Well, I know two ways,
but I don't know what is right from the standpoint of a more experienced sysadmin.
Solution #1
Script that periodically does a "health check" of a link (i.e. route) by pinging
some reliable host (router) reachable via eth2.
See example below. Run it in background from another bash script like `chkroutes &`.
Or even try to connect to DNS-server with `nc` instead of pings:
`nc -c exit -w1 <ip_of_DNS_server> 53`
Because the ISP's equipment is exploited in this scenario,
I do not know whether it is acceptable according to netiquette.
If you want to react only to the interface going down on the gateway, you should
use something like "post-up", "post-down" in /etc/network/interfaces in Debian.
On post-up add rule in RPDB, on post-down you delete this entry.
For traffic switching you have three options:
- modify additional routing tables isp2: add/delete default route or
- modify RPDB rules: add/delete 'from all fwmark 0x4 lookup isp2' entry or even
- modify iptables rules - add/delete MARK rule.
Solution #2
Use dynamic routing protocols and daemons like zebra or quagga.
For me it looks like overkill in this simple situation.
And I still can't understand how exactly a routing daemon on the gateway finds that a route is dead.
So the applicability of dynamic routing for this purpose is still unclear to me.
=== chkroutes =======================================================================================
#!/bin/sh
# Remove the fwmark rule when TARGET stops answering via eth2, put it back when it answers again.
SWITCHED=0                    # 0 = rule present (normal), 1 = rule removed (failed over)
TARGET="<some_reliable_host>"
TABLE=inet2                   # must match your entry in /etc/iproute2/rt_tables (isp2 in the mail below)
test_route2_cycle()
{
    while true; do
        ping -I eth2 -c3 "$TARGET" >/dev/null 2>&1
        PING=$?
        if [ "$PING" -eq 0 ]; then
            # TARGET reachable: restore the rule only if it was removed earlier
            if [ "$SWITCHED" -eq 1 ]; then
                ip rule add from all fwmark 0x4 table "$TABLE"
                ip route flush cache
                SWITCHED=0
            fi
        else
            # TARGET unreachable: remove the rule once, so marked DNS falls back to the main table
            if [ "$SWITCHED" -eq 0 ]; then
                ip rule del from all fwmark 0x4 table "$TABLE"
                ip route flush cache
                SWITCHED=1
            fi
        fi
        sleep 10
    done
}
echo $$ > /var/run/chkroutes.pid
test_route2_cycle
==============================================================================================
NG> Hi..
NG> Thanks for the help. This worked excellent for me. I have another question on this.
NG> Suppose if I have 2 interfaces say eth2 and eth3. If I want to implement conditional routing, say ex, eth2 is down and all DNS traffic needs to redirect via eth3 upon detecting the link failure, how do I do that.
NG> Thanks
NG> Ganesh Netravali
NG> -----Original Message-----
NG> From: gapsf@xxxxxxxxx [mailto:gapsf@xxxxxxxxx]
NG> Sent: Wednesday, January 25, 2012 3:04 PM
NG> To: netfilter@xxxxxxxxxxxxxxx; Netravali Ganesh
NG> Subject: Re: Routing the DNS Traffic via specific interface.
NG> No. You should use "Policy routing" with MARK target in iptables.
NG> Mark outgoing DNS packets with iptables in mangle PREROUTING for example.
NG> # iptables -t mangle -A PREROUTING -p udp --dport 53 -j MARK --set-mark 0x4
NG> Create additional routing table with different routing rules.
NG> Add new entry in /etc/iproute2/rt_tables =========================================
NG> #
NG> # reserved values
NG> #
NG> 255 local
NG> 254 main
NG> 253 default
NG> 0 unspec
NG> #
NG> # local
NG> #
NG> #1 inr.ruhep
NG> 1 isp2 # <- new entry
NG> =========================================
NG> Then execute
NG> # ip route flush table isp2
NG> and add a default route into the newly created table
NG> # ip route add default via <ip_of_your_eth2_gateway> dev eth2 table isp2
NG> Add new policy in RPDB.
NG> # ip rule add from all fwmark 0x4 table isp2
NG> Check RPDB
NG> # ip rule show
NG> You should see something like this:
NG> 0: from all lookup local
NG> 32763: from all fwmark 0x4 lookup isp2
NG> 32766: from all lookup main
NG> 32767: from all lookup default
NG> In result: all traffic routed with main routing table, except marked DNS traffic routed via "isp2" routing table via its default route and iface.
NG> View picture http://postimage.org/image/nn9owf5x7/ for example.
NG>> Hi ..
NG>> I have 2 interfaces eth0 and eth1 on the system connected to different subnets. I need to route all the outgoing DNS traffic of the system via eth1 interface. Pls let me know if below IPTABLES rules is proper way ?
NG>> Block the output DNS traffic on eth0 interface.
NG>> iptables -A FORWARD -p udp -o eth0 --dport 53 -j DROP
NG>> Forward output DNS traffic from eth1 interface
NG>> iptables -A FORWARD -p udp -o eth1 --dport 53 -j ACCEPT
NG>> Thanks
NG>> Ganesh
NG>> --
NG>> To unsubscribe from this list: send the line "unsubscribe netfilter"
NG>> in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo
NG>> info at http://vger.kernel.org/majordomo-info.html
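An added example, not the list poster's chkroutes script and not code from anyone in the thread: the same fwmark 0x4 / table isp2 / eth2 pieces the thread uses, written so that the one-time setup and the failover decision are separate functions. The decision (decide) is pure and can be exercised without root or a real link; a failure threshold stops a single lost ping from flipping the rule; and the OUTPUT chain is marked alongside PREROUTING because DNS queries generated on the gateway itself never pass PREROUTING. The gateway and probe addresses (RFC 5737 documentation range), the table name, the threshold and the DRY_RUN switch are all assumptions or placeholders.

```shell
#!/bin/sh
# Added example, not the thread's script. Mark-based DNS failover with a
# testable decision function. DRY_RUN=1 (the default) prints the privileged
# ip/iptables commands instead of executing them.

MARK=0x4                                # fwmark set by the iptables MARK rule
TABLE=isp2                              # assumed: entry "1 isp2" in /etc/iproute2/rt_tables
PRIMARY_IF=eth2                         # interface whose health decides the rule
PRIMARY_GW="${PRIMARY_GW:-192.0.2.1}"   # placeholder gateway for eth2
TARGET="${TARGET:-192.0.2.53}"          # placeholder reliable host / DNS server to probe
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"   # consecutive failed probes before failing over
INTERVAL="${INTERVAL:-10}"
DRY_RUN="${DRY_RUN:-1}"

# Run a privileged command, or just show it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# One-time setup as described in the thread: mark DNS, give the mark its own
# table with a default route out of eth2, hook the mark to that table.
# OUTPUT is marked too: locally generated packets do not traverse PREROUTING.
print_setup() {
    run iptables -t mangle -A PREROUTING -p udp --dport 53 -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT     -p udp --dport 53 -j MARK --set-mark "$MARK"
    run ip route flush table "$TABLE"
    run ip route add default via "$PRIMARY_GW" dev "$PRIMARY_IF" table "$TABLE"
    run ip rule add from all fwmark "$MARK" table "$TABLE"
    run ip route flush cache
}

# Pure decision for one probe result.
#   $1 = 1 if the probe succeeded, 0 if it failed
#   $2 = current state: 0 = rule present (normal), 1 = rule removed (failed over)
#   $3 = consecutive failures seen before this probe
# Prints "<action> <new_failure_count>" where action is add, del or none.
decide() {
    d_ok=$1; d_sw=$2; d_fails=$3
    if [ "$d_ok" -eq 1 ]; then
        # link healthy: restore the rule if we had removed it, reset the counter
        if [ "$d_sw" -eq 1 ]; then echo "add 0"; else echo "none 0"; fi
    else
        d_fails=$((d_fails + 1))
        # only remove the rule once, and only after FAIL_THRESHOLD misses in a row
        if [ "$d_sw" -eq 0 ] && [ "$d_fails" -ge "$FAIL_THRESHOLD" ]; then
            echo "del $d_fails"
        else
            echo "none $d_fails"
        fi
    fi
}

# Apply an action from decide() to the RPDB.
apply() {
    case "$1" in
        add) run ip rule add from all fwmark "$MARK" table "$TABLE"; run ip route flush cache ;;
        del) run ip rule del from all fwmark "$MARK" table "$TABLE"; run ip route flush cache ;;
    esac
}

# Probe TARGET through the primary interface; prints 1 on success, 0 on failure.
probe() {
    if ping -I "$PRIMARY_IF" -c 1 -W 2 "$TARGET" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# Background loop, equivalent of the thread's test_route2_cycle.
monitor_loop() {
    switched=0; fails=0
    echo $$ > "${PIDFILE:-/var/run/chkroutes.pid}"
    while :; do
        set -- $(decide "$(probe)" "$switched" "$fails")
        action=$1; fails=$2
        apply "$action"
        case "$action" in add) switched=0 ;; del) switched=1 ;; esac
        sleep "$INTERVAL"
    done
}

# Usage: ./dnsfailover.sh setup   (print or apply the one-time setup)
#        ./dnsfailover.sh run &   (start the health-check loop)
case "${1:-}" in
    setup) print_setup ;;
    run)   monitor_loop ;;
esac
```

With DRY_RUN=0 and root privileges the same commands are executed instead of printed; keep DRY_RUN=1 first and compare the printed `ip rule` / `ip route` lines against `ip rule show` and `ip route show table isp2` on the gateway.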