iptables + multiple gateways not firewalling

Ian Coetzee ubuntu at iancoetzee.za.net
Sun Dec 13 13:09:27 UTC 2009


On 12/12/2009 15:25, Ian Coetzee wrote:
> On Sat, Dec 12, 2009 at 2:31 PM, Werner Schram<wrschram at gmail.com>  wrote:
>    
>> Ian Coetzee wrote:
>>      
>>>>>> ip ru sh
>>>>>> 0:      from all lookup local
>>>>>> 32765:  from all fwmark 0x10 lookup mail
>>>>>> 32766:  from all lookup main
>>>>>> 32767:  from all lookup default
>>>>>>
>>>>>> ip ro sh table mail
>>>>>> default via 111.111.111.49 dev eth1
>>>>>>
>>> Ok after rethinking my strategy, I made some changes and now I am
>>> logging packets, and this is what I saw
>>>
>>> Dec 12 14:05:50 proxy kernel: [11676.519480] IN= OUT=eth0
>>> SRC=192.168.1.3 DST=196.43.0.142 LEN=60 TOS=0x10 PREC=0x00 TTL=64
>>> ID=60433 DF PROTO=TCP SPT=54928 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
>>> MARK=0x10
>>>
>>> Notice that it is marked, but still gets routed out through eth0....
>>>
>>> I think my routing table is flawed :(
>>>
>> According to the ip man page:
>>
>>   Each policy routing rule consists of a selector and an action
>>   predicate. The RPDB is scanned in the order of increasing priority.
>>   The selector of each rule is applied to {source address, destination
>>   address, incoming interface, tos, fwmark} and, if the selector matches
>>   the packet, the action is performed. The action predicate may return
>>   with success. In this case, it will either give a route or failure
>>   indication and the RPDB lookup is terminated. Otherwise, the RPDB
>>   program continues on the next rule.
>>
>> So the rules are evaluated in order of the priority given to them, and
>> evaluation stops once a rule is matched. So I think that because your
>> SMTP traffic matches rule 0, rule 32765 will not be evaluated. So
>> editing rule 0 to not match 0x10 should solve this problem.
>>
>
OK, an update on this status.

I reverted back to using only one interface, and surprise, surprise, it 
works. The only thing I changed was to move the IP to eth0 (as well as 
all the related routes).

Now I have a question. Why does it work using one ether, but not two? My 
guess is that it sets all the packets to be routed out through eth0, 
then it gets marked and by then it's too late (that's just my theory, prove 
me wrong please :) )

Regards
Ian
> That makes sense...
>
> OK, trying to make rule 0 NOT match SMTP traffic: looking at the table,
> it's full of local and broadcast routes, nothing on the servers I am
> trying to SMTP to
>
> I added the route to the server I am trying to connect to, to the main
> table and it works, and when I remove it again, I am back to square
> one...
>
> I am just going to take my mind off it at the moment, maybe phone a
> friend or two :) and try again later (when I get a bright spark of
> insanity :) )
>
> Thank you for the help so far
>
> Regards
> Ian
>
>> Werner
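As an added example (not code from the thread), a small Python model of the RPDB semantics Werner quotes, run against the rules Ian posted and the kernel LOG line he saw; the contents of the local and main tables are assumptions. It predicts eth1 for the marked SMTP packet, so an observed OUT=eth0 means the mark was not in effect when the route was chosen:

```python
import ipaddress
import re

# Constructed model of the policy-routing database (RPDB) shown in this
# thread: rules are tried in increasing priority, a matching rule's table is
# consulted, and only a successful lookup ends the search (else fall through).
RULES = [  # (priority, required fwmark or None, table)
    (0, None, "local"),
    (32765, 0x10, "mail"),
    (32766, None, "main"),
    (32767, None, "default"),
]
# Table contents as (prefix, output device). "mail" is the table printed in
# the thread; "local" and "main" are assumptions for a host whose default
# route leaves via eth0.
TABLES = {
    "local": [("192.168.1.3/32", "lo"), ("192.168.1.255/32", "lo"), ("127.0.0.0/8", "lo")],
    "mail": [("0.0.0.0/0", "eth1")],  # default via 111.111.111.49 dev eth1
    "main": [("192.168.1.0/24", "eth0"), ("0.0.0.0/0", "eth0")],
    "default": [],
}

def lookup(table, dst):
    """Longest-prefix match of dst in one table; None means lookup failure."""
    best = None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return None if best is None else best[1]

def rpdb_route(dst, fwmark=0):
    """Return (rule priority, table, device) the RPDB selects for a packet."""
    dst = ipaddress.ip_address(dst)
    for prio, mark, table in sorted(RULES):
        if mark is not None and mark != fwmark:
            continue  # selector does not match, try the next rule
        dev = lookup(table, dst)
        if dev is not None:
            return prio, table, dev
    return None

# The LOG line quoted in the thread, embedded here as sample input.
LOG = ("Dec 12 14:05:50 proxy kernel: [11676.519480] IN= OUT=eth0 "
       "SRC=192.168.1.3 DST=196.43.0.142 LEN=60 TOS=0x10 PREC=0x00 TTL=64 "
       "ID=60433 DF PROTO=TCP SPT=54928 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 MARK=0x10")
def check_log_line(line):
    """Compare the OUT= device in an iptables LOG line with the RPDB prediction."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    prio, table, dev = rpdb_route(fields["DST"], int(fields.get("MARK", "0"), 16))
    return {"observed": fields["OUT"], "predicted": dev, "rule": prio, "table": table}
```

check_log_line(LOG) reports observed eth0 against predicted eth1 via rule 32765 (table mail); an unmarked packet to the same host falls through to main and eth0.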
