advanced routing packets from localhost
ESGLinux
esggrupos at gmail.com
Fri Dec 11 08:38:11 UTC 2009
2009/12/10 Moby <moby at mobsternet.com>
>
>
> On 12/10/2009 10:54 AM, ESGLinux wrote:
>
>> Hello,
>>
>> The problem with that is that the routing decision is made before the
>> packets get marked, so although I get the packets marked they follow the
>> route decided in the previous steps
>>
>> You can see these steps on this web page:
>>
>> http://www.linuxtopia.org/Linux_Firewall_iptables/c951.html
>>
>> Or am I doing anything wrong?
>>
>> Thanks,
>>
>> ESG
>>
>>
>> 2009/12/10 Moby<moby at mobsternet.com>
>>
>>
>>
>>>> For local traffic, set your mark on all traffic originating from
>>>> 127.0.0.1 and other local IPs of the machine sent to destination port 80
>>>> or 443.
>>>
>>> --
>>> --Moby
>>>
>>> They that can give up essential liberty to obtain a little temporary
>>> safety
>>> deserve neither liberty nor safety. -- Benjamin Franklin
>>>
>>>
>>> --
>>> redhat-list mailing list
>>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>>> https://www.redhat.com/mailman/listinfo/redhat-list
>>>
>>>
>>>
>>
> I looked at the link you posted, and the most I can say is that perhaps the
> document there needs some correction.
> I have the following line in my config:
> iptables -t mangle -A PREROUTING -s 127.0.0.0/24 -j MARK --set-mark 2
> and I know for sure it works.
> You may perhaps want to try something along these lines and see what
> happens in your case?
>
>
>
Hi Moby,
I have tried with these lines:
iptables -t mangle -A PREROUTING -s 127.0.0.0/24 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -s 192.168.2.0/24 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -s 192.168.1.1/32 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -s 192.168.3.0/24 -j MARK --set-mark 2
#ip route flush cache
and the traffic from the LAN goes to gw1, but the traffic from the
firewall goes to gw0.
The packets get marked by the first rule:
iptables -nvx -L -t mangle
.....
    pkts      bytes target     prot opt in     out     source               destination
     949     124702 MARK       all  --  *      *       127.0.0.0/24         0.0.0.0/0           MARK set 0x2
       0          0 MARK       all  --  *      *       192.168.2.0/24       0.0.0.0/0           MARK set 0x2
       0          0 MARK       all  --  *      *       192.168.1.1          0.0.0.0/0           MARK set 0x2
      11       6336 MARK       all  --  *      *       192.168.3.0/24       0.0.0.0/0           MARK set 0x2
......
but they don't get routed to the correct gateway...
I think the doc from iptables is right (I have seen this info repeated on
many web pages).
Greetings,
ESG
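Added example, not from the thread and not Moby's or ESG's configuration: a POSIX shell script that builds a complete fwmark policy-routing rule set for both forwarded LAN traffic and traffic generated on the firewall itself. The gateway 10.0.1.1, interface eth1, routing table 100 and the port filter 80,443 are assumptions for illustration; the mark value 2 and the LAN networks are taken from the rules posted in the thread. It is built around two points the thread circles: packets generated on the firewall never pass through PREROUTING at all, so the mark for them has to be set in the mangle OUTPUT chain (the kernel makes an initial routing decision, runs OUTPUT, and re-runs the routing decision if the mark changed); and a PREROUTING rule on -s 127.0.0.0/24 matches only packets arriving over the loopback interface, which is why its counter climbs without affecting anything that leaves toward gw0 or gw1. Because the source address of a locally generated packet was chosen at the first routing decision, the rerouted traffic is also masqueraded on the gw1 interface so replies come back the same way.

```shell
#!/bin/sh
# Added example (not from the thread): fwmark policy routing that covers
# forwarded LAN traffic AND traffic generated on the firewall itself.
# GW1, WAN1_IF, TABLE and PORTS are assumptions for illustration; MARK and
# the LAN networks come from the rules posted in the thread.
set -eu

MARK=2                                   # fwmark, as in the thread's --set-mark 2
TABLE=100                                # routing table holding the gw1 default route (assumed)
GW1=10.0.1.1                             # second upstream gateway (assumed)
WAN1_IF=eth1                             # interface that reaches gw1 (assumed)
LAN_NETS="192.168.2.0/24 192.168.3.0/24" # networks from the thread's PREROUTING rules
PORTS=80,443                             # web traffic, as Moby suggested (assumed filter)

# Print the rule set, one command per line, so it can be reviewed before
# anything is applied.
policy_route_rules() {
    # Routing table for gw1 and the policy rule that selects it by fwmark.
    echo "ip route replace default via $GW1 dev $WAN1_IF table $TABLE"
    echo "ip rule add fwmark $MARK table $TABLE"

    # Forwarded traffic enters through PREROUTING, which runs before the
    # forwarding routing decision, so a mark set here is honoured.
    for net in $LAN_NETS; do
        echo "iptables -t mangle -A PREROUTING -s $net -p tcp -m multiport --dports $PORTS -j MARK --set-mark $MARK"
    done

    # Locally generated packets never traverse PREROUTING. They get an initial
    # route, then pass the mangle OUTPUT chain, and the kernel re-runs the
    # routing decision if the mark changed there. A '-s 127.0.0.0/24' rule in
    # PREROUTING only ever sees packets arriving over lo.
    echo "iptables -t mangle -A OUTPUT -p tcp -m multiport --dports $PORTS -j MARK --set-mark $MARK"

    # The source address was picked at the first routing decision (gw0's
    # interface), so rewrite it for packets that leave via the gw1 interface.
    echo "iptables -t nat -A POSTROUTING -o $WAN1_IF -j MASQUERADE"

    # Make the new policy rule take effect for already-cached routes.
    echo "ip route flush cache"
}

# Apply the rule set as root, or just print it when DRY_RUN=1.
apply_policy_route() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        policy_route_rules
        return 0
    fi
    policy_route_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
}

# Read a rule set on stdin; exit 0 if it marks locally generated traffic
# (a MARK rule in the mangle OUTPUT chain), 1 otherwise. A PREROUTING-only
# rule set like the one in the thread fails this check.
covers_local_traffic() {
    grep -q 'mangle -A OUTPUT .*-j MARK'
}
```

Run `DRY_RUN=1 apply_policy_route` first and read the output; then apply as root and start a connection to a web server from the firewall itself. The counter on the OUTPUT rule in `iptables -t mangle -nvx -L OUTPUT` should climb, and `ip rule show` should list the fwmark rule ahead of the main table.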