* RE: backroute problem
From: George Vieira @ 2003-07-23 21:58 UTC
To: Wolfgang Pichler, netfilter
You have to use iproute2 to route by source IP and not by destination (default gateway).

There is an iptables patch in p-o-m which does some funky iproute stuff too, but I'm not sure of the name... have a look.
Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
-----Original Message-----
From: Wolfgang Pichler [mailto:madmin@dialog-telekom.at]
Sent: Thursday, July 24, 2003 6:03 AM
To: netfilter@lists.netfilter.org
Subject: backroute problem
hi all,

we have got new IP addresses - the old ones still exist so that I can
migrate them to the new ones.

the old IPs are directly assigned to the web/mail server (I know that
this isn't good - but I didn't have a firewall at that time) - now I have
a separate firewall which has the new IPs assigned to it.

Now I'd like to change the DNS entries so that the traffic goes over the
new IPs (a 4 MBit line ;-) ) - the problem I have is:

when a packet on the new IP comes then it gets prerouted by the firewall
to the webserver - the webserver gets the packet with the original
source address - now the webserver wants to answer the packet - but
because of the old IPs the webserver has a default route with the old
IP and tries to route the packet over the old gateway - and not back to
the firewall... You know - that can't work.

I am now searching for a solution for this problem. Can netfilter help
me with this problem - or do I have to use iproute (I haven't ever done
anything with iproute)? Help me?

Can I mark the packets so that the webserver can send them back in the
right direction?

Kind regards,
Wolfi
* RE: backroute problem
From: Wolfgang Pichler @ 2003-07-24 8:24 UTC
To: netfilter
I am not an expert - but how can I use iproute2 routing by source IP?
If I understand the whole thing right then the webserver doesn't get the
IP of the firewall as source IP - it gets the original IP - so - how can
iproute2 then know which packet was coming from the firewall and which
packet was coming from the old gateway?

But another thing comes to mind: Wouldn't it be possible to mark the
packets on the firewall - and then tell iproute2 to route marked packets
back to the firewall?

Kind regards,
Wolfi
On Wed, 2003-07-23 at 21:58, George Vieira wrote:
> You have to use iproute2 to route by source IP and not by destination (default gateway).
>
> There is an iptables patch in p-o-m which does some funky iproute stuff too, but I'm not sure of the name... have a look.
>
> Thanks,
> ____________________________________________
> George Vieira
> Systems Manager
> georgev@citadelcomputer.com.au
>
> Citadel Computer Systems Pty Ltd
> http://www.citadelcomputer.com.au
>
> -----Original Message-----
> From: Wolfgang Pichler [mailto:madmin@dialog-telekom.at]
> Sent: Thursday, July 24, 2003 6:03 AM
> To: netfilter@lists.netfilter.org
> Subject: backroute problem
>
>
> hi all,
>
> we have got new IP addresses - the old ones still exist so that I can
> migrate them to the new ones.
>
> the old IPs are directly assigned to the web/mail server (I know that
> this isn't good - but I didn't have a firewall at that time) - now I have
> a separate firewall which has the new IPs assigned to it.
>
> Now I'd like to change the DNS entries so that the traffic goes over the
> new IPs (a 4 MBit line ;-) ) - the problem I have is:
>
> when a packet on the new IP comes then it gets prerouted by the firewall
> to the webserver - the webserver gets the packet with the original
> source address - now the webserver wants to answer the packet - but
> because of the old IPs the webserver has a default route with the old
> IP and tries to route the packet over the old gateway - and not back to
> the firewall... You know - that can't work.
>
> I am now searching for a solution for this problem. Can netfilter help
> me with this problem - or do I have to use iproute (I haven't ever done
> anything with iproute)? Help me?
>
> Can I mark the packets so that the webserver can send them back in the
> right direction?
>
> Kind regards,
> Wolfi
* RE: backroute problem
From: Wolfgang Pichler @ 2003-07-24 11:53 UTC
To: netfilter
I've now tried it with the mark solution.

I've done:

(firewall)
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport smtp -d $MAILSERVER -j MARK --set-mark 1
    $IPTABLES -t nat -A PREROUTING -p tcp --dport smtp -d $MAILSERVER -j DNAT --to-destination $LAN_MAILSERVER:25
(Marked the packet with 1 and prerouted it to the internal mailserver)

(mailserver)
in /etc/iproute2/rt_tables an entry with "201 newip" (I have no idea
what 201 stands for and I can't find an answer to this in the Linux 2.4
Advanced Routing HOWTO - can someone point me to the right place?)

then
    ip rule add fwmark 1 table newip
and
    ip route add default via firewall dev eth0 table newip

but it still doesn't work, why?

Kind regards,
Wolfi
On Thu, 2003-07-24 at 08:24, Wolfgang Pichler wrote:
> I am not an expert - but how can I use iproute2 routing by source IP?
> If I understand the whole thing right then the webserver doesn't get the
> IP of the firewall as source IP - it gets the original IP - so - how can
> iproute2 then know which packet was coming from the firewall and which
> packet was coming from the old gateway?
>
> But another thing comes to mind: Wouldn't it be possible to mark the
> packets on the firewall - and then tell iproute2 to route marked packets
> back to the firewall?
>
> Kind regards,
> Wolfi
>
> On Wed, 2003-07-23 at 21:58, George Vieira wrote:
> > You have to use iproute2 to route by source IP and not by destination (default gateway).
> >
> > There is an iptables patch in p-o-m which does some funky iproute stuff too, but I'm not sure of the name... have a look.
> >
> > Thanks,
> > ____________________________________________
> > George Vieira
> > Systems Manager
> > georgev@citadelcomputer.com.au
> >
> > Citadel Computer Systems Pty Ltd
> > http://www.citadelcomputer.com.au
> >
> > -----Original Message-----
> > From: Wolfgang Pichler [mailto:madmin@dialog-telekom.at]
> > Sent: Thursday, July 24, 2003 6:03 AM
> > To: netfilter@lists.netfilter.org
> > Subject: backroute problem
> >
> >
> > hi all,
> >
> > we have got new IP addresses - the old ones still exist so that I can
> > migrate them to the new ones.
> >
> > the old IPs are directly assigned to the web/mail server (I know that
> > this isn't good - but I didn't have a firewall at that time) - now I have
> > a separate firewall which has the new IPs assigned to it.
> >
> > Now I'd like to change the DNS entries so that the traffic goes over the
> > new IPs (a 4 MBit line ;-) ) - the problem I have is:
> >
> > when a packet on the new IP comes then it gets prerouted by the firewall
> > to the webserver - the webserver gets the packet with the original
> > source address - now the webserver wants to answer the packet - but
> > because of the old IPs the webserver has a default route with the old
> > IP and tries to route the packet over the old gateway - and not back to
> > the firewall... You know - that can't work.
> >
> > I am now searching for a solution for this problem. Can netfilter help
> > me with this problem - or do I have to use iproute (I haven't ever done
> > anything with iproute)? Help me?
> >
> > Can I mark the packets so that the webserver can send them back in the
> > right direction?
> >
> > Kind regards,
> > Wolfi
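An added example, not from the thread, that ties George's advice to route by source IP to the set-up in Wolfi's last message: a script for the mail server that sends replies to the DNATed connections back through the firewall with a "from" rule instead of the fwmark rule (a mark set by iptables on the firewall exists only in that host's kernel and is not carried in the packet, so it cannot match on the mail server). The addresses are constructed placeholders; the table name, number and interface are the ones from the thread, and by default the script only prints the commands (set DRY_RUN=0 to apply them as root).

```shell
#!/bin/sh
# Added example, not from the thread. A fwmark set by iptables on the firewall
# exists only inside that host's kernel; it is not carried in the packet, so
# "ip rule add fwmark 1" on the mail server never matches. What the mail server
# does see is the address the firewall DNATs to: replies to those connections
# carry it as their source address, so a "from" rule selects them. The main
# table keeps its default route via the old gateway for the old public IPs.
# Addresses below are constructed placeholders (assumed); table name, number
# and interface are the ones from the thread.
LAN_MAILSERVER=192.168.1.25   # the firewall's DNAT target on the mail server
FIREWALL_LAN=192.168.1.1      # firewall's address on the mail server's LAN
LAN_IF=eth0                   # interface towards the firewall
TABLE_ID=201                  # any unused number 1..252; it is only a label
TABLE_NAME=newip
DRY_RUN=${DRY_RUN:-1}         # 1: print commands; 0: run them (needs root)

# rt_tables just maps a name to a number; this is the one line it needs.
rt_tables_entry() { printf '%s %s\n' "$TABLE_ID" "$TABLE_NAME"; }

# Mail-server side: route by source address instead of by (absent) fwmark.
mailserver_rules() {
    # pref 100 places the rule ahead of the main table (pref 32766).
    echo "ip rule add from $LAN_MAILSERVER table $TABLE_NAME pref 100"
    echo "ip route add default via $FIREWALL_LAN dev $LAN_IF table $TABLE_NAME"
    # 2.4 kernels cache routing decisions; flush so the rule is used at once.
    echo "ip route flush cache"
}

# Check: ask the kernel which route a reply sourced from the DNAT target
# takes; it must show "via $FIREWALL_LAN", not the old gateway.
check_cmd() { echo "ip route get 198.51.100.7 from $LAN_MAILSERVER iif $LAN_IF"; }

apply_rules() {
    if ! grep -qs "^$TABLE_ID[[:space:]]" /etc/iproute2/rt_tables; then
        if [ "$DRY_RUN" = 1 ]; then
            echo "# append to /etc/iproute2/rt_tables: $(rt_tables_entry)"
        else
            rt_tables_entry >> /etc/iproute2/rt_tables
        fi
    fi
    mailserver_rules | while read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
    done
    echo "# verify with: $(check_cmd)"
}

apply_rules
```

The firewall side needs only the DNAT rule from the message above; the MARK rule there does no harm but is not what makes the reply path work.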
* backroute problem
From: Wolfgang Pichler @ 2003-07-23 20:03 UTC
To: netfilter
hi all,

we have got new IP addresses - the old ones still exist so that I can
migrate them to the new ones.

the old IPs are directly assigned to the web/mail server (I know that
this isn't good - but I didn't have a firewall at that time) - now I have
a separate firewall which has the new IPs assigned to it.

Now I'd like to change the DNS entries so that the traffic goes over the
new IPs (a 4 MBit line ;-) ) - the problem I have is:

when a packet on the new IP comes then it gets prerouted by the firewall
to the webserver - the webserver gets the packet with the original
source address - now the webserver wants to answer the packet - but
because of the old IPs the webserver has a default route with the old
IP and tries to route the packet over the old gateway - and not back to
the firewall... You know - that can't work.

I am now searching for a solution for this problem. Can netfilter help
me with this problem - or do I have to use iproute (I haven't ever done
anything with iproute)? Help me?

Can I mark the packets so that the webserver can send them back in the
right direction?

Kind regards,
Wolfi
* backroute problem
From: Wolfgang Pichler @ 2003-07-23 20:00 UTC
To: netfilter
hi all,

we have got new IP addresses - the old ones still exist so that I can
migrate them to the new ones.

the old IPs are directly assigned to the web/mail server (I know that
this isn't good - but I didn't have a firewall at that time) - now I have
a separate firewall which has the new IPs assigned to it.

Now I'd like to change the DNS entries so that the traffic goes over the
new IPs (a 4 MBit line ;-) ) - the problem I have is:

when a packet on the new IP comes then it gets prerouted by the firewall
to the webserver - the webserver gets the packet with the original
source address - now the webserver wants to answer the packet - but
because of the old IPs the webserver has a default route with the old
IP and tries to route the packet over the old gateway - and not back to
the firewall... You know - that can't work.

I am now searching for a solution for this problem. Can netfilter help
me with this problem - or do I have to use iproute (I haven't ever done
anything with iproute)? Help me?

Can I mark the packets so that the webserver can send them back in the
right direction?

Kind regards,
Wolfi