iptables + multiple gateways not firewalling
Werner Schram
wrschram at gmail.com
Sat Dec 12 12:31:36 UTC 2009
Ian Coetzee wrote:
>>>> ip ru sh
>>>> 0: from all lookup local
>>>> 32765: from all fwmark 0x10 lookup mail
>>>> 32766: from all lookup main
>>>> 32767: from all lookup default
>>>>
>>>> ip ro sh table mail
>>>> default via 111.111.111.49 dev eth1
>>>>
> Ok after rethinking my strategy, I made some changes and now I am
> logging packets, and this is what I saw
>
> Dec 12 14:05:50 proxy kernel: [11676.519480] IN= OUT=eth0
> SRC=192.168.1.3 DST=196.43.0.142 LEN=60 TOS=0x10 PREC=0x00 TTL=64
> ID=60433 DF PROTO=TCP SPT=54928 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
> MARK=0x10
>
> Notice that it is marked, but still gets routed out through eth0....
>
> I think my routing table is flawed :(
>
>
According to the ip man page:

Each policy routing rule consists of a selector and an action predicate. The RPDB is scanned in the order of increasing priority. The selector of each rule is applied to {source address, destination address, incoming interface, tos, fwmark} and, if the selector matches the packet, the action is performed. The action predicate may return with success. In this case, it will either give a route or failure indication and the RPDB lookup is terminated. Otherwise, the RPDB program continues on the next rule.
So the rules are evaluated in order of the priority given to them, and
evaluation stops once a rule is matched. So I think that because your
SMTP traffic matches rule 0, rule 32765 will not be evaluated. So
editing rule 0 to not match 0x10 should solve this problem.
Werner
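The lookup semantics in the man page excerpt, applied to the rules and the kernel LOG line quoted in this thread, as an added diagnostic in Python (not code from the thread): it parses `ip rule` and `ip route` output, walks the rules in priority order, moves on when a table lookup yields no route for the destination, and compares the predicted egress interface with the OUT= interface the kernel logged. The contents of the 'local' and 'main' tables are assumed, since the thread does not show them.

```python
import re
import ipaddress

# Constructed from the thread: the `ip ru sh` output, `ip ro sh table mail`, and the kernel
# LOG line. The 'local' and 'main' tables are not shown there; their contents are assumed
# for a host with 192.168.1.3 on eth0 whose main-table default route leaves via eth0.
RULES_TEXT = """\
0: from all lookup local
32765: from all fwmark 0x10 lookup mail
32766: from all lookup main
32767: from all lookup default
"""
TABLES = {
    "local": "local 192.168.1.3 dev eth0 proto kernel scope host src 192.168.1.3\n",
    "mail": "default via 111.111.111.49 dev eth1\n",
    "main": "192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.3\n"
            "default via 192.168.1.1 dev eth0\n",
}
LOG_LINE = ("Dec 12 14:05:50 proxy kernel: [11676.519480] IN= OUT=eth0 SRC=192.168.1.3 "
            "DST=196.43.0.142 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=60433 DF PROTO=TCP "
            "SPT=54928 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x10")
RULE_RE = re.compile(r"(\d+):\s+from \S+(?: fwmark (\S+))? lookup (\S+)")
ROUTE_RE = re.compile(r"^(?:local |broadcast )?(default|[\d.]+(?:/\d+)?) (?:via \S+ )?dev (\S+)")

def parse_rules(text):
    """[(priority, fwmark or None, table)] in RPDB scan order (increasing priority)."""
    return sorted(((int(p), int(m, 0) if m else None, t) for p, m, t in RULE_RE.findall(text)), key=lambda r: r[0])

def lookup(table_text, dst):
    """Longest-prefix match of dst in one table; None means no route, so the RPDB moves on."""
    best = None
    for m in filter(None, map(ROUTE_RE.match, table_text.splitlines())):
        prefix, dev = m.groups()
        net = ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix, strict=False)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def expected_egress(dst, mark, rules_text=RULES_TEXT, tables=TABLES):
    """Skip rules whose fwmark selector does not match; stop at the first table that routes dst."""
    for _prio, rule_mark, table in parse_rules(rules_text):
        if rule_mark is None or rule_mark == mark:
            dev = lookup(tables.get(table, ""), dst)
            if dev:
                return table, dev
    return None, None

def check_log_line(line, rules_text=RULES_TEXT, tables=TABLES):
    """Compare the OUT= interface the kernel used with what the RPDB predicts for DST/MARK."""
    kv = dict(re.findall(r"(\w+)=(\S*)", line))
    table, dev = expected_egress(kv["DST"], int(kv.get("MARK", "0"), 0), rules_text, tables)
    return {"expected": dev, "table": table, "actual": kv["OUT"],
            "mismatch": dev is not None and dev != kv["OUT"]}
```

For the quoted LOG line the check predicts eth1 via table mail but sees OUT=eth0, which is the mismatch the thread is chasing; a destination that is local to the host resolves in the 'local' table at rule 0 regardless of its mark.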