> what DOES happen when the destination is 192.168.1.0/24? Can you provide a
> traceroute?
>
> I don't know what "table 3" means, but I'm pretty sure that if it doesn't
> show up in "ip route list" it's not going to be effective.
>
> From the ip(8) man page:
>
> ...
> Route tables: Linux-2.x can pack routes into several routing tables
> identified by a number in the range from 1 to 255 or by name from the
> file /etc/iproute2/rt_tables main table (ID 254) and the kernel only
> uses this table when calculating routes.
> ...
>
> On my system, ip route list gives the same output as ip route list table
> 254. I would expect the same result on your system.
>
> -wes
Dodo is a Fedora Core 1 network root system:
Linux dodo.w2.robinson-west.pri 2.4.22-1.2115.nptlcustom2 #1 Sun Jun 29 20:59:36 PDT 2008 i686 i686 i386 GNU/Linux
[r...@dodo firewall]# ping -c3 192.168.1.1
connect: Network is unreachable
[r...@dodo firewall]#
[r...@dodo firewall]# ip rule show
0: from all lookup local
32764: from all fwmark 0x3 lookup 3
32765: from all fwmark 0x2 lookup 2
32766: from all lookup main
32767: from all lookup 253
[r...@dodo firewall]#
[r...@dodo firewall]# ip route show table local
local 192.168.3.1 dev eth0 proto kernel scope host src 192.168.3.1
local 192.168.3.17 dev eth0 proto kernel scope host src 192.168.3.17
broadcast 192.168.3.0 dev eth0 proto kernel scope link src 192.168.3.1
broadcast 192.168.3.16 dev eth0 proto kernel scope link src 192.168.3.17
broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 192.168.5.2 dev eth1 proto kernel scope host src 192.168.5.2
local 192.168.5.3 dev eth1 proto kernel scope host src 192.168.5.2
local 192.168.5.4 dev eth1 proto kernel scope host src 192.168.5.2
broadcast 192.168.4.15 dev eth2 proto kernel scope link src 192.168.4.1
broadcast 192.168.4.0 dev eth2 proto kernel scope link src 192.168.4.1
broadcast 192.168.0.0 dev eth1 proto kernel scope link src 192.168.0.2
local 192.168.4.1 dev eth2 proto kernel scope host src 192.168.4.1
local 192.168.0.2 dev eth1 proto kernel scope host src 192.168.0.2
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
broadcast 192.168.3.15 dev eth0 proto kernel scope link src 192.168.3.1
broadcast 192.168.3.31 dev eth0 proto kernel scope link src 192.168.3.17
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 192.168.5.15 dev eth1 proto kernel scope link src 192.168.5.2
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
[r...@dodo firewall]#
[r...@dodo firewall]# ip route show table 3
192.168.1.0/24 via 192.168.3.2 dev eth0
[r...@dodo firewall]#
[r...@dodo firewall]# ip route show table 2
192.168.1.0/24 via 192.168.3.18 dev eth0
[r...@dodo firewall]#
[r...@dodo firewall]# ip route show table main
192.168.4.16/28 via 192.168.4.2 dev eth2
192.168.4.0/28 dev eth2 scope link
192.168.5.0/28 dev eth1 proto kernel scope link src 192.168.5.2
192.168.3.0/28 dev eth0 proto kernel scope link src 192.168.3.1
192.168.4.48/28 via 192.168.4.2 dev eth2
192.168.3.16/28 dev eth0 scope link
192.168.4.32/28 via 192.168.4.2 dev eth2
192.168.0.0/24 dev eth1 scope link
127.0.0.0/8 dev lo scope link
[r...@dodo firewall]#
[r...@dodo firewall]# ip route show table 253
[r...@dodo firewall]#
[r...@dodo firewall]# iptables -nvL -t mangle
Chain PREROUTING (policy ACCEPT 576K packets, 127M bytes)
 pkts bytes target prot opt in  out source    destination
  879 66553 MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0   MAC 00:02:E3:02:C8:8F MARK set 0x3
  144 10713 MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0   MAC 00:40:F4:2D:AF:5C MARK set 0x2
   95 29259 MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0   MARK set 0x3

Chain INPUT (policy ACCEPT 576K packets, 127M bytes)
 pkts bytes target prot opt in  out source    destination

Chain FORWARD (policy ACCEPT 178 packets, 52674 bytes)
 pkts bytes target prot opt in  out source    destination

Chain OUTPUT (policy ACCEPT 552K packets, 151M bytes)
 pkts bytes target prot opt in  out source    destination

Chain POSTROUTING (policy ACCEPT 552K packets, 151M bytes)
 pkts bytes target prot opt in  out source    destination
[r...@dodo firewall]#
If I understand things correctly, when fwmark 0x3 is seen
routing table 3 should be used and when fwmark 0x2 is seen
routing table 2 should be used.
If I do:
ip rule add table 2
or
ip rule add table 3
then this table will get used and ping works.
I can't hard-wire the route: sometimes packets will come from
web and sometimes they will come from xerxes, which
is why I have mac_route added to the firewall:
[r...@dodo firewall]# cat mac_route
iptables -t mangle -A PREROUTING -m mac --mac-source 00:02:E3:02:C8:8F \
-j MARK --set-mark 3
iptables -t mangle -A PREROUTING -m mac --mac-source 00:40:F4:2D:AF:5C \
-j MARK --set-mark 2
[r...@dodo firewall]#
The following is route_web.bash:
#!/bin/bash
#
PATH=/sbin:/usr/bin
# Count the rules in mangle PREROUTING: the listing starts with two header
# lines (the "Chain" line and the column headings), so subtract those.
line_count=$(iptables -nvL PREROUTING -t mangle | wc -l | tr -d ' ')
line_count=$((line_count - 2))
if [ "$line_count" -eq 2 ]
then
    # Only the two MAC rules exist: insert the catch-all mark as rule 3.
    iptables -t mangle -I PREROUTING 3 -j MARK --set-mark 2
else
    # Rule 3 already exists: replace it in place.
    iptables -t mangle -R PREROUTING 3 -j MARK --set-mark 2
fi
The following is route_xerxes.bash:
#!/bin/bash
#
PATH=/sbin:/usr/bin
# Count the rules in mangle PREROUTING: the listing starts with two header
# lines (the "Chain" line and the column headings), so subtract those.
line_count=$(iptables -nvL PREROUTING -t mangle | wc -l | tr -d ' ')
line_count=$((line_count - 2))
if [ "$line_count" -eq 2 ]
then
    # Only the two MAC rules exist: insert the catch-all mark as rule 3.
    iptables -t mangle -I PREROUTING 3 -j MARK --set-mark 3
else
    # Rule 3 already exists: replace it in place.
    iptables -t mangle -R PREROUTING 3 -j MARK --set-mark 3
fi
The following is the portion of the firewall that manipulates the
routing tables:
...
export lan_net="192.168.1.0/24"
...
export w1nweb="192.168.3.18"
export w1nxer="192.168.3.2"
ip route flush table 2
ip route flush table 3
ip route add $lan_net dev eth0 via $w1nweb table 2
ip route add $lan_net dev eth0 via $w1nxer table 3
ip rule add fwmark 2 table 2
ip rule add fwmark 3 table 3
As far as traceroute goes, "Network is unreachable" doesn't seem traceable.
Another routing table can get used, the problem is that the MARK
applied to packets in the PREROUTING chain of the mangle table
never seems to trigger use of the appropriate table. I'm beginning
to wonder if there is some sysctl option breaking this or something
similar.
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
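A walkthrough of the routing decision the kernel makes for the state pasted in the message above, written as an added example for this page (it is not the poster's code nor anything from the list). It parses the `ip rule show` and `ip route show` text copied verbatim from the message, models the three MARK rules listed under mangle PREROUTING, and reports which table a packet with a given fwmark and destination resolves to. Two things it makes visible: a ping run on dodo itself is locally generated, so it never traverses PREROUTING (it passes mangle OUTPUT, where no mark is set in the posted rules) and falls through to main, where 192.168.1.0/24 has no route; and because MARK does not end chain traversal, the unconditional third rule in the listing (`MARK set 0x3` with no MAC match) overrides the 0x2 set for the web MAC. The local table is an excerpt; the rest of the data is as posted.

```python
import ipaddress
import re

# `ip rule show` as pasted in the message (kernel evaluation order).
IP_RULE_SHOW = """\
0: from all lookup local
32764: from all fwmark 0x3 lookup 3
32765: from all fwmark 0x2 lookup 2
32766: from all lookup main
32767: from all lookup 253
"""

# `ip route show table ...` as pasted (the local table is an excerpt).
ROUTE_TABLES = {
    "local": """\
local 192.168.3.1 dev eth0 proto kernel scope host src 192.168.3.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
""",
    "3": "192.168.1.0/24 via 192.168.3.2 dev eth0\n",
    "2": "192.168.1.0/24 via 192.168.3.18 dev eth0\n",
    "main": """\
192.168.4.16/28 via 192.168.4.2 dev eth2
192.168.4.0/28 dev eth2 scope link
192.168.5.0/28 dev eth1 proto kernel scope link src 192.168.5.2
192.168.3.0/28 dev eth0 proto kernel scope link src 192.168.3.1
192.168.4.48/28 via 192.168.4.2 dev eth2
192.168.3.16/28 dev eth0 scope link
192.168.4.32/28 via 192.168.4.2 dev eth2
192.168.0.0/24 dev eth1 scope link
127.0.0.0/8 dev lo scope link
""",
}

# mangle PREROUTING as listed by `iptables -nvL -t mangle` in the message:
# (source MAC, or None for any source; mark).  MARK does not terminate chain
# traversal, so every matching rule runs and the last match wins.
MANGLE_PREROUTING = [
    ("00:02:E3:02:C8:8F", 0x3),
    ("00:40:F4:2D:AF:5C", 0x2),
    (None, 0x3),
]

RULE_RE = re.compile(r"^(\d+):\s+from all(?:\s+fwmark\s+(0x[0-9a-fA-F]+))?\s+lookup\s+(\S+)$")


def parse_rules(text):
    """[(priority, fwmark or None, table)] sorted by priority."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            prio, mark, table = m.groups()
            rules.append((int(prio), int(mark, 16) if mark else None, table))
    return sorted(rules)


def parse_routes(text):
    """Route dicts from `ip route show` lines; a bare host becomes a /32."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        kind = tok.pop(0) if tok[0] in ("local", "broadcast", "unreachable") else "unicast"
        routes.append({
            "kind": kind,
            "prefix": ipaddress.ip_network(tok[0], strict=False),
            "via": tok[tok.index("via") + 1] if "via" in tok else None,
            "dev": tok[tok.index("dev") + 1] if "dev" in tok else None,
        })
    return routes


RULES = parse_rules(IP_RULE_SHOW)
TABLES = {name: parse_routes(text) for name, text in ROUTE_TABLES.items()}


def mark_for(src_mac, locally_generated):
    """fwmark the packet carries when it reaches the routing decision."""
    # Locally generated packets (a ping run on the firewall itself) never pass
    # PREROUTING; they traverse mangle OUTPUT, where the posted rules set no mark.
    if locally_generated:
        return 0
    mark = 0
    for mac, value in MANGLE_PREROUTING:
        if mac is None or (src_mac and src_mac.upper() == mac):
            mark = value
    return mark


def resolve(fwmark, dst):
    """Walk rules in priority order; the first table holding a matching
    prefix answers (longest prefix within it).  None models ENETUNREACH."""
    dst_ip = ipaddress.ip_address(dst)
    for _prio, rule_mark, table in RULES:
        if rule_mark is not None and rule_mark != fwmark:
            continue
        hits = [r for r in TABLES.get(table, []) if dst_ip in r["prefix"]]
        if hits:
            best = max(hits, key=lambda r: r["prefix"].prefixlen)
            return table, best["via"], best["dev"]
    return None
```

`resolve(mark_for(None, True), "192.168.1.1")` returns None, which is the "Network is unreachable" the ping on dodo reports, while `resolve(mark_for("00:02:E3:02:C8:8F", False), "192.168.1.1")` resolves via 192.168.3.2 in table 3, so the posted rules do work for forwarded traffic. Newer iproute2 releases let you ask the live kernel the same question with `ip route get 192.168.1.1 mark 3`, which is the quickest check that a fwmark rule is actually being consulted.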