Problem with packet mangling over 2 links

Linux Advanced Routing and Traffic Control


Hi

I have a strange problem. I have a firewall with 3 NICs.

1 - lan
2 - leased line or diginet
3 - connected to adsl modem

I have 2 tables defined in /etc/iproute2/rt_tables:

200 diginet
201 adsl

The ADSL modem has an IP of 192.168.0.1 and is configured to initiate
the PPPoE connection. I can mark packets within the network destined
for port 80 successfully:

ip ro add default via x.x.x.x table diginet  # where x.x.x.x is the IP of the Cisco router
ip route add default via 192.168.0.1 dev eth2 table adsl
ip ru add fwmark 2 table adsl
ip ro fl ca

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 \
    -j MARK --set-mark 2
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT

That all works and if I do a tcpdump on eth2 I can see packets for web
traffic going out via ADSL.

The problem:

If I configure the ADSL modem to no longer make the PPPoE connection
but let the firewall do it, i.e. pppoe-setup / pppoe, then it doesn't
work. Here are the relevant netfilter and iproute2 steps I did.

ip ro add default via x.x.x.x table diginet  # where x.x.x.x is the IP of the Cisco router
ip ro add dev ppp0 table adsl
ip ro add default via x.x.x.x table adsl  # where x.x.x.x is the P-t-P addr from the output of ifconfig ppp0
ip ru add fwmark 2 table adsl
ip ro fl ca

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 \
    -j MARK --set-mark 2
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT

I have also set DEFROUTE=no and PEERDNS=no in /etc/ppp/pppoe.conf as
the diginet is still the default route but I only want web traffic out
on ADSL.

Some output from tcpdump showing this doesn't work:

[root@firewall ~]# tcpdump -i eth0 port 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
07:43:59.501397 IP 192.168.1.222.2867 > 66.249.93.104.80: S
2326997538:2326997538(0) win 5840 <mss 1460,sackOK,timestamp 6219115
0,nop,wscale 0>
07:44:02.495748 IP 192.168.1.222.2867 > 66.249.93.104.80: S
2326997538:2326997538(0) win 5840 <mss 1460,sackOK,timestamp 6219415
0,nop,wscale 0>
07:44:08.496618 IP 192.168.1.222.2867 > 66.249.93.104.80: S
2326997538:2326997538(0) win 5840 <mss 1460,sackOK,timestamp 6220015
0,nop,wscale 0>
07:44:20.498324 IP 192.168.1.222.2867 > 66.249.93.104.80: S
2326997538:2326997538(0) win 5840 <mss 1460,sackOK,timestamp 6221215
0,nop,wscale 0>

If anyone can shed some light on what I'm doing wrong or missing I'd
really appreciate it.

Michael
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
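As an added example (my own code, not part of the post above or of the LARTC archive): a small Python checker that reads what `ip rule show`, `ip route show table adsl` and the rp_filter sysctls print and reports whether the fwmark rule, the table's default route on ppp0 and the reverse-path filter settings are consistent. The table name, mark value and interface names are taken from the post; the sample command output is constructed. It accepts both `default dev ppp0` and `default via <peer> dev ppp0` in the table, and it flags strict rp_filter (which drops the asymmetric replies of marked flows) separately from rp_filter=0, since loose mode (2) keeps source validation while allowing the asymmetry.

```python
import re
import subprocess
def parse_rules(text):
    """Map table name -> fwmark value from `ip rule show` output."""
    rules = {}
    for line in text.splitlines():
        m = re.search(r"fwmark (0x[0-9a-fA-F]+|\d+)\S* lookup (\S+)", line)
        if m:
            rules[m.group(2)] = int(m.group(1), 0)
    return rules

def parse_default_dev(text):
    """Device of the default route in `ip route show table <t>` output, or None."""
    for line in text.splitlines():
        m = re.match(r"default\b.*?\bdev (\S+)", line)
        if m:
            return m.group(1)
    return None

def rp_filter_effective(iface):
    """Effective value is max(conf/all, conf/<iface>): 'echo 0 > .../all/rp_filter' alone may leave strict on."""
    vals = [int(open(f"/proc/sys/net/ipv4/conf/{n}/rp_filter").read()) for n in ("all", iface)]
    return max(vals)

def check_policy_routing(rule_text, table_routes, mark, table, uplink, rp_filter):
    """Return a list of problems (empty = consistent); table_routes: {table: `ip route show table` output}."""
    problems = []
    if parse_rules(rule_text).get(table) != mark:
        problems.append(f"no ip rule sends fwmark {mark} to table {table}")
    dev = parse_default_dev(table_routes.get(table, ""))
    if dev is None:
        problems.append(f"table {table} has no default route")
    elif dev != uplink:
        problems.append(f"table {table} default route uses {dev}, expected {uplink}")
    for iface, val in sorted(rp_filter.items()):
        if val == 1:   # replies to marked flows return on the uplink, but the main table routes their source elsewhere
            problems.append(f"{iface}: rp_filter=1 (strict) drops asymmetric replies; use 2 (loose)")
        elif val == 0:
            problems.append(f"{iface}: rp_filter=0 disables source validation; 2 (loose) is enough")
    return problems

# Constructed sample output shaped like the setup in the post (not captured from a real box).
SAMPLE_RULES = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x2 lookup adsl\n32766:\tfrom all lookup main\n"
SAMPLE_TABLES = {"adsl": "default dev ppp0 scope link\n"}
SAMPLE_RP = {"eth0": 0, "eth1": 0, "ppp0": 0}   # what 'echo 0 > .../conf/all/rp_filter' aims for

if __name__ == "__main__":   # live check with the post's names: table adsl, mark 2, uplink ppp0
    ip = lambda *a: subprocess.run(["ip", *a], capture_output=True, text=True).stdout
    rp = {i: rp_filter_effective(i) for i in ("eth0", "eth1", "ppp0")}
    routes = {"adsl": ip("route", "show", "table", "adsl")}
    print("\n".join(check_policy_routing(ip("rule", "show"), routes, 2, "adsl", "ppp0", rp)) or "ok")
```

Run it as root on the firewall after the ip/iptables steps; with the constructed samples the only findings are the three rp_filter=0 notes.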
