.255.0 -p udp -m udp -m multiport --dports 500,4500 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x2
iptables -t mangle -A OUTPUT -s 10.29.0.0/255.255.255.0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x2
iptables -t mangle -A OUTPUT -s 10.29.0.0/255.255.255.0 -p udp -m udp -m multiport --dports 500,4500 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x2

#all packets (network1 included) marked with 1
iptables -t mangle -A PREROUTING -p tcp -m tcp -m multiport --dports 22,22022,16022,1723 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p udp -m udp -m multiport --dports 500,4500 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -p tcp -m tcp -m multiport --dports 22,22022,16022,1723 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -p udp -m udp -m multiport --dports 500,4500 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x1

And I have created some rules in the nat table:

iptables -t nat -A POSTROUTING -o eth4 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE

Ok. I have some ip rules too.

# ip rule
0:	from all lookup local
30010:	from all fwmark 0x2 lookup adsl2
30020:	from all fwmark 0x1 lookup adsl1
30030:	from 10.0.2.0/24 lookup adsl3
30040:	from 10.0.1.0/24 lookup adsl3
30060:	from all lookup main
30070:	from all lookup default

Ok. Does anyone know what I could be doing wrong? Has the way marking works in the iptables firewall been changed? I log the packets that are marked with 1 or 2 to the system log, and the logs show that there is traffic being marked with 1 and 2, but after that the traffic is not sent to the correct routing tables. Is it a bug in ip rule or something?

The log:

Sep 5 15:24:55 firewall kernel: [1883719.204551] fwmark 1: IN=eth1 OUT= MAC=00:18:8b:f9:f3:34:00:24:8c:de:c8:fb:08:00 SRC=10.0.1.153 DST=192.168.100.139 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=1436 DF PROTO=TCP SPT=57856 DPT=22 WINDOW=16323 RES=0x00 ACK FIN URGP=0 MARK=0x1
Sep 5 15:24:55 firewall kernel: [1883719.205085] fwmark 1: IN=eth1 OUT= MAC=00:18:8b:f9:f3:34:00:24:8c:de:c8:fb:08:00 SRC=10.0.1.153 DST=192.168.100.139 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=1437 DF PROTO=TCP SPT=57856 DPT=22 WINDOW=16323 RES=0x00 ACK URGP=0 MARK=0x1
Sep 5 15:25:20 firewall kernel: [1883744.276724] fwmark 2: IN=eth2 OUT= MAC=00:0d:88:c5:ba:33:20:cf:30:d3:a6:d5:08:00 SRC=10.0.2.226 DST=10.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=8254 DF PROTO=TCP SPT=52845 DPT=22 WINDOW=2641 RES=0x00 ACK URGP=0 MARK=0x2
Sep 5 15:25:20 firewall kernel: [1883744.280404] fwmark 2: IN=eth2 OUT= MAC=00:0d:88:c5:ba:33:20:cf:30:d3:a6:d5:08:00 SRC=10.0.2.226 DST=10.0.2.1 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=8255 DF PROTO=TCP SPT=52845 DPT=22 WINDOW=2641 RES=0x00 ACK PSH URGP=0 MARK=0x2

Please, I need help with this issue. My whole work network is in a degraded state and I don't know how to solve it. Thanks in advance (sorry for my English).

--
-----------------------------------------------------------------
Francisco J. Bejarano
Responsable de Sistemas
Dpt. Sistemas e Infraestructuras
Open Knowledge Network S.L.
[email protected]
Tel. (+34) 902 534 004
Fax. (+34) 917 266 476
-----------------------------------------------------------------

--
To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]
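The script below is an added example, not part of Francisco's message or of Debian. It replays the `ip rule` listing from the post against the kernel LOG lines, walking the rules the way the kernel does (lowest priority number first; a rule whose table has no matching route is skipped, and the next rule is tried), so you can see which rule, and therefore which table, decides each logged packet before touching the live box. Two things are assumptions: the set LOCAL_ADDRS stands in for the router's own addresses (what the `local` table would answer for; the post does not list them, 10.0.2.1 is taken from the DST field of the log), and every other table is assumed to hold a default route, as the post says tb1, tb2 and tb3 do. The third log line is constructed to show an unmarked packet.

```python
"""Offline evaluator for Linux policy routing (`ip rule`) against kernel LOG lines.

Added example; not code from the original post.  Assumes the rule syntax used in
the post (from <prefix|all> [fwmark VALUE[/MASK]] lookup TABLE) and models only
the `local` table's contents (LOCAL_ADDRS below, an assumption).
"""
import ipaddress
import re

# Copied from the `ip rule` listing in the post.
IP_RULES = """\
0:      from all lookup local
30010:  from all fwmark 0x2 lookup adsl2
30020:  from all fwmark 0x1 lookup adsl1
30030:  from 10.0.2.0/24 lookup adsl3
30040:  from 10.0.1.0/24 lookup adsl3
30060:  from all lookup main
30070:  from all lookup default
"""

# Assumption (not in the post): the router's own addresses, i.e. the destinations
# the kernel's `local` table would answer for.  10.0.2.1 is the DST in the log.
LOCAL_ADDRS = {"10.0.1.1", "10.0.2.1"}

# First two lines are trimmed copies of the post's LOG output; the third is
# constructed to show a packet that carries no mark at all.
LOG_LINES = [
    "fwmark 1: IN=eth1 OUT= SRC=10.0.1.153 DST=192.168.100.139 LEN=40 PROTO=TCP SPT=57856 DPT=22 MARK=0x1",
    "fwmark 2: IN=eth2 OUT= SRC=10.0.2.226 DST=10.0.2.1 LEN=52 PROTO=TCP SPT=52845 DPT=22 MARK=0x2",
    "unmarked: IN=eth1 OUT= SRC=10.0.1.153 DST=192.168.100.139 LEN=40 PROTO=TCP SPT=40000 DPT=80",
]

RULE_RE = re.compile(
    r"^(?P<prio>\d+):\s+from (?P<src>\S+)"
    r"(?:\s+fwmark (?P<mark>0x[0-9a-fA-F]+)(?:/(?P<mask>0x[0-9a-fA-F]+))?)?"
    r"\s+lookup (?P<table>\S+)$"
)


def parse_rules(text):
    """Parse `ip rule` output into dicts sorted by priority (lowest number first)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rules.append({
            "prio": int(m["prio"]),
            "src": None if m["src"] == "all" else ipaddress.ip_network(m["src"], strict=False),
            "mark": int(m["mark"], 16) if m["mark"] else None,
            "mask": int(m["mask"], 16) if m["mask"] else 0xFFFFFFFF,  # no mask given: exact match
            "table": m["table"],
        })
    return sorted(rules, key=lambda r: r["prio"])


def parse_log(line):
    """Pull SRC, DST and MARK out of a netfilter LOG line (MARK defaults to 0 if absent)."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    return {
        "src": ipaddress.ip_address(fields["SRC"]),
        "dst": ipaddress.ip_address(fields["DST"]),
        "mark": int(fields.get("MARK", "0x0"), 16),
    }


def rule_matches(rule, pkt):
    """Selector check only: source prefix and (masked) firewall mark."""
    if rule["src"] is not None and pkt["src"] not in rule["src"]:
        return False
    if rule["mark"] is not None and (pkt["mark"] & rule["mask"]) != (rule["mark"] & rule["mask"]):
        return False
    return True


def select_table(rules, pkt, local_addrs=LOCAL_ADDRS):
    """Return (priority, table) of the rule that decides this packet.

    Model: `local` answers only for the router's own addresses; every other table
    is assumed to contain a default route, so the first matching non-local rule wins.
    """
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule["table"] == "local" and str(pkt["dst"]) not in local_addrs:
            continue  # no route in `local`: the kernel falls through to the next rule
        return rule["prio"], rule["table"]
    raise LookupError("no rule matched")


def classify(log_lines, rule_text=IP_RULES):
    """Map each LOG line's prefix to the (priority, table) that would route it."""
    rules = parse_rules(rule_text)
    return [(line.split(":", 1)[0],) + select_table(rules, parse_log(line)) for line in log_lines]


if __name__ == "__main__":
    for tag, prio, table in classify(LOG_LINES):
        print(f"{tag:10s} -> rule {prio:5d} table {table}")
```

Run it as-is and it reports the marked eth1 packet landing in adsl1 via rule 30020, the unmarked eth1 packet landing in adsl3 via rule 30040, and the eth2 packet addressed to 10.0.2.1 being answered by rule 0 (`local`) before any fwmark rule is consulted, under the LOCAL_ADDRS assumption. Replace IP_RULES with the real `ip rule` output and LOCAL_ADDRS with the addresses from `ip route show table local` to check the actual box.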

