iptables and marking TCP traffic originating within
Skip down to the summary part if you're in a hurry!
I'm wondering if anyone might be able to help me here. I'm working on a research project and as part of our testbed we're setting up Linux PCs (running the latest Fedora) that are meant to emulate traffic of multiple hosts across the network – basically creating virtual hosts on a single host PC.
Each Linux PC is running multiple instances of traffic generating software, and is configured with multiple IP addresses on the eth0 interface (one IP address for each instance of the traffic software). Each instance of the traffic generator will create TCP traffic with a different source port. The goal is for this unique source port to allow for differentiation between multiple virtual hosts (and thus allow for the TCP traffic to use the correct source IP address). We do this by choosing an IP address based upon the source port of the TCP traffic.
Setting up the ability to receive traffic for multiple IP addresses on a single interface was not a problem. Sending traffic with different source IP addresses over a single interface is the issue that we are concerned about. The way in which I went about solving this problem appears to be the correct one.
I set up multiple routing tables, one for each IP address (or virtual host). All routing details in each table were the same except for the src IP address for the routes.
I then used iptables in an attempt to mark all TCP traffic that had a particular source port.
I then set up rules like so:
ip rule add fwmark 1 table 1
ip rule add fwmark 2 table 2
and so on...
Here is how this should have worked:
My traffic generator creates TCP traffic with source port 1232 to represent traffic generated by virtual host #2. iptables catches these packets and marks them with a '2'. The ip rule for fwmark 2 then uses table 2 to route this traffic. Table 2 sets the src IP address for all routes to the corresponding IP address of virtual host #2.
Long story short, I couldn't get the marking to work. Rules using specific marks would be skipped, and further testing has proven to me that I am failing to mark this traffic. Here is an example of what I used for iptables to mark by source port:
iptables -t mangle -A OUTPUT -p tcp --source-port 1231 -j MARK --set-mark 1   # MARK's option is --set-mark (singular); --set-marks is not a valid option
iptables -t mangle -A OUTPUT -p tcp --source-port 1232 -j MARK --set-mark 2   # mark 2 is what "ip rule add fwmark 2 table 2" keys on
and so on...
My question: Does anyone know how to mark TCP traffic originating within the PC by source port? It seems to me like the above should have worked. Since I'm new to iptables (and Linux networking in general), I attempted this with every single hook (PREROUTING, INPUT, etc.) for the mangle table, all without any luck.
Any ideas, or alternate ways to do what I'm trying to do?
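An added example, not from the original post, that emits the per-host MARK and ip rule lines described above and reads the mangle OUTPUT packet counters to tell whether a source-port match ever fires; the port numbers, marks, table numbers and eth0 are assumed, and the counter listing is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: virtual host N uses
# source port 123N, fwmark N and routing table N (as in the post); eth0 is the
# outgoing interface.

# Print the two rules that tie one source port to one routing table.
# The MARK target option is --set-mark (singular); iptables rejects --set-marks.
mark_rules() {
    mark=$1
    sport=$2
    printf 'iptables -t mangle -A OUTPUT -p tcp --sport %s -j MARK --set-mark %s\n' "$sport" "$mark"
    printf 'ip rule add fwmark %s table %s\n' "$mark" "$mark"
}

# Read `iptables -t mangle -L OUTPUT -v -n -x` output on stdin and print the
# packet counter of the MARK rule matching source port $1 (0 if absent).
# A counter stuck at 0 while the generator runs means the match never fires,
# which separates "rule never matches" from "mark set but routing ignores it".
mark_hits() {
    awk -v port="$1" '
        $3 == "MARK" && $0 ~ ("spt:" port "( |$)") { print $1; found = 1; exit }
        END { if (!found) print 0 }'
}

# Constructed sample of the counter listing, standing in for a live system.
SAMPLE='Chain OUTPUT (policy ACCEPT 100 packets, 8000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     2520 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:1232 MARK set 0x2
       0        0 MARK       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:1231 MARK set 0x1'

# Emit the rule set for virtual hosts 1 and 2, then report which marks are hit.
# Run the printed lines as root; for a live check replace SAMPLE with:
#   iptables -t mangle -L OUTPUT -v -n -x | mark_hits 1232
# and `ip route get 192.0.2.1 mark 2` shows the table and src the mark selects.
for n in 1 2; do
    mark_rules "$n" "123$n"
done
for p in 1231 1232; do
    printf 'port %s: %s packets marked\n' "$p" "$(printf '%s\n' "$SAMPLE" | mark_hits "$p")"
done
```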