iptables + multiple gateways not firewalling

Ian Coetzee ubuntu at iancoetzee.za.net
Sat Dec 12 13:25:38 UTC 2009


On Sat, Dec 12, 2009 at 2:31 PM, Werner Schram <wrschram at gmail.com> wrote:
> Ian Coetzee wrote:
>>>>> ip ru sh
>>>>> 0:      from all lookup local
>>>>> 32765:  from all fwmark 0x10 lookup mail
>>>>> 32766:  from all lookup main
>>>>> 32767:  from all lookup default
>>>>>
>>>>> ip ro sh table mail
>>>>> default via 111.111.111.49 dev eth1
>>>>>
>> Ok after rethinking my strategy, I made some changes and now I am
>> logging packets, and this is what I saw
>>
>> Dec 12 14:05:50 proxy kernel: [11676.519480] IN= OUT=eth0
>> SRC=192.168.1.3 DST=196.43.0.142 LEN=60 TOS=0x10 PREC=0x00 TTL=64
>> ID=60433 DF PROTO=TCP SPT=54928 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
>> MARK=0x10
>>
>> Notice that it is marked, but still gets routed out through eth0....
>>
>> I think my routing table is flawed :(
>>
>>
> According to the ip man page:
>
>     Each policy routing rule consists of a selector and an action predicate.
>     The RPDB is scanned in the order of increasing priority. The selector of
>     each rule is applied to {source address, destination address, incoming
>     interface, tos, fwmark} and, if the selector matches the packet, the
>     action is performed. The action predicate may return with success. In
>     this case, it will either give a route or failure indication and the
>     RPDB lookup is terminated. Otherwise, the RPDB program continues on the
>     next rule.
>
> So the rules are evaluated in order of the priority given to them, and
> evaluation stops once a rule is matched. So I think that because your
> SMTP traffic matches rule 0, rule 32765 will not be evaluated. So
> editing rule 0 to not match 0x10 should solve this problem.

That makes sense...

Ok, trying to make rule 0 NOT match SMTP traffic: looking at the table,
it's full of local and broadcast routes, nothing on the servers I am
trying to SMTP to.

I added the route to the server I am trying to connect to, to the main
table and it works, and when I remove it again, I am back to square
one...

I am just going to take my mind off it at the moment, maybe phone a
friend or two :) and try again later (when I get a bright spark of
insanity :) )

Thank you for the help so far

Regards
Ian
>
> Werner
>
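To make the rule walk described in the quoted man page concrete, here is an added simulator (not code from this thread) of the RPDB lookup over the `ip ru sh` rules and the `mail` table printed above; the `local`, `main` and `default` tables are constructed stand-ins, since the post does not show them.

```python
import ipaddress

# Policy rules as printed by "ip ru sh" on the page: (priority, fwmark selector, table).
# A selector of None means "from all" with no fwmark condition.
RULES = [
    (0, None, "local"),
    (32765, 0x10, "mail"),
    (32766, None, "main"),
    (32767, None, "default"),
]

# Route tables as (prefix, next hop).  "mail" is the table from the page; the others are
# constructed stand-ins for this example (the thread only says "local" holds local and
# broadcast routes and nothing for the SMTP servers).
TABLES = {
    "local": [("192.168.1.3/32", "local dev eth0"), ("127.0.0.0/8", "local dev lo")],
    "mail": [("0.0.0.0/0", "via 111.111.111.49 dev eth1")],
    "main": [("192.168.1.0/24", "dev eth0"), ("0.0.0.0/0", "via 192.168.1.1 dev eth0")],
    "default": [],
}


def lookup(table, dst):
    """Longest-prefix match inside one table; None when the table has no route for dst
    (the "otherwise" case in the man page, so the RPDB walk moves on to the next rule)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in TABLES.get(table, []):
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return None if best is None else best[1]


def rpdb(dst, fwmark=None, rules=RULES):
    """Walk the rules in increasing priority; the first matching rule whose table
    yields a route terminates the lookup.  Returns (priority, table, next hop)."""
    for prio, mark, table in sorted(rules, key=lambda r: r[0]):
        if mark is not None and mark != fwmark:
            continue  # selector does not match this packet
        hop = lookup(table, dst)
        if hop is not None:
            return prio, table, hop
    return None  # no rule produced a route: destination unreachable


if __name__ == "__main__":
    # The marked SMTP packet from the log line in the thread (DST=196.43.0.142, MARK=0x10).
    print(rpdb("196.43.0.142", fwmark=0x10))
    print(rpdb("196.43.0.142"))  # same destination without the mark
```

Adding a route covering the SMTP server to the constructed `local` table reproduces the rule-0 capture Werner describes, which is a quick way to test a hypothesis before touching the live rules.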
