  1. #1
    Just Joined! (Join Date: Sep 2009, Posts: 3)

    [SOLVED] iproute2 rule-based multi-homed SNAT problem


    Hello all,

    I googled for a couple of days but I can't get the following situation to work:

    local LAN (10.0.1.x) => Linux FW => ppp0 ADSL 1.1.1.1
    eth2 CABLE 2.2.2.2

    I mark packets from the local LAN to web pages (port 80) with a 2. This triggers the CABLE routing table to use eth2 for that traffic. That works great and is SNAT'ed perfectly in the direction of the internet. Problem is that returning packets are not sent back to the local net but are lost as soon as they arrive on eth2. conntrack sees them and tshark sees them, but the system does not forward them... I do have LOG entries in my iptables for all packets that are refused.

    Any help is very welcome.

    Thanks,
    Milo

    ===========================
    relevant part of ip tables:
    ===========================
    ...
    # Put the connection's saved mark back onto every packet (including replies) before routing
    $IPTABLES -A PREROUTING -t mangle -j CONNMARK --restore-mark
    $IPTABLES -A PREROUTING -t mangle -i eth0 -p tcp --dport 80 -j MARK --set-mark 2 # Mark web browsing for CABLE
    # Tag new connections with the uplink they were routed out of
    $IPTABLES -A POSTROUTING -t mangle -o ppp0 -m state --state NEW -j MARK --set-mark 1
    $IPTABLES -A POSTROUTING -t mangle -o eth2 -m state --state NEW -j MARK --set-mark 2
    # Remember the mark in conntrack for the lifetime of the connection
    $IPTABLES -A POSTROUTING -t mangle -m state --state NEW -j CONNMARK --save-mark
    ...
    # SNAT per uplink, keyed on the mark chosen above
    $IPTABLES -t nat -A POSTROUTING -o ppp0 -s 10.0.1.0/24 ! -d 10.0.0.0/8 -m mark --mark 1 -j SNAT --to-source 1.1.1.1
    $IPTABLES -t nat -A POSTROUTING -o eth2 -s 10.0.1.0/24 ! -d 10.0.0.0/8 -m mark --mark 2 -j SNAT --to-source 2.2.2.2
    ...

    ===========================
    conntrack -E -s 10.0.1.x
    ===========================
    [NEW] tcp 6 120 SYN_SENT src=10.0.1.3 dst=217.21.146.161 sport=1483 dport=80 [UNREPLIED] src=217.21.146.161 dst=95.96.84.156 sport=80 dport=1483 mark=2
    [UPDATE] tcp 6 59 SYN_RECV src=10.0.1.3 dst=217.21.146.161 sport=1483 dport=80 src=217.21.146.161 dst=95.96.84.156 sport=80 dport=1483 mark=2
    => Never reaches state ESTABLISHED

    ===========================
    ip rule
    ===========================
    0: from all lookup local
    50: from 2.2.2.2 iif lo lookup CABLE
    200: from all fwmark 0x2 iif eth2 lookup CABLE
    200: from all fwmark 0x2 iif eth0 lookup CABLE
    32766: from all lookup main
    32767: from all lookup default

    ===========================
    ip route list table CABLE
    ===========================
    10.0.1.0/24 dev eth0 scope link
    2.2.2.0/24 dev eth2 scope link metric 10
    127.0.0.0/8 dev lo scope link
    default via 2.2.2.1 dev eth2 metric 10

    ===========================
    ip route list table main
    ===========================
    1.1.1.2 dev ppp0 proto kernel scope link src 1.1.1.1
    192.168.100.0/24 dev eth2 proto kernel scope link src 192.168.100.99
    10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.2
    10.0.1.0/24 dev eth0 scope link
    2.2.2.0/24 dev eth2 scope link metric 10
    127.0.0.0/8 dev lo scope link
    default via 1.1.1.2 dev ppp0
    Last edited by milovdzee; 09-27-2009 at 07:11 PM. Reason: title change

  2. #2
    Just Joined! (Join Date: Sep 2009, Posts: 3)
    I had to disable rp_filter for the interface and now all is fine.

    Strange that the kernel seems to think the packet is spoofed. I don't understand why, so if anybody could explain that I would be an even more happy camper.
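
    Added example (not code from milovdzee's posts): a small Python model of the two lookups the kernel performs for this flow, built from the ip rule and ip route output in post #1 and the addresses in the conntrack lines. The forward lookup routes the marked SYN out of eth2, as observed. The reverse-path check for the returning SYN/ACK repeats a lookup with source and destination swapped; if that lookup does not see fwmark 2, only the main table's default via ppp0 is left, the route back to the web server disagrees with the arrival interface eth2, and strict rp_filter drops the packet as a martian. Whether the fwmark reaches that reverse lookup depends on the kernel version, so the model takes it (fwmark_seen) and the interface the lookup is keyed on (reverse_iif) as explicit assumptions rather than asserting what a 2009 kernel did.

```python
"""Model of the Linux policy-routing lookup and the reverse-path filter
(rp_filter) applied to the 'ip rule' / 'ip route' tables posted above.

Added example, not code from the original thread.  Rules, tables and
addresses are transcribed from the posts; 'reverse_iif' and 'fwmark_seen'
are modelling assumptions about the key of the kernel's reverse lookup.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str  # CIDR; 0.0.0.0/0 stands for "default"
    dev: str


@dataclass(frozen=True)
class Rule:
    prio: int
    table: str
    src: Optional[str] = None     # 'from' selector (None = from all)
    iif: Optional[str] = None     # 'iif' selector
    fwmark: Optional[int] = None  # 'fwmark' selector


# Transcribed from "ip route list table CABLE" / "... table main" above.
TABLES = {
    "CABLE": [Route("10.0.1.0/24", "eth0"), Route("2.2.2.0/24", "eth2"),
              Route("127.0.0.0/8", "lo"), Route("0.0.0.0/0", "eth2")],
    "main": [Route("1.1.1.2/32", "ppp0"), Route("192.168.100.0/24", "eth2"),
             Route("10.0.0.0/24", "eth1"), Route("10.0.1.0/24", "eth0"),
             Route("2.2.2.0/24", "eth2"), Route("127.0.0.0/8", "lo"),
             Route("0.0.0.0/0", "ppp0")],
}
# Transcribed from "ip rule" above, minus the kernel's prio-0 'local' rule.
RULES = [Rule(50, "CABLE", src="2.2.2.2", iif="lo"),
         Rule(200, "CABLE", iif="eth2", fwmark=2),
         Rule(200, "CABLE", iif="eth0", fwmark=2),
         Rule(32766, "main")]


def lookup_table(table: str, daddr: str) -> Optional[Route]:
    """Longest-prefix match inside a single table."""
    best = None
    for route in TABLES[table]:
        net = ip_network(route.prefix)
        if ip_address(daddr) in net and (
                best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = route
    return best


def fib_lookup(daddr: str, saddr: str = "", iif: str = "",
               fwmark: int = 0) -> Tuple[Optional[str], Optional[str]]:
    """Walk the rules by priority and return (table, output device).  A table
    with no matching route falls through to the next rule, so 'main' is the catch-all."""
    for rule in sorted(RULES, key=lambda r: r.prio):
        if rule.src is not None and saddr != rule.src:
            continue
        if rule.iif is not None and iif != rule.iif:
            continue
        if rule.fwmark is not None and fwmark != rule.fwmark:
            continue
        route = lookup_table(rule.table, daddr)
        if route is not None:
            return rule.table, route.dev
    return None, None


def rp_filter(mode: int, saddr: str, daddr: str, in_dev: str,
              reverse_iif: str, fwmark_seen: int = 0) -> bool:
    """Source validation of a forwarded packet.  mode 0: off.  mode 1 (strict):
    the route back to the source must leave via the arrival interface.  mode 2
    (loose, kernel >= 2.6.31): the source must merely be reachable somewhere."""
    if mode == 0:
        return True
    _, dev = fib_lookup(saddr, saddr=daddr, iif=reverse_iif, fwmark=fwmark_seen)
    if dev is None:
        return False  # unreachable source: a martian in every mode
    return True if mode == 2 else dev == in_dev


def effective_rp_filter(all_value: int, iface_value: int) -> int:
    """The kernel applies max(conf/all/rp_filter, conf/<iface>/rp_filter)."""
    return max(all_value, iface_value)


# The flow from the conntrack output above: 10.0.1.3 -> 217.21.146.161:80,
# marked 2 and SNATed out of eth2.  The SYN/ACK arrives on eth2 and is
# un-SNATed back to 10.0.1.3 in PREROUTING before the routing decision.
LAN_HOST, WEB_SERVER = "10.0.1.3", "217.21.146.161"


def outbound_path(fwmark: int) -> Tuple[Optional[str], Optional[str]]:
    """Routing of the marked SYN from the LAN (the half the poster saw working)."""
    return fib_lookup(WEB_SERVER, saddr=LAN_HOST, iif="eth0", fwmark=fwmark)


def reply_accepted(mode: int, fwmark_seen: int) -> bool:
    """Does the SYN/ACK on eth2 survive rp_filter?  The reverse lookup is keyed on
    the interface the reply is forwarded to (eth0); 'fwmark 0x2 iif eth0' only helps if the mark is visible."""
    return rp_filter(mode, saddr=WEB_SERVER, daddr=LAN_HOST, in_dev="eth2",
                     reverse_iif="eth0", fwmark_seen=fwmark_seen)


if __name__ == "__main__":
    print("outbound SYN, mark 2:", outbound_path(2), " no mark:", outbound_path(0))
    for mode in (1, 2, 0):
        print(f"rp_filter={mode}: accepted with mark seen/not seen =",
              reply_accepted(mode, 2), reply_accepted(mode, 0))
```

    Two things worth knowing on a real box. The drop happens in the routing stage, before the FORWARD chain, so iptables LOG rules never see it; net.ipv4.conf.eth2.log_martians=1 puts it in the kernel log instead. And the value the kernel applies is max(net.ipv4.conf.all.rp_filter, net.ipv4.conf.eth2.rp_filter), so clearing it on eth2 alone only works when 'all' is already 0. On 2.6.31 or later, rp_filter=2 (loose mode) accepts the reply as long as the source is reachable via any interface, which keeps some anti-spoofing on eth2 instead of switching it off entirely.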
