
Wednesday, September 05, 2012

Re: fwmark not run?

Sorry, there is an error.

The IP address 10.29.0.0/255.255.255.0 is 10.0.2.0/255.255.255.0 in the
message.

Regards

On 05/09/12 15:38, Francisco J. Bejarano wrote:
> Hi
>
> I have a problem with firewall iptables and routing rules (iproute2). I
> describe my case:
>
> Debian 4 --> Upgraded to Debian 6.0.5. In Debian 4 everything ran OK. In Debian
> 6.0.5...
>
> I have three routing tables tb1, tb2 and tb3. These tables have a default
> route through adsl1, adsl2 and adsl3 respectively. The routing tables
> and routes are working properly.
>
> The firewall (machine) works as a router for five different networks with
> 5 different eth interfaces: eth1 (net1), eth2 (net2), eth3 (adsl3), eth4
> (to adsl1 and adsl2).
>
> I need the traffic passing through the firewall (forward) from net1 to
> go through adsl1 if the destination port is 22 or 500, for example,
> but if the destination port is another one, to go to adsl3.
>
> I need the traffic passing through the firewall (forward) from net2 to
> go through adsl2 if the destination port is 22 or 500, for example,
> but if the destination port is another one, to go to adsl3.
>
> I have created some rules in the firewall within the mangle table
> PREROUTING chain to mark packets before the routing decision.
>
> #network2 marked with 2
>
> iptables -t mangle -A PREROUTING -s 10.29.0.0/255.255.255.0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x2
> iptables -t mangle -A PREROUTING -s 10.29.0.0/255.255.255.0 -p udp -m udp -m multiport --dports 500,4500 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x2
> iptables -t mangle -A OUTPUT -s 10.29.0.0/255.255.255.0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x2
> iptables -t mangle -A OUTPUT -s 10.29.0.0/255.255.255.0 -p udp -m udp -m multiport --dports 500,4500 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x2
>
> #all packets (network1 included) marked with 1
> iptables -t mangle -A PREROUTING -p tcp -m tcp -m multiport --dports 22,22022,16022,1723 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x1
> iptables -t mangle -A PREROUTING -p udp -m udp -m multiport --dports 500,4500 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x1
> iptables -t mangle -A OUTPUT -p tcp -m tcp -m multiport --dports 22,22022,16022,1723 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x1
> iptables -t mangle -A OUTPUT -p udp -m udp -m multiport --dports 500,4500 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x1
>
> And I have created some rules in table nat
>
> iptables -t nat -A POSTROUTING -o eth4 -j MASQUERADE
> iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE
>
> Ok. I have some ip rules too.
>
> # ip rule
> 0: from all lookup local
> 30010: from all fwmark 0x2 lookup adsl2
> 30020: from all fwmark 0x1 lookup adsl1
> 30030: from 10.0.2.0/24 lookup adsl3
> 30040: from 10.0.1.0/24 lookup adsl3
> 30060: from all lookup main
> 30070: from all lookup default
>
> Ok. Does anyone know what I can be doing wrong? Did the way packets are
> marked in the iptables firewall change?
>
> I log the packets in the system log that are marked with 1 or 2 and the
> logs show that there is traffic being marked with 1 and 2, but after that
> the traffic is not sent to the correct routing tables. Is it a bug in ip rule
> or something? The log:
>
> Sep 5 15:24:55 firewall kernel: [1883719.204551] fwmark 1: IN=eth1 OUT= MAC=00:18:8b:f9:f3:34:00:24:8c:de:c8:fb:08:00 SRC=10.0.1.153 DST=192.168.100.139 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=1436 DF PROTO=TCP SPT=57856 DPT=22 WINDOW=16323 RES=0x00 ACK FIN URGP=0 MARK=0x1
> Sep 5 15:24:55 firewall kernel: [1883719.205085] fwmark 1: IN=eth1 OUT= MAC=00:18:8b:f9:f3:34:00:24:8c:de:c8:fb:08:00 SRC=10.0.1.153 DST=192.168.100.139 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=1437 DF PROTO=TCP SPT=57856 DPT=22 WINDOW=16323 RES=0x00 ACK URGP=0 MARK=0x1
> Sep 5 15:25:20 firewall kernel: [1883744.276724] fwmark 2: IN=eth2 OUT= MAC=00:0d:88:c5:ba:33:20:cf:30:d3:a6:d5:08:00 SRC=10.0.2.226 DST=10.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=8254 DF PROTO=TCP SPT=52845 DPT=22 WINDOW=2641 RES=0x00 ACK URGP=0 MARK=0x2
> Sep 5 15:25:20 firewall kernel: [1883744.280404] fwmark 2: IN=eth2 OUT= MAC=00:0d:88:c5:ba:33:20:cf:30:d3:a6:d5:08:00 SRC=10.0.2.226 DST=10.0.2.1 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=8255 DF PROTO=TCP SPT=52845 DPT=22 WINDOW=2641 RES=0x00 ACK PSH URGP=0 MARK=0x2
>
> Please, I need help with this issue. All my work network is in a
> degraded state and I don't know how to solve this issue.
>
> Thanks in advance
> (Sorry for my english)
>


--
-----------------------------------------------------------------
Francisco J. Bejarano
Responsable de Sistemas
Dpt. Sistemas e Infraestructuras
Open Knowledge Network S.L.
francisco.bejarano@openknowledgenetwork.com
Tel. (+34) 902 534 004
Fax. (+34) 917 266 476
-----------------------------------------------------------------


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/50475F8F.1090208@openknowledgenetwork.com
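The script below is an added example, not code from the mail or from Debian. It replays the quoted mangle PREROUTING rules and the `ip rule` list over kernel LOG lines offline, under two documented semantics: the iptables MARK target is non-terminating and `--set-mark VALUE` without a mask replaces the whole mark, so the last matching rule decides; and `ip rule` entries are tried in ascending priority, the first match choosing the table. It uses 10.0.2.0/24 for network2 per the correction at the top of the reply, treats the `-m state` matches as satisfied, leaves out the `local` table, and assumes adsl1/adsl2/adsl3/main each hold a default route. The first two log lines are quoted from the mail; the other two, and the helper names, are constructed for this example. The mail does not show where the LOG rules sit relative to the two MARK blocks; if they sit between the blocks, the logged mark is an intermediate value, and the audit compares it with the mark the routing decision actually sees.

```python
"""Offline replay of the fwmark policy-routing setup quoted above (added
example, not code from the mail or from Debian).  Models two documented
behaviours: iptables MARK is non-terminating and --set-mark without a mask
replaces the whole mark, so the last matching rule wins; ip rule entries are
tried in ascending priority and the first match picks the table."""
import ipaddress
import re

# Mangle PREROUTING rules as quoted, in order; 10.29.0.0/24 replaced by
# 10.0.2.0/24 per the correction in the reply.  The -m state matches are
# assumed to succeed (NEW,RELATED,ESTABLISHED admits all but INVALID).
PREROUTING_RULES = [  # (source net or None for any, proto, dports, mark)
    ("10.0.2.0/24", "TCP", {22}, 0x2),
    ("10.0.2.0/24", "UDP", {500, 4500}, 0x2),
    (None, "TCP", {22, 22022, 16022, 1723}, 0x1),
    (None, "UDP", {500, 4500}, 0x1),
]

# ip rule entries as quoted, ascending priority.  "lookup local" is left out
# (it only matches the firewall's own addresses, which are not modelled);
# adsl1/adsl2/adsl3/main are assumed to hold a default route, as stated.
IP_RULES = [
    ({"fwmark": 0x2}, "adsl2"),
    ({"fwmark": 0x1}, "adsl1"),
    ({"from": "10.0.2.0/24"}, "adsl3"),
    ({"from": "10.0.1.0/24"}, "adsl3"),
    ({}, "main"),
]

# First two lines are quoted from the mail; the last two are constructed.
SAMPLE_LOG = [
    "Sep 5 15:24:55 firewall kernel: [1883719.204551] fwmark 1: IN=eth1 OUT= "
    "MAC=00:18:8b:f9:f3:34:00:24:8c:de:c8:fb:08:00 SRC=10.0.1.153 "
    "DST=192.168.100.139 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=1436 DF "
    "PROTO=TCP SPT=57856 DPT=22 WINDOW=16323 RES=0x00 ACK FIN URGP=0 MARK=0x1",
    "Sep 5 15:25:20 firewall kernel: [1883744.276724] fwmark 2: IN=eth2 OUT= "
    "MAC=00:0d:88:c5:ba:33:20:cf:30:d3:a6:d5:08:00 SRC=10.0.2.226 "
    "DST=10.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=8254 DF PROTO=TCP "
    "SPT=52845 DPT=22 WINDOW=2641 RES=0x00 ACK URGP=0 MARK=0x2",
    "Sep 5 15:26:02 firewall kernel: [1883786.000001] fwmark 2: IN=eth2 OUT= "
    "SRC=10.0.2.40 DST=203.0.113.7 LEN=320 PROTO=UDP SPT=500 DPT=500 MARK=0x2",
    "Sep 5 15:26:10 firewall kernel: [1883794.000001] fwmark 0: IN=eth2 OUT= "
    "SRC=10.0.2.40 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=40001 DPT=80",
]

def parse_log_line(line):
    """Pull the key=value fields the model needs out of a kernel LOG line."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    return {"src": ipaddress.ip_address(fields["SRC"]), "proto": fields["PROTO"],
            "dport": int(fields["DPT"]),
            "logged_mark": int(fields.get("MARK", "0x0"), 16)}

def mangle_mark(pkt):
    """Mark the routing decision sees after the whole PREROUTING chain ran."""
    mark = 0
    for net, proto, ports, value in PREROUTING_RULES:
        if net is not None and pkt["src"] not in ipaddress.ip_network(net):
            continue
        if pkt["proto"] == proto and pkt["dport"] in ports:
            mark = value  # non-terminating target: a later match overwrites
    return mark

def select_table(src, mark):
    """Table chosen by the first ip rule whose selectors all match."""
    for sel, table in IP_RULES:
        if "fwmark" in sel and sel["fwmark"] != mark:
            continue
        if "from" in sel and src not in ipaddress.ip_network(sel["from"]):
            continue
        return table
    return "default"

def classify(src, proto, dport):
    """(final mark, table) for one synthetic packet."""
    pkt = {"src": ipaddress.ip_address(src), "proto": proto, "dport": dport}
    mark = mangle_mark(pkt)
    return mark, select_table(pkt["src"], mark)

def audit(lines):
    """Per log line: table implied by the logged mark versus the table the
    modelled chain yields; a mismatch means a later --set-mark overrode it."""
    out = []
    for line in lines:
        pkt = parse_log_line(line)
        modelled = mangle_mark(pkt)
        out.append({"src": str(pkt["src"]), "dport": pkt["dport"],
                    "logged_mark": pkt["logged_mark"], "modelled_mark": modelled,
                    "table_from_log": select_table(pkt["src"], pkt["logged_mark"]),
                    "table_modelled": select_table(pkt["src"], modelled)})
    return out

if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        print(r, "" if r["table_from_log"] == r["table_modelled"] else "<-- overwritten")
```

Run as a script it prints one record per logged packet. The check worth making before reordering anything is the two table columns: with both PREROUTING blocks present, the later catch-all `--set-mark 0x1` replaces the `0x2` set for network2 traffic to port 22 or 500/4500, so the `fwmark 0x2` rule in `ip rule` never sees those packets and they are routed by the `fwmark 0x1` entry instead. Logging only at the point of marking hides that, because the LOG target records whatever the mark is when the rule fires, not the value left at the end of the chain.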
