[LARTC] Problems with Routing and Masquerading
Luciano Ruete
luciano at lugmen.org.ar
Tue May 30 19:10:32 CEST 2006
On Tuesday 30 May 2006 13:23, Jason Boxman wrote:
> Luciano Ruete wrote:
> <snip>
>
> > Besides that, you need to solve the problems that multipath will raise,
> > like the TOS situation described above or route cache expiration, which could
> > make long-term conns be routed over a new iface. The solutions I know are
> > CONNMARK (kernel >= 2.6.12) and Julian's patches[1].
> > Personally I prefer CONNMARK.
>
> Could you elaborate a little more on the CONNMARK method?
#by-pass rules if the packet is already MARKed
#(newer iptables prefer the negation in front: -m mark ! --mark 0)
iptables -t mangle -A POSTROUTING -m mark --mark ! 0 -j ACCEPT
#1st packets (from a connection) will arrive here; the mark records the egress iface
iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 0x1
iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 0x2
#copy the packet mark into the conntrack entry
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
#restore mark before ROUTING decision (later packets of the conn get it here)
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
#route commands
#multipath default in the main table, used by the unmarked first packet of a conn
ip ro add default nexthop via x.x.x.x dev eth1 weight 1 nexthop via y.y.y.y dev eth2 weight 1
#one table per provider, each with its own default route
ip route add default table provider1 via x.x.x.x dev eth1
ip route add default table provider2 via y.y.y.y dev eth2
# and most important: marked packets are routed through the table of their provider
ip rule add fwmark 0x1 table provider1
ip rule add fwmark 0x2 table provider2
Some notes:
-The example uses 2 ifaces, but it is scalable to any number (I have it working with 5)
-FORWARD could be used instead of POSTROUTING, it depends on your needs
-If you have a large network, think about changing the default conntrack table size
and hash-size
#hashsize is a module parameter, set when the module is loaded
modprobe ip_conntrack hashsize=xxx
#max number of tracked connections
echo xxx > /proc/sys/net/ipv4/ip_conntrack_max
#lnstat is your friend, will help to find the magic numbers
lnstat -f ip_conntrack -i 1 -c 1
-Full discussion about this solution on this thread[1][2] (sorry, Spanish only)
-Credits to Diego Woitasen, who pointed me to this kind of solution
[1] http://www.lugmen.org.ar/pipermail/lug-list/2006-April/041078.html
[2] http://www.lugmen.org.ar/pipermail/lug-list/2006-May/041084.html
--
Luciano
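An added example, not part of the original post: a POSIX sh script that generates the same CONNMARK/multipath setup described above for any number of uplinks (the post mentions it scales to 5). The interface names, gateway addresses and numeric table ids in UPLINKS are constructed placeholders, and DRY_RUN=1 (the default) prints the commands instead of running them so the output can be reviewed before applying.

```shell
#!/bin/sh
# Added example, not part of the original LARTC post: build the CONNMARK
# multipath setup for any number of uplinks. Interface names, gateway
# addresses and table ids are constructed placeholders, not real values.
# DRY_RUN=1 (the default) prints each command instead of executing it.

# Constructed uplink list, one per line: "<iface> <gateway> <table-id>".
# Numeric table ids avoid having to edit /etc/iproute2/rt_tables.
UPLINKS="eth1 192.0.2.1 101
eth2 198.51.100.1 102"

# Print the command (DRY_RUN=1) or execute it (DRY_RUN=0).
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mangle table: skip packets already carrying a mark, mark the first packet
# of each connection by its egress interface, copy the mark into the
# conntrack entry, and restore it before routing on every later packet.
gen_mangle_rules() {
    run iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j ACCEPT
    n=0
    while read -r iface gw table; do
        n=$((n + 1))
        run iptables -t mangle -A POSTROUTING -o "$iface" -j MARK --set-mark "$(printf '0x%x' "$n")"
    done <<EOF
$UPLINKS
EOF
    run iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # packets generated on the router itself never pass PREROUTING
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

# routing: a per-uplink table with its own default route, a fwmark rule
# selecting that table, and an equal-weight multipath default in main
# for the unmarked first packet of each connection.
gen_routes() {
    nexthops=""
    n=0
    while read -r iface gw table; do
        n=$((n + 1))
        mark=$(printf '0x%x' "$n")
        run ip route add default via "$gw" dev "$iface" table "$table"
        run ip rule add fwmark "$mark" table "$table"
        nexthops="$nexthops nexthop via $gw dev $iface weight 1"
    done <<EOF
$UPLINKS
EOF
    # $nexthops is deliberately unquoted so it expands into separate words
    run ip route add default scope global $nexthops
}

gen_mangle_rules
gen_routes
```

Run it as-is to review the generated rules, then with DRY_RUN=0 as root to apply them. Two things the script adds beyond the post's listing: the mark is also restored in the mangle OUTPUT chain so connections started by the router itself stay on one uplink, and the `-m mark ! --mark 0` form is the negation syntax current iptables accept without a deprecation warning. As in the post, POSTROUTING can be swapped for FORWARD if only transit traffic should be pinned. With more than one uplink, strict reverse-path filtering (net.ipv4.conf.*.rp_filter=1) can drop replies that arrive on the interface the multipath route did not pick, so check that setting when connections stall.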