From: Wolfgang Pichler <madmin@dialog-telekom.at>
To: netfilter@lists.netfilter.org
Subject: RE: backroute problem
Date: 24 Jul 2003 11:53:03 +0000	[thread overview]
Message-ID: <1059047582.1959.36.camel@defiant.dialog> (raw)
In-Reply-To: <1059035062.1937.2.camel@defiant.dialog>

I've now tried it with the mark solution.

I've done:
(firewall)
$IPTABLES -t mangle -A PREROUTING -p tcp --dport smtp -d $MAILSERVER -j MARK --set-mark 1
$IPTABLES -t nat -A PREROUTING -p tcp --dport smtp -d $MAILSERVER -j DNAT --to-destination $LAN_MAILSERVER:25
(marked the packet with 1 and DNATed it in PREROUTING to the internal mail server)

(mailserver)
in /etc/iproute2/rt_tables an entry with "201 newip" (I have no idea
what 201 stands for, and I can't find an answer to this in the Linux 2.4
Advanced Routing HOWTO; can someone point me to the right place?)

then
ip rule add fwmark 1 table newip
and
ip route add default via firewall dev eth0 table newip

But it still doesn't work. Why?

Regards,
Wolfi


On Thu, 2003-07-24 at 08:24, Wolfgang Pichler wrote:
> I am not an expert, but how can I use iproute2 routing by source IP?
> If I understand the whole thing right, then the webserver doesn't get the
> IP of the firewall as source IP; it gets the original IP. So how can
> iproute2 then know which packet was coming from the firewall and which
> packet was coming from the old gateway?
> 
> But another thing comes to mind: wouldn't it be possible to mark the
> packets on the firewall, and then tell iproute2 to route marked packets
> back to the firewall?
> 
> Regards,
> Wolfi
> 
> On Wed, 2003-07-23 at 21:58, George Vieira wrote:
> > You have to use iproute2 to route by source IP and not destination (default gateway).
> > 
> > There is an iptables patch in p-o-m which does some funky iproute stuff too but not sure the name.. have a look
> > 
> > Thanks,
> > ____________________________________________
> > George Vieira
> > Systems Manager
> > georgev@citadelcomputer.com.au
> > 
> > Citadel Computer Systems Pty Ltd
> > http://www.citadelcomputer.com.au
> > 
> > -----Original Message-----
> > From: Wolfgang Pichler [mailto:madmin@dialog-telekom.at]
> > Sent: Thursday, July 24, 2003 6:03 AM
> > To: netfilter@lists.netfilter.org
> > Subject: backroute problem
> > 
> > 
> > hi all,
> > 
> > we have got new IP addresses; the old ones still exist so that I can
> > migrate them to the new ones.
> > 
> > the old IPs are directly assigned to the web/mail server (I know that
> > this isn't good, but I didn't have a firewall at the time). Now I have
> > a separate firewall which has the new IPs assigned to it.
> > 
> > Now I'd like to change the DNS entries so that the traffic goes over the
> > new IPs (a 4 MBit line ;-) ). The problem I have is:
> > 
> > when a packet on the new IP comes in, it gets prerouted by the firewall
> > to the webserver. The webserver gets the packet with the original
> > source address. Now the webserver wants to answer the packet, but
> > because of the old IPs the webserver has a default route with the old
> > IP and tries to route the packet over the old gateway, and not back to
> > the firewall... You know, that can't work.
> > 
> > I am now searching for a solution for this problem. Can netfilter help
> > me with this problem, or do I have to use iproute (I haven't ever done
> > anything with iproute)? Help me?
> > 
> > Can I mark the packets so that the webserver can send them back in the
> > right direction?
> > 
> > Regards,
> > Wolfi
> > 
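Editor's note on the mark-based attempt above, with an added example that is not part of the thread. A packet mark set with `-j MARK` in the firewall's mangle table is metadata on the firewall kernel's own socket buffer; it is not a field of the IP packet and never reaches the mail server, so a `fwmark 1` rule on the mail server is never matched and the reply falls through to the main table and the old default gateway. What does distinguish the two kinds of traffic on the mail server is the local address the connection arrived on: a connection that came through the firewall was DNATed to $LAN_MAILSERVER, so the server's reply carries that address as its source, while legacy connections reply from the old public IP. A `from` rule on the DNAT target address is therefore the source-based routing George refers to. On the rt_tables question: 201 is just an arbitrary table identifier chosen by the HOWTO author; user tables may use any number from 1 to 252 (0 is unspec, 253 default, 254 main and 255 local are reserved), and `ip rule` and `ip route` accept the name or the number interchangeably. The Python model below reproduces the kernel's rule-then-table lookup for both configurations; all addresses and interface names are constructed assumptions from the RFC 5737 documentation ranges, not values from the thread.

```python
"""Model of the Linux policy routing database (RPDB) lookup.

Constructed example, not code from the thread.  Assumed topology
(addresses from the RFC 5737 documentation ranges):
  mail server eth0: 192.0.2.10/24, old public IP, old gateway 192.0.2.1
  mail server eth1: 10.0.0.10/24, LAN address the firewall DNATs to
  firewall LAN side: 10.0.0.1
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

OLD_IP, OLD_GW = "192.0.2.10", "192.0.2.1"
LAN_MAILSERVER, FIREWALL = "10.0.0.10", "10.0.0.1"
CLIENT = "203.0.113.7"  # some remote SMTP client (constructed)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None  # None: directly connected


@dataclass(frozen=True)
class Rule:
    priority: int
    table: str
    src: Optional[ipaddress.IPv4Network] = None  # "from" selector
    fwmark: Optional[int] = None                 # "fwmark" selector


class Rpdb:
    """Rules are tried in priority order; the first table that holds a
    (longest-prefix) match for the destination decides the route."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.tables: Dict[str, List[Route]] = {}

    def add_rule(self, priority: int, table: str,
                 src: Optional[str] = None, fwmark: Optional[int] = None) -> None:
        net = ipaddress.ip_network(src) if src else None
        self.rules.append(Rule(priority, table, net, fwmark))
        self.rules.sort(key=lambda r: r.priority)

    def add_route(self, table: str, prefix: str, dev: str,
                  via: Optional[str] = None) -> None:
        self.tables.setdefault(table, []).append(
            Route(ipaddress.ip_network(prefix), dev, via))

    def lookup(self, src: str, dst: str, fwmark: int = 0) -> Optional[Route]:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules:
            if rule.src is not None and s not in rule.src:
                continue
            if rule.fwmark is not None and rule.fwmark != fwmark:
                continue
            hits = [r for r in self.tables.get(rule.table, []) if d in r.prefix]
            if hits:
                return max(hits, key=lambda r: r.prefix.prefixlen)
            # table has no route for dst: fall through to the next rule
        return None


def base_rpdb() -> Rpdb:
    """Main table as built from the interface addresses, plus the
    pre-existing default route through the old gateway."""
    db = Rpdb()
    db.add_rule(32766, "main")
    db.add_route("main", "192.0.2.0/24", "eth0")
    db.add_route("main", "10.0.0.0/24", "eth1")
    db.add_route("main", "0.0.0.0/0", "eth0", via=OLD_GW)
    return db


def with_fwmark_rule() -> Rpdb:
    """The thread's attempt: ip rule add fwmark 1 table newip"""
    db = base_rpdb()
    db.add_rule(100, "newip", fwmark=1)
    db.add_route("newip", "0.0.0.0/0", "eth1", via=FIREWALL)
    return db


def with_source_rule() -> Rpdb:
    """Route by source: ip rule add from 10.0.0.10 table newip"""
    db = base_rpdb()
    db.add_rule(100, "newip", src=f"{LAN_MAILSERVER}/32")
    db.add_route("newip", "0.0.0.0/0", "eth1", via=FIREWALL)
    return db


def reply_next_hop(db: Rpdb, local_addr: str) -> str:
    """Next hop for the mail server's reply to a connection that arrived
    on local_addr.  The mark set by the firewall's mangle table lives in
    the firewall kernel's skb, not in the packet on the wire, so on the
    mail server every reply is looked up with mark 0."""
    route = db.lookup(src=local_addr, dst=CLIENT, fwmark=0)
    if route is None:
        return "unreachable"
    return f"via {route.via} dev {route.dev}"


if __name__ == "__main__":
    for name, db in (("fwmark rule", with_fwmark_rule()),
                     ("from rule", with_source_rule())):
        print(f"{name}: DNATed reply {reply_next_hop(db, LAN_MAILSERVER)}; "
              f"old-IP reply {reply_next_hop(db, OLD_IP)}")
```

With the `fwmark` rule the DNATed reply still leaves via 192.0.2.1 on eth0 (the fwmark rule never matches, so the lookup falls through to main); with the `from 10.0.0.10` rule it leaves via 10.0.0.1 on eth1, where the firewall's conntrack entry can reverse the DNAT, while replies from the old public IP keep using the old gateway in both cases. On a real mail server the equivalent commands are `ip rule add from 10.0.0.10 table newip` and `ip route add default via 10.0.0.1 dev eth1 table newip` (substituting the LAN addresses and interface in use), and `ip route get 203.0.113.7 from 10.0.0.10` shows which table and next hop the kernel actually picks, which is the check to run before changing the DNS entries.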
Thread overview: 5+ messages
2003-07-23 21:58 backroute problem George Vieira
2003-07-24  8:24 ` Wolfgang Pichler
2003-07-24 11:53   ` Wolfgang Pichler [this message]
  -- strict thread matches above, loose matches on Subject: below --
2003-07-23 20:03 Wolfgang Pichler
2003-07-23 20:00 Wolfgang Pichler
