* Routing traffic over two gateways by fwmark
@ 2015-03-31 22:52 Matt Killock
  2015-04-01 22:13 ` Pascal Hambourg
  0 siblings, 1 reply; 3+ messages in thread
From: Matt Killock @ 2015-03-31 22:52 UTC (permalink / raw)
  To: netfilter

Hello,

I am having trouble re-using scripts that worked in kernel 2.6.24 with a 
more recent 3.16.0 series kernel. The essence of what I am trying to do 
is this:

iptables mark all packets arriving from anywhere on interface 1 with 
'10'
iptables mark all packets arriving from anywhere on interface 2 with 
'20'

iptables DNAT incoming traffic on interface 1 on port 1111 to internal 
server via interface 3
iptables DNAT incoming traffic on interface 2 on port 1111 to internal 
server via interface 3

ip rule from all fwmark 10 table T1
ip rule from all fwmark 20 table T2

default gateway in table T1 is through interface 1
default gateway in table T2 is through interface 2

With the view to make everything that arrives on a particular interface 
leave via that interface. The above approach worked fine in kernel 2.6 
but does not seem to work any more. With no default gateway in the main 
routing table, the packets arrive on the external interfaces but do not 
appear on the LAN interface, almost as if DNAT is having no effect at 
all. One of the two DNAT rules works if I add a default gateway to the 
main routing table, but then it appears that the policy routing tables 
or firewall marks are ignored.

Should the above approach be possible still? If not, then could someone 
advise what approach I should use nowadays please?

Matt


* Re: Routing traffic over two gateways by fwmark
  2015-03-31 22:52 Routing traffic over two gateways by fwmark Matt Killock
@ 2015-04-01 22:13 ` Pascal Hambourg
  2015-04-02 16:21   ` Matt Killock
  0 siblings, 1 reply; 3+ messages in thread
From: Pascal Hambourg @ 2015-04-01 22:13 UTC (permalink / raw)
  To: Matt Killock; +Cc: netfilter

Matt Killock wrote:
> 
> I am having trouble re-using scripts that worked in kernel 2.6.24 with a 
> more recent 3.16.0 series kernel. The essence of what I am trying to do 
> is this:
> 
> iptables mark all packets arriving from anywhere on interface 1 with 
> '10'
> iptables mark all packets arriving from anywhere on interface 2 with 
> '20'
> 
> iptables DNAT incoming traffic on interface 1 on port 1111 to internal 
> server via interface 3
> iptables DNAT incoming traffic on interface 2 on port 1111 to internal 
> server via interface 3
> 
> ip rule from all fwmark 10 table T1
> ip rule from all fwmark 20 table T2
> 
> default gateway in table T1 is through interface 1
> default gateway in table T2 is through interface 2
> 
> With the view to make everything that arrives on a particular interface 
> leave via that interface. The above approach worked fine in kernel 2.6 

I don't think so. You must mark packets from the server arriving at
interface 3, not packets arriving at interfaces 1 and 2.
Packets arriving at interfaces 1 and 2 are all routed via interface 3, so
they have no need for advanced routing.

> but does not seem to work any more. With no default gateway in the main 
> routing table, the packets arrive on the external interfaces but do not 
> appear on the LAN interface, almost as if DNAT is having no effect at 
> all.

Check the value of rp_filter for interface 1, interface 2 and all.
Since some kernel version the logic has changed from AND to MAX.

> One of the two DNAT rules works if I add a default gateway to the 
> main routing table, but then it appears that the policy routing tables 
> or firewall marks are ignored.

You must mark packets arriving from the server at interface 3. For this
you must mark the incoming connections (CONNMARK) and transfer the
connection mark to the packets arriving at interface 3.

Another method not requiring connection marking is to use the original
destination address (-m conntrack --ctorigdst) to mark the packets.
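One way to wire up what Pascal describes (mark the incoming connection with CONNMARK, restore that mark on the server's replies as they arrive at interface 3, and relax rp_filter instead of switching it off), as an added example that is not from the thread; the interface names, addresses, marks and table numbers are assumed placeholders:

```shell
#!/bin/sh
# Added example, not the thread's own configuration. All names below are assumed.
WAN1=eth0; WAN2=eth1; LAN=eth2
GW1=198.51.100.1; GW2=203.0.113.1        # assumed upstream gateways
SERVER=192.168.1.10; PORT=1111            # internal server behind interface 3 (LAN)
RUN=${RUN:-}                              # set RUN=echo to print commands instead of running them

run() { $RUN "$@"; }

policy_routing_setup() {
    # Per-WAN routing tables, each with its own default gateway
    run ip route replace default via "$GW1" dev "$WAN1" table 10
    run ip route replace default via "$GW2" dev "$WAN2" table 20
    # Policy rules: the firewall mark selects the table
    run ip rule add fwmark 10 table 10
    run ip rule add fwmark 20 table 20

    # Mark NEW connections by the WAN interface they entered on and save the
    # mark into the conntrack entry (CONNMARK), so every later packet of the
    # connection, including the server's replies, can inherit it.
    run iptables -t mangle -A PREROUTING -i "$WAN1" -m conntrack --ctstate NEW -j MARK --set-mark 10
    run iptables -t mangle -A PREROUTING -i "$WAN2" -m conntrack --ctstate NEW -j MARK --set-mark 20
    run iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -j CONNMARK --save-mark
    # Replies from the server arrive on the LAN interface: restore the connection
    # mark onto the packet so the ip rules above route it out the WAN it came in on.
    run iptables -t mangle -A PREROUTING -i "$LAN" -j CONNMARK --restore-mark

    # DNAT port 1111 on each WAN to the internal server (port unchanged)
    run iptables -t nat -A PREROUTING -i "$WAN1" -p tcp --dport "$PORT" -j DNAT --to-destination "$SERVER"
    run iptables -t nat -A PREROUTING -i "$WAN2" -p tcp --dport "$PORT" -j DNAT --to-destination "$SERVER"

    # Strict rp_filter (1) drops packets whose best reverse route is not the
    # ingress interface, which a second gateway guarantees for one of the WANs.
    # Loose mode (2) still rejects unroutable sources but tolerates asymmetry,
    # so prefer it over disabling the check entirely.
    run sysctl -w net.ipv4.conf.all.rp_filter=2
    run sysctl -w "net.ipv4.conf.$WAN1.rp_filter=2"
    run sysctl -w "net.ipv4.conf.$WAN2.rp_filter=2"
}

# Apply only when explicitly asked (needs root): sh dualwan.sh apply
if [ "${1:-}" = apply ]; then policy_routing_setup; fi
```

Run with `RUN=echo sh dualwan.sh apply` first to review the generated rule set before applying it.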


* Re: Routing traffic over two gateways by fwmark
  2015-04-01 22:13 ` Pascal Hambourg
@ 2015-04-02 16:21   ` Matt Killock
  0 siblings, 0 replies; 3+ messages in thread
From: Matt Killock @ 2015-04-02 16:21 UTC (permalink / raw)
  To: Pascal Hambourg; +Cc: netfilter, netfilter-owner

On 2015-04-01 23:13, Pascal Hambourg wrote:
> Check the value of rp_filter for interface 1, interface 2 and all.

Ah ha! Yes, the rp_filter was enabled for all those interfaces. 
Disabling it on all has made it work again! Hoorah!

Many thanks!

Matt

