[LARTC] OUTPUT chain marking after or before routing?
skekes@pylones.gr
Thu, 17 Jul 2003 09:04:18 +0300
Hello dear Catalin,
Well, the only mistake you made is that you placed the mark filters on
the output of the interface.
I suggest you park them in the PREROUTING chain and not in the
output. It works fine for me.
Best regards
Stamatis
Catalin Borcea wrote:
>Hello,
>I have a Linux box with 3 network adapters:
>eth0 : IP:10.200.0.1/24
>eth1/ppp0: IP:80.97.105.98
>eth2 : IP:192.168.1.100/24
>
>I want all the Internet traffic to go to the eth2 interface except the
>smtp traffic, which I want to go to the ppp0 interface. The main routing table
>is:
>172.16.20.1 dev ppp0 proto kernel scope link src 80.97.105.98
>192.168.1.0/24 dev eth2 scope link
>10.200.0.0/24 dev eth0 scope link
>192.168.254.0/24 dev eth1 scope link
>127.0.0.0/8 dev lo scope link
>default via 192.168.1.1 dev eth2
>
>
>I decided to use netfilter to mark the packets that leave the gateway from
>and to the smtp port. I do this in the OUTPUT chain of the mangle table. So,
>according to the docs, the marking will occur before routing for locally
>generated packets:
>
>$IT -t mangle -A OUTPUT -p tcp --dport smtp -j MARK --set-mark 2
>$IT -t mangle -A OUTPUT -p tcp --sport smtp -j MARK --set-mark 2
>
>Then I define a new routing table (named "smtp") and a rule to redirect smtp
>packets to this table. The output of "ip rule ls" is:
># 0: from all lookup local
># 32765: from all fwmark 2 lookup smtp
># 32766: from all lookup main
># 32767: from all lookup 253
>
>In table "smtp" I defined a default route by the dev ppp0. The output of "ip
>route ls table smtp" is:
># default dev ppp0
>
>When I try to connect to an smtp port somewhere in the Internet, tcpdump shows
>me that these packets go to the eth2 interface (the main table default
>route). I don't know where my mistake is, but it seems that the marking in
>the OUTPUT chain occurs AFTER and not BEFORE routing. Is this correct
>behaviour? How can I solve my problem? Please help!
>
>TIA
>- catalin -
>
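
The rule and table lookup discussed in this thread, as an added example that is not part of either message: a small Python model of `ip rule` evaluation using the rules and routes quoted above, showing which device a packet resolves to with and without fwmark 2. The contents of table `local` and table 253 are not shown in the thread and are assumed empty here; the destination addresses are constructed samples, and `local_output` models the kernel's order for locally generated packets (first routing decision, then mangle OUTPUT, then a repeated lookup if the mark changed).

```python
import ipaddress

# Policy-routing state copied from the post ("ip rule ls", "ip route ls").
# Tables "local" and "253" are assumed empty: the post does not list them.
RULES = [  # (priority, fwmark selector or None, table name)
    (0, None, "local"),
    (32765, 2, "smtp"),
    (32766, None, "main"),
    (32767, None, "253"),
]
TABLES = {
    "local": [],
    "smtp": [("0.0.0.0/0", "ppp0")],
    "main": [
        ("172.16.20.1/32", "ppp0"),
        ("192.168.1.0/24", "eth2"),
        ("10.200.0.0/24", "eth0"),
        ("192.168.254.0/24", "eth1"),
        ("127.0.0.0/8", "lo"),
        ("0.0.0.0/0", "eth2"),  # default via 192.168.1.1 dev eth2
    ],
    "253": [],
}

def table_lookup(table, dst):
    """Longest-prefix match inside one table; None if no route matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def route(dst, fwmark=0):
    """Walk rules by priority; the first selected table with a match wins."""
    for _prio, mark, table in sorted(RULES, key=lambda r: r[0]):
        if mark is not None and mark != fwmark:
            continue  # "fwmark 2" rule is skipped for unmarked packets
        dev = table_lookup(table, dst)
        if dev is not None:
            return table, dev
    return None, None

def local_output(dst, sport, dport):
    """Locally generated packet: route, apply the post's MARK rules, reroute."""
    first = route(dst)                         # decided before any mark exists
    mark = 2 if 25 in (sport, dport) else 0    # --dport smtp / --sport smtp
    final = route(dst, mark) if mark else first
    return first, final
```

Because table `smtp` holds only a default route, any packet carrying mark 2 resolves to ppp0, including SMTP traffic addressed to the directly connected 10.200.0.0/24 and 192.168.1.0/24 networks.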