Selectively routing packets through different links

On 10.06.2010 18:44:31 by Diego Alencar Alves de Lima

Hello all,

I'm trying to send http packets through a link that is not my default
gateway, using iptables and iproute2 on a Ubuntu 9.10 server (ip
address: 192.168.0.193 on the lan and 192.168.21.1 on the wan). Its
default gateway is the address 192.168.0.7 on my wlan0 interface and
its alternative gateway is 192.168.21.1 on bnep0. Packets from my LAN
arrive on the same wlan0 interface. Here's what I've done:

1 - Edit /etc/iproute2/rt_tables and add this:
10 bluez

2 - Add the route and rule:
# ip route add default via 192.168.21.1 dev bnep0 table bluez
# ip rule add fwmark 10 lookup bluez

3 - Add the iptables rules:
iptables -t mangle -I PREROUTING -i wlan0 -s 192.168.0.0/24 -p tcp -m multiport --dports 80,443,8080 -j MARK --set-mark 10
iptables -t nat -I POSTROUTING ! -o lo -j MASQUERADE

The FORWARD policy is currently set to ACCEPT and
/proc/sys/net/ipv4/ip_forward is set to 1. When I do this I can see
the packets coming from my local network to the internet get out
and I see them on the router 192.168.21.1. I can also see the replies
on the router and bnep0, but they don't go back to the host on wlan0.

Here are the tcpdump results of a simple wget:

---
On the host 192.168.0.201 (the one trying to fetch a page):

13:04:49.639213 IP 192.168.0.201.37844 > 64.233.163.104.80: Flags [S],
seq 1417172792, win 5840, options [mss 1460,sackOK,TS val 194061171
ecr 0,nop,wscale 6], length 0
13:04:52.635912 IP 192.168.0.201.37844 > 64.233.163.104.80: Flags [S],
seq 1417172792, win 5840, options [mss 1460,sackOK,TS val 194061921
ecr 0,nop,wscale 6], length 0
13:04:58.635909 IP 192.168.0.201.37844 > 64.233.163.104.80: Flags [S],
seq 1417172792, win 5840, options [mss 1460,sackOK,TS val 194063421
ecr 0,nop,wscale 6], length 0


--
On the firewall 192.168.0.193 (the host's default gw and the firewall
where I set the iptables/routing rules):
tcpdump on bnep0:

diego@gilead:/tmp$ sudo tcpdump -ni bnep0 ip proto \\tcp and ! port 22
and host 64.233.163.104
listening on bnep0, link-type EN10MB (Ethernet), capture size 96 bytes
13:07:56.556892 IP 192.168.21.2.43346 > 64.233.163.104.80: Flags [S],
seq 182141507, win 5840, options [mss 1460,sackOK,TS val 194109829 ecr
0,nop,wscale 6], length 0
13:07:58.450327 IP 64.233.163.104.80 > 192.168.21.2.43346: Flags [S.],
seq 118939367, ack 182141508, win 5672, options [mss 1410,sackOK,TS
val 3547510252 ecr 194109829,nop,wscale 6], length 0
13:07:58.719166 IP 64.233.163.104.80 > 192.168.21.2.43346: Flags [S.],
seq 118939367, ack 182141508, win 5672, options [mss 1410,sackOK,TS
val 3547510586 ecr 194109829,nop,wscale 6], length 0
13:07:59.328302 IP 64.233.163.104.80 > 192.168.21.2.43346: Flags [S.],
seq 118939367, ack 182141508, win 5672, options [mss 1410,sackOK,TS
val 3547511190 ecr 194109829,nop,wscale 6], length 0
13:07:59.553165 IP 192.168.21.2.43346 > 64.233.163.104.80: Flags [S],
seq 182141507, win 5840, options [mss 1460,sackOK,TS val 194110579 ecr
0,nop,wscale 6], length 0
13:07:59.658279 IP 64.233.163.104.80 > 192.168.21.2.43346: Flags [S.],
seq 118939367, ack 182141508, win 5672, options [mss 1410,sackOK,TS
val 3547511511 ecr 194109829,nop,wscale 6], length 0


tcpdump on wlan0:
diego@gilead:/tmp$ sudo tcpdump -ni wlan0 ip proto \\tcp and ! port 22
and host 64.233.163.104
listening on wlan0, link-type EN10MB (Ethernet), capture size 96 bytes

13:09:12.992642 IP 192.168.0.201.43347 > 64.233.163.104.80: Flags [S],
seq 1388896619, win 5840, options [mss 1460,sackOK,TS val 194128940
ecr 0,nop,wscale 6], length 0
13:09:15.988847 IP 192.168.0.201.43347 > 64.233.163.104.80: Flags [S],
seq 1388896619, win 5840, options [mss 1460,sackOK,TS val 194129690
ecr 0,nop,wscale 6], length 0
13:09:21.990494 IP 192.168.0.201.43347 > 64.233.163.104.80: Flags [S],
seq 1388896619, win 5840, options [mss 1460,sackOK,TS val 194131190
ecr 0,nop,wscale 6], length 0

--
On the wan router 192.168.21.1:

13:11:47.844163 IP 192.168.21.2.43348 > 64.233.163.104.80: S
3792068799:3792068799(0) win 5840 194167380[|tcp]>
13:11:49.613021 IP 64.233.163.104.80 > 192.168.21.2.43348: S
2877038224:2877038224(0) ack 3792068800 win 5672 1410,sackOK,timestamp 3532709843[|tcp]>
13:11:49.868738 IP 64.233.163.104.80 > 192.168.21.2.43348: S
2877038224:2877038224(0) ack 3792068800 win 5672 1410,sackOK,timestamp 3532710158[|tcp]>
13:11:50.473167 IP 64.233.163.104.80 > 192.168.21.2.43348: S
2877038224:2877038224(0) ack 3792068800 win 5672 1410,sackOK,timestamp 3532710762[|tcp]>
13:11:50.833945 IP 192.168.21.2.43348 > 64.233.163.104.80: S
3792068799:3792068799(0) win 5840 194168130[|tcp]>
13:11:50.913043 IP 64.233.163.104.80 > 192.168.21.2.43348: S
2877038224:2877038224(0) ack 3792068800 win 5672 1410,sackOK,timestamp 3532711202[|tcp]>
13:11:51.733704 IP 64.233.163.104.80 > 192.168.21.2.43348: S
2877038224:2877038224(0) ack 3792068800 win 5672 1410,sackOK,timestamp 3532712022[|tcp]>
13:11:54.149590 IP 64.233.163.104.80 > 192.168.21.2.43348: S
2877038224:2877038224(0) ack 3792068800 win 5672 1410,sackOK,timestamp 3532714438[|tcp]>

--

As far as I can see the packets arrive at my firewall just fine but it
never routes them back to the host originating the request. Am I
missing something there?

Thanks and sorry for the long email :)

Diego Alencar Alves de Lima
http://www.diegolima.org
--
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
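A small model of the firewall's routing decision, added here as an illustration and not part of the original post or its author's setup: it reproduces the fwmark rule and the two tables from the post (the directly connected /24s on wlan0 and bnep0 are assumed), and then applies a strict reverse-path check to the reply, which enters on bnep0 from an address whose main-table route points at wlan0. That is the check worth running on a setup like this (the rp_filter sysctls under /proc/sys/net/ipv4/conf/), because a strict filter discards such a reply before it is ever forwarded back to wlan0.

```python
import ipaddress

# Constructed model of the firewall described in the post. Routes are
# (prefix, gateway, device); the directly connected /24s are assumed.
MAIN = [
    ("192.168.0.0/24", None, "wlan0"),
    ("192.168.21.0/24", None, "bnep0"),
    ("0.0.0.0/0", "192.168.0.7", "wlan0"),      # default gateway on wlan0
]
BLUEZ = [("0.0.0.0/0", "192.168.21.1", "bnep0")]  # "table bluez" from the post
# "ip rule add fwmark 10 lookup bluez" is consulted before main; None = any mark
RULES = [(10, BLUEZ), (None, MAIN)]

def lookup(table, dst):
    """Longest-prefix match in one table; returns (gateway, device) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, via, dev)
    return best[1:] if best else None

def route(dst, fwmark=0):
    """Policy routing: the first rule that matches and whose table has a route wins."""
    for mark, table in RULES:
        if mark is None or mark == fwmark:
            hit = lookup(table, dst)
            if hit:
                return hit
    return None

def strict_rpf_ok(src, in_dev):
    """Strict reverse-path filter (rp_filter=1): the best route back to the
    source must leave through the device the packet arrived on. The kernel
    ignores the packet mark here unless src_valid_mark is enabled, so the
    lookup is done without a mark."""
    hit = route(src)
    return hit is not None and hit[1] == in_dev

if __name__ == "__main__":
    # SYN from the LAN, marked 10 by the mangle rule: leaves via bnep0
    print("forward SYN ->", route("64.233.163.104", fwmark=10))
    # Reply after de-NAT: dst 192.168.0.201, unmarked, main table -> wlan0
    print("reply to LAN ->", route("192.168.0.201"))
    # But the reply entered on bnep0 from a source whose main-table route is wlan0
    print("reply passes strict rp_filter on bnep0?",
          strict_rpf_ok("64.233.163.104", "bnep0"))
```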