iptables + multiple gateways not firewalling
Ian Coetzee
ubuntu at iancoetzee.za.net
Sat Dec 12 13:25:38 UTC 2009
On Sat, Dec 12, 2009 at 2:31 PM, Werner Schram <wrschram at gmail.com> wrote:
> Ian Coetzee wrote:
>>>>> ip ru sh
>>>>> 0: from all lookup local
>>>>> 32765: from all fwmark 0x10 lookup mail
>>>>> 32766: from all lookup main
>>>>> 32767: from all lookup default
>>>>>
>>>>> ip ro sh table mail
>>>>> default via 111.111.111.49 dev eth1
>>>>>
>> Ok after rethinking my strategy, I made some changes and now I am
>> logging packets, and this is what I saw
>>
>> Dec 12 14:05:50 proxy kernel: [11676.519480] IN= OUT=eth0
>> SRC=192.168.1.3 DST=196.43.0.142 LEN=60 TOS=0x10 PREC=0x00 TTL=64
>> ID=60433 DF PROTO=TCP SPT=54928 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
>> MARK=0x10
>>
>> Notice that it is marked, but still gets routed out through eth0....
>>
>> I think my routing table is flawed :(
>>
>>
> According to the ip man page:
> Each policy routing rule consists of a selector and an action predicate.
> The RPDB is scanned in the order of increasing priority. The selector of
> each rule is applied to {source address, destination address, incoming
> interface, tos, fwmark} and, if the selector matches the packet, the
> action is performed. The action predicate may return with success. In
> this case, it will either give a route or failure indication and the
> RPDB lookup is terminated. Otherwise, the RPDB program continues on the
> next rule.
>
> So the rules are evaluated in order of the priority given to them, and
> evaluation stops once a rule is matched. So I think that because your
> SMTP traffic matches rule 0, rule 32765 will not be evaluated. So
> editing rule 0 to not match 0x10 should solve this problem.
That makes sense...
Ok, trying to make rule 0 NOT match SMTP traffic: looking at the table,
it's full of local and broadcast routes, nothing on the servers I am
trying to SMTP to.
I added the route to the server I am trying to connect to, to the main
table and it works, and when I remove it again, I am back to square
one...
I am just going to take my mind off it at the moment, maybe phone a
friend or two :) and try again later (when I get a bright spark of
insanity :) ).
Thank you for the help so far
Regards
Ian
>
> Werner
>
> --
> ubuntu-users mailing list
> ubuntu-users at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>
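An added example, not code from the thread or from either poster: the fwmark-based setup the thread is circling, written out as a script in the shape of Ian's configuration. The interface names, the 0x10 mark, the "mail" table name, the 111.111.111.49 gateway and the 192.168.1.3 source address come from the quoted lines; the eth1 address 111.111.111.50, the LAN subnet and the helper names (run, configure_mail_routing, verify_mail_route) are assumptions. It also assumes "mail" is listed in /etc/iproute2/rt_tables and that the installed iproute2 accepts the mark argument to ip route get. Two points the script encodes that the thread does not spell out: the local table at priority 0 only holds local and broadcast destinations, so a lookup for a public SMTP server finds nothing there and the RPDB walk continues to the fwmark rule (the quoted man page text says the walk stops only when a table gives a route or a failure); and for the proxy's own connections (IN= empty in the LOG line) the mark has to be set in mangle OUTPUT, after which the kernel repeats the route lookup, so a LOG rule in that same chain still reports the first decision in OUT=.

```shell
#!/bin/sh
# Added example (not from the thread): outbound SMTP via a second gateway
# using an fwmark and a policy routing table. Values from the thread:
# eth0/eth1, mark 0x10, table "mail", gateway 111.111.111.49.
# Assumed: the eth1 address 111.111.111.50 and the helper names below.
set -eu

LAN_IF=eth0
MAIL_IF=eth1
MAIL_GW=111.111.111.49
MAIL_SRC=111.111.111.50   # assumed: this host's own address on eth1
MARK=0x10
TABLE=mail

# run: execute a command, or only print it when DRY_RUN=1 so the whole
# sequence can be reviewed (and tested) without root.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

configure_mail_routing() {
    # 1. Secondary table: a single default route. The table needs no route
    #    to the gateway itself, but eth1 must carry an address on the
    #    gateway's subnet or the kernel rejects the route.
    run ip route replace default via "$MAIL_GW" dev "$MAIL_IF" table "$TABLE"

    # 2. RPDB rule: marked packets consult "mail" before "main". Priority 0
    #    (table local) holds only local/broadcast destinations, so a public
    #    SMTP server falls through to this rule.
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 32765

    # 3. Set the mark before the routing decision is (re)made:
    #    mangle PREROUTING for forwarded LAN clients, mangle OUTPUT for the
    #    proxy's own connections. After mangle OUTPUT the kernel re-runs the
    #    route lookup when the mark changed, so a LOG rule in that chain
    #    still shows the first decision (OUT=eth0) even when the packet
    #    will leave via eth1.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 25 \
        -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -p tcp --dport 25 \
        -j MARK --set-mark "$MARK"

    # 4. The source address was picked by the first lookup (192.168.1.3 in
    #    the LOG line); rewrite it to the eth1 address on the way out so the
    #    SMTP server can answer.
    run iptables -t nat -A POSTROUTING -o "$MAIL_IF" -p tcp --dport 25 \
        -j SNAT --to-source "$MAIL_SRC"

    # 5. Strict reverse-path filtering on eth1 drops replies when the
    #    interface choice is asymmetric; loose mode (2) keeps the check but
    #    accepts any reachable source.
    run sysctl -w "net.ipv4.conf.$MAIL_IF.rp_filter=2"
}

# verify_mail_route: ask the kernel which route a packet carrying the mark
# gets for DST. The answer should name eth1 and 111.111.111.49, not eth0.
verify_mail_route() {
    dst=$1
    ip route get "$dst" mark "$MARK"
}
```

Run it as root with the two functions called in order, `configure_mail_routing` then `verify_mail_route 196.43.0.142`; with DRY_RUN=1 the first function only prints the commands it would issue. Checking with ip route get rather than a LOG rule avoids the OUT= confusion described above, because it reports the result of a lookup made with the mark already present.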