Yup, prerouting -i ethlan got rid of the freeze :) but unfortunately it still doesn't work. Below is the script I ended up with, mainly with Mircea's help:
<script start>
#!/bin/bash
./myflush
./politici2
# myflush flushes all the chains and politici2 sets all the policies to ACCEPT
# I tried to log the `path` of the icmp packet
ipextern1="x.x.x.x";
ipextern2="y.y.y.y";
ethisp1="eth1";
ethisp2="eth3";
ethloc0="eth2";
match=" -p icmp ";
echo "1"> /proc/sys/net/ipv4/ip_forward
route del default
ip route add to default equalize nexthop dev $ethisp1 via $ipextern1 weight 4 nexthop dev $ethisp2 via $ipextern2 weight 1
ip rule add fwmark 1 lookup 1
ip rule add fwmark 2 lookup 2
ip route add table 1 to default dev $ethisp1
ip route add table 2 to default dev $ethisp2
iptables -A PREROUTING -t mangle $match -j LOG --log-prefix "\n========PRER-mangle"
#iptables -A PREROUTING -t mangle -i $ethloc0 -m state --state NEW -j RETURN
iptables -A PREROUTING -t mangle -i $ethloc0 -j CONNMARK --restore-mark
iptables -t mangle -I POSTROUTING $match -j LOG --log-prefix "\nPOSTR-mangle"
iptables -A POSTROUTING -t mangle -j MARK --set-mark 1 -m state --state NEW -o $ethisp1
iptables -A POSTROUTING -t mangle -j MARK --set-mark 2 -m state --state NEW -o $ethisp2
iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark -m state --state NEW
iptables -t nat -A POSTROUTING $match -j LOG --log-prefix "\nPOSTR-nat"
iptables -A POSTROUTING -t nat -m mark --mark 1 -j SNAT --to-source $ipextern1 -o $ethisp1
iptables -A POSTROUTING -t nat -m mark --mark 2 -j SNAT --to-source $ipextern2 -o $ethisp2
iptables -t mangle -I INPUT $match -j LOG --log-prefix "INP-mangle"
iptables -t filter -I INPUT $match -j LOG --log-prefix "INP-filter"
iptables -t filter -I OUTPUT $match -j LOG --log-prefix "OUTP-filter"
iptables -t nat -I OUTPUT $match -j LOG --log-prefix "OUTP-nat"
iptables -t mangle -I OUTPUT $match -j LOG --log-prefix "OUTPUT-mangle"
iptables -t mangle -I FORWARD $match -j LOG --log-prefix "FORW-mangle"
iptables -t filter -I FORWARD $match -j LOG --log-prefix "FORW-filter"
<script end>
The result: destination host unreachable, both from the workstations and from the server.
From what I managed to follow with the help of the iptables log, things look roughly like this:
In Prerouting-mangle
in=eth2 (the interface facing the LAN)
out=
s=10.10.10.111 (the IP of the client in the local network from which I ping towards:
d=66.102.9.99 (google .. from the windows workstation: ping 66.102.9.99 -t)
(routing happens here and I don't know ?!? why it always chooses interface eth3 even though the higher weight is set on eth1)
In Forward-mangle,filter - the result of the routing towards eth3 can be seen
in=eth2
out=eth3
s=10.10.10.111
d=66.102.9.99
In Postrouting-mangle
in=
out=eth3
s=10.10.10.111
d=66.102.9.99
(from here the packet `disappears`, nothing comes back .. I don't even know why it doesn't show up in Postrouting-nat either)
Other additional info:
ip rule list
0: from all lookup local
32764: from all fwmark 0x2 lookup 2
32765: from all fwmark 0x1 lookup 1
32766: from all lookup main
32767: from all lookup default
ip route show table 1
ip route default dev eth1 scope link
ip route show table 2
default dev eth3 scope link
ip route
x.x.x.0/25 dev eth1 proto kernel scope link src x.x.x.x
y.y.y.0/24 dev eth3 proto kernel scope link src y.y.y.y
10.10.10.0/24 dev eth2 proto kernel scope link src 10.10.10.1
169.254.0.0/16 dev eth3 scope link
default equalize
nexthop via x.x.x.x dev eth1 weight 2
nexthop via y.y.y.y dev eth3 weight 1
----- Original Message -----
From: "Mircea Croitor"
<[EMAIL PROTECTED]>
To: "Romanian Linux Users Group"
<[email protected]>
Sent: Sunday, March 26, 2006 10:57 AM
Subject: Re: [rlug] multihomed problem
when you wrote that script, you took into account the path of the packets from the internal network towards the two ISPs, only you didn't put the interfaces in some of the rules
check everywhere the input or output interface (as appropriate) according to this direction
for the reverse direction, as far as forwarding towards the internal network is concerned, it works automatically
in POSTROUTING you can't use -i, only -o, and there's no longer any point in checking the mark
to -t mangle -A PREROUTING -j CONNMARK --restore-mark, add -i $iflan
_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug
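The following is an added example, not part of the original thread and not the poster's or Mircea's script. It generates the CONNMARK-based two-uplink rule set in the shape the reply describes (restore-mark limited to the LAN interface, POSTROUTING matched by -o only, SNAT by output interface without a mark match) and lints the generated rules for the two mistakes the reply names. All interface names, gateway and source addresses are assumptions (RFC 5737 documentation ranges); RUN defaults to echo so the script prints the commands instead of applying them, which is how the lint consumes them.

```shell
#!/bin/sh
# Added example: dry-run generator and linter for a two-ISP router rule set.
# Assumed topology (not from the thread):
IFLAN="eth2"                              # LAN-facing interface
IFISP1="eth1"; GW1="192.0.2.1";   SRC1="192.0.2.10"      # uplink 1, its gateway, our address on it
IFISP2="eth3"; GW2="198.51.100.1"; SRC2="198.51.100.10"  # uplink 2, its gateway, our address on it

# RUN defaults to "echo" (dry run, no root needed); export RUN="" to apply for real.
RUN="${RUN-echo}"

# Policy routing: per-uplink tables selected by fwmark, plus a weighted
# multipath default route in the main table for the first packet of a flow.
gen_routing() {
    $RUN ip rule add fwmark 1 lookup 1
    $RUN ip rule add fwmark 2 lookup 2
    $RUN ip route add table 1 default via "$GW1" dev "$IFISP1"
    $RUN ip route add table 2 default via "$GW2" dev "$IFISP2"
    $RUN ip route replace default nexthop via "$GW1" dev "$IFISP1" weight 4 nexthop via "$GW2" dev "$IFISP2" weight 1
}

# Marking: the mark is set in POSTROUTING, i.e. after the routing decision, so it
# cannot influence the first packet of a flow; it records which uplink the
# multipath route picked. Later packets of the same connection get that mark
# restored in PREROUTING (only for traffic arriving from the LAN, as the reply
# says) and are therefore routed through table 1 or 2, pinning the flow.
gen_marking() {
    $RUN iptables -t mangle -A PREROUTING -i "$IFLAN" -j CONNMARK --restore-mark
    $RUN iptables -t mangle -A POSTROUTING -o "$IFISP1" -m state --state NEW -j MARK --set-mark 1
    $RUN iptables -t mangle -A POSTROUTING -o "$IFISP2" -m state --state NEW -j MARK --set-mark 2
    $RUN iptables -t mangle -A POSTROUTING -m state --state NEW -j CONNMARK --save-mark
    # SNAT by output interface only: the route already honoured the mark, so no
    # "-m mark" is needed here (the reply's point).
    $RUN iptables -t nat -A POSTROUTING -o "$IFISP1" -j SNAT --to-source "$SRC1"
    $RUN iptables -t nat -A POSTROUTING -o "$IFISP2" -j SNAT --to-source "$SRC2"
}

# lint_rules reads generated rules on stdin and returns non-zero if it finds
# either mistake the reply calls out: "-i" inside a POSTROUTING rule (iptables
# rejects it) or a restore-mark rule not restricted to an input interface.
lint_rules() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *POSTROUTING*" -i "*)
                echo "BAD: -i is not valid in POSTROUTING: $line" >&2; rc=1 ;;
            *--restore-mark*)
                case "$line" in
                    *" -i "*) ;;
                    *) echo "BAD: restore-mark not limited to an input interface: $line" >&2; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Dry run: print the rule set, then lint it.
gen_routing
gen_marking
gen_marking | lint_rules && echo "lint: OK" >&2
```

Running the script with RUN unset prints the commands and "lint: OK"; feeding it a rule such as `iptables -t mangle -A POSTROUTING -i eth2 ...` makes the lint fail, which is the kind of check worth running before a rule set is applied on a box you can only reach through the uplinks it reconfigures.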