advanced routing packets from localhost

ESGLinux esggrupos at gmail.com
Fri Dec 11 08:38:11 UTC 2009 

2009/12/10 Moby <moby at mobsternet.com>

>
>
> On 12/10/2009 10:54 AM, ESGLinux wrote:
>
>> Hello,
>>
>> The problem with that is that the routing decision is made before the
>> packets get marked, so although I get the packets marked they follow the
>> route decided in the previous steps
>>
>> you can see this steps in this web:
>>
>> http://www.linuxtopia.org/Linux_Firewall_iptables/c951.html
>>
>> <http://www.linuxtopia.org/Linux_Firewall_iptables/c951.html>or am I
>> doing
>> anything wrong?
>>
>> Thanks,
>>
>> ESG
>>
>>
>> 2009/12/10 Moby<moby at mobsternet.com>
>>
>>
>>
>>>
>>>> For local traffic, set your mark on all traffic originiating from
>>>>
>>>>
>>> 127.0.0.1 and other local IPs of the machine sent to destination port 80
>>> or
>>> 443.
>>>
>>> --
>>> --Moby
>>>
>>> They that can give up essential liberty to obtain a little temporary
>>> safety
>>> deserve neither liberty nor safety.  -- Benjamin Franklin
>>>
>>>
>>> --
>>> redhat-list mailing list
>>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>>> https://www.redhat.com/mailman/listinfo/redhat-list
>>>
>>>
>>>
>>
> I looked at the link you posted, and most I can say is perhaps the document
> there needs some correct.
> I have the following line in my config:
>    iptables -t mangle -A PREROUTING -s 127.0.0.0/24 -j MARK --set-mark 2
> and I know for sure it works.
> You may perhaps want to try something along these lines and see what
> happens in your case?
>
>
>
Hi Moby,

I have tried with this lines:

iptables -t mangle -A PREROUTING -s 127.0.0.0/24 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -s 192.168.2.0/24 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -s 192.168.1.1/32 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -s 192.168.3.0/24 -j MARK --set-mark 2

#ip route flush cache

and the traffic from the LAN goes to the gw1, but the traffic from the
firewall goest to gw0.
The packets gets marked from the first rule:
iptables -nvx -L -t mangle
.....
  949   124702 MARK       all  --  *      *       127.0.0.0/24
0.0.0.0/0           MARK set 0x2
       0        0 MARK       all  --  *      *       192.168.2.0/24
0.0.0.0/0           MARK set 0x2
       0        0 MARK       all  --  *      *       192.168.1.1
0.0.0.0/0           MARK set 0x2
      11     6336 MARK       all  --  *      *       192.168.3.0/24
0.0.0.0/0           MARK set 0x2
......

but they don´t get routed to the correct gateway...

I think the doc form iptables is right. (I have seen this info repeated in
many webs)


Greetings,

ESG





> --
> --Moby
>
> They that can give up essential liberty to obtain a little temporary safety
> deserve neither liberty nor safety.  -- Benjamin Franklin
>
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
>

More information about the redhat-list mailing list