Sorry, there is an error. The IP address 10.29.0.0/255.255.255.0 should read 10.0.2.0/255.255.255.0 in the message.
Regards

On 05/09/12 15:38, Francisco J. Bejarano wrote:
> Hi
>
> I have a problem with the iptables firewall and routing rules (iproute2). I
> describe my case:
>
> Debian 4 --> upgraded to Debian 6.0.5. In Debian 4 everything ran OK. In Debian
> 6.0.5...
>
> I have three routing tables, tb1, tb2 and tb3. These tables have a default
> route through adsl1, adsl2 and adsl3 respectively. The routing tables
> and routes are working properly.
>
> The firewall (machine) works as a router for five different networks with
> 5 different eth interfaces: eth1 (net1), eth2 (net2), eth3 (adsl3), eth4 (to
> adsl1 and adsl2).
>
> I need the traffic passing through the firewall (forward) from network1 to
> go through adsl1 if the destination port is 22 or 500, for example,
> but if the destination port is another, to go through adsl3.
>
> I need the traffic passing through the firewall (forward) from network2 to
> go through adsl2 if the destination port is 22 or 500, for example,
> but if the destination port is another, to go through adsl3.
>
> I have created some rules in the firewall within the mangle table
> PREROUTING chain to mark packets before the routing decision.
>
> #network2 marked with 2
>
> iptables -t mangle -A PREROUTING -s 10.29.0.0/255.255.255.0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x2
> iptables -t mangle -A PREROUTING -s 10.29.0.0/255.255.255.0 -p udp -m udp -m multiport --dports 500,4500 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x2
> iptables -t mangle -A OUTPUT -s 10.29.0.0/255.255.255.0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x2
> iptables -t mangle -A OUTPUT -s 10.29.0.0/255.255.255.0 -p udp -m udp -m multiport --dports 500,4500 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x2
>
> #all packets (network1 included) marked with 1
> iptables -t mangle -A PREROUTING -p tcp -m tcp -m multiport --dports 22,22022,16022,1723 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x1
> iptables -t mangle -A PREROUTING -p udp -m udp -m multiport --dports 500,4500 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x1
> iptables -t mangle -A OUTPUT -p tcp -m tcp -m multiport --dports 22,22022,16022,1723 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x1
> iptables -t mangle -A OUTPUT -p udp -m udp -m multiport --dports 500,4500 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x1
>
> And I have created some rules in the nat table
>
> iptables -t nat -A POSTROUTING -o eth4 -j MASQUERADE
> iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE
>
> OK. I have some ip rules too.
>
> # ip rule
> 0:      from all lookup local
> 30010:  from all fwmark 0x2 lookup adsl2
> 30020:  from all fwmark 0x1 lookup adsl1
> 30030:  from 10.0.2.0/24 lookup adsl3
> 30040:  from 10.0.1.0/24 lookup adsl3
> 30060:  from all lookup main
> 30070:  from all lookup default
>
> OK. Does anyone know what I could be doing wrong? Has the way packets are
> marked in the iptables firewall changed?
>
> I log the packets in the system log that are marked with 1 or 2, and the
> logs show that there is traffic being marked with 1 and 2, but after that the
> traffic is not sent to the correct routing tables. Is it a bug in ip rule
> or something? The log:
>
> Sep 5 15:24:55 firewall kernel: [1883719.204551] fwmark 1: IN=eth1 OUT= MAC=00:18:8b:f9:f3:34:00:24:8c:de:c8:fb:08:00 SRC=10.0.1.153 DST=192.168.100.139 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=1436 DF PROTO=TCP SPT=57856 DPT=22 WINDOW=16323 RES=0x00 ACK FIN URGP=0 MARK=0x1
> Sep 5 15:24:55 firewall kernel: [1883719.205085] fwmark 1: IN=eth1 OUT= MAC=00:18:8b:f9:f3:34:00:24:8c:de:c8:fb:08:00 SRC=10.0.1.153 DST=192.168.100.139 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=1437 DF PROTO=TCP SPT=57856 DPT=22 WINDOW=16323 RES=0x00 ACK URGP=0 MARK=0x1
> Sep 5 15:25:20 firewall kernel: [1883744.276724] fwmark 2: IN=eth2 OUT= MAC=00:0d:88:c5:ba:33:20:cf:30:d3:a6:d5:08:00 SRC=10.0.2.226 DST=10.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=8254 DF PROTO=TCP SPT=52845 DPT=22 WINDOW=2641 RES=0x00 ACK URGP=0 MARK=0x2
> Sep 5 15:25:20 firewall kernel: [1883744.280404] fwmark 2: IN=eth2 OUT= MAC=00:0d:88:c5:ba:33:20:cf:30:d3:a6:d5:08:00 SRC=10.0.2.226 DST=10.0.2.1 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=8255 DF PROTO=TCP SPT=52845 DPT=22 WINDOW=2641 RES=0x00 ACK PSH URGP=0 MARK=0x2
>
> Please, I need help with this issue. All my work network is in a
> degraded state and I don't know how to solve this issue.
>
> Thanks in advance
> (Sorry for my English)
>
> --
> -----------------------------------------------------------------
> Francisco J. Bejarano
> Systems Manager
> Systems and Infrastructure Dept.
> Open Knowledge Network S.L.
> [email protected]
> Tel. (+34) 902 534 004
> Fax. (+34) 917 266 476
> -----------------------------------------------------------------

--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]
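An added example, not part of the thread above: a small Python model of the posted mangle PREROUTING rules and the `ip rule` output, so the marking and table selection can be checked offline before touching the router. It encodes two facts worth keeping in mind with this kind of setup: iptables walks a chain top to bottom and MARK is a non-terminating target whose `--set-mark` (without a mask) replaces the whole mark, so the last matching rule decides the final mark; and `ip rule` takes the first match in ascending priority. With the rules in the order they were appended in the post, a packet from 10.0.2.0/24 to port 22 is first marked 0x2 and then re-marked 0x1 by the catch-all rule, and so selects adsl1 rather than adsl2. Whether that is what the poster saw cannot be told from the thread, since the position of the LOG rules in the chain is not shown. The model ignores the `--state` matches and the OUTPUT chain, and the `MANGLE_SPECIFIC_LAST` reordering is a hypothetical alternative, not something from the post.

```python
"""Model of fwmark-based policy routing (added example, not from the thread).

Constructed from the poster's mangle PREROUTING rules and `ip rule` output.
It models only marking and rule lookup, not the routes inside each table,
and ignores the conntrack --state matches and the OUTPUT chain.
"""
import ipaddress

# (source network or None for "any", protocol, destination ports, mark to set),
# in the order the rules were appended (-A) in the post, which is the order
# the kernel evaluates them.  The reply corrects 10.29.0.0/24 to 10.0.2.0/24.
MANGLE_PREROUTING = [
    ("10.0.2.0/24", "tcp", {22}, 0x2),
    ("10.0.2.0/24", "udp", {500, 4500}, 0x2),
    (None, "tcp", {22, 22022, 16022, 1723}, 0x1),
    (None, "udp", {500, 4500}, 0x1),
]

# (priority, source network or None, fwmark or None, table) from `ip rule`.
# The priority-0 "local" rule is omitted: it only matches traffic addressed
# to the router itself, and the question is about forwarded traffic.
IP_RULES = [
    (30010, None, 0x2, "adsl2"),
    (30020, None, 0x1, "adsl1"),
    (30030, "10.0.2.0/24", None, "adsl3"),
    (30040, "10.0.1.0/24", None, "adsl3"),
    (30060, None, None, "main"),
    (30070, None, None, "default"),
]

# Hypothetical reordering (assumption, not from the post): catch-all rules
# first, network-specific rules last, so the specific mark is the one that
# survives to the routing decision.
MANGLE_SPECIFIC_LAST = MANGLE_PREROUTING[2:] + MANGLE_PREROUTING[:2]


def apply_mangle(src, proto, dport, rules=MANGLE_PREROUTING):
    """Walk the chain top to bottom.  MARK does not stop traversal and
    --set-mark without a mask overwrites the whole mark, so the *last*
    matching rule determines the mark the packet leaves PREROUTING with."""
    src_ip = ipaddress.ip_address(src)
    mark = 0
    for net, p, ports, new_mark in rules:
        if net is not None and src_ip not in ipaddress.ip_network(net):
            continue
        if p != proto or dport not in ports:
            continue
        mark = new_mark
    return mark


def select_table(src, mark, rules=IP_RULES):
    """ip rule semantics: the first matching entry by ascending priority wins."""
    src_ip = ipaddress.ip_address(src)
    for _prio, net, fwmark, table in sorted(rules, key=lambda r: r[0]):
        if net is not None and src_ip not in ipaddress.ip_network(net):
            continue
        if fwmark is not None and mark != fwmark:
            continue
        return table
    raise LookupError("no ip rule matched")


def route(src, proto, dport, mangle=MANGLE_PREROUTING):
    """Return (final fwmark, routing table) for a forwarded packet."""
    mark = apply_mangle(src, proto, dport, mangle)
    return mark, select_table(src, mark)


if __name__ == "__main__":
    # Constructed packets: the two hosts from the posted log plus two others.
    for pkt in [("10.0.1.153", "tcp", 22), ("10.0.2.226", "tcp", 22),
                ("10.0.2.226", "udp", 500), ("10.0.2.226", "tcp", 80)]:
        print(pkt, "as posted ->", route(*pkt),
              "| specific rules last ->", route(*pkt, MANGLE_SPECIFIC_LAST))
```

On a live box the equivalent check is `iptables -t mangle -L PREROUTING -v -n --line-numbers` to confirm rule order, and `ip rule show` together with `ip route get <dst> from <src> mark <mark>` (available in the iproute2 of that era) to see which table a given source and mark actually select. The model is deliberately only about ordering; it says nothing about rp_filter or the routes inside the adsl tables, which would be the next things to verify.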

