Mailing List Archive: iptables: User

Source address assignment



rjfdevries at seneca

Aug 2, 2001, 2:22 AM

Post #1 of 2
Source address assignment

Dear,

In Section 3 of Rusty Russell's Linux netfilter Hacking HOWTO it is stated that routing code is called _BEFORE_ the NF_IP_LOCAL_OUT hook is called, in order to assign a source address to a packet issued by e.g. squid or any other daemon issuing packets to networking.

Is this really true or am I misinterpreting this section?

If this is the reality I'd like to make a suggestion to the developers of netfilter/iptables to allow marking (fwmark) before the source address is assigned. The reason for this suggestion is the following. I would like to be able to route traffic generated by proxies on my firewall on the basis of destination port in combination with destination address. It could/should work like this (the IP addresses are 'random'):

boris:/etc/iproute2 # ip rule
0: from all lookup local
3000: from all lookup main
4000: from all fwmark 1 lookup internet_connection_2
5000: from all lookup internet_connection_main

boris:/etc/iproute2 # ip route show table main
212.241.155.96/28 dev eth2 proto kernel scope link src 212.241.155.110
195.156.176.240/28 dev eth0 proto kernel scope link src 195.156.176.242
192.31.141.0/24 dev eth1 proto kernel scope link src 192.31.141.17
172.16.0.0/16 dev eth3 proto kernel scope link src 172.16.0.1

boris:/etc/iproute2 # ip route show table internet_connection_main
default via 195.156.176.254 dev eth0

boris:/etc/iproute2 # ip route show table internet_connection_2
default via 212.241.155.97 dev eth2

boris:/etc/iproute2 # iptables -t mangle -vnL
Chain PREROUTING (policy ACCEPT 5000970 packets, 3216012435 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5786895 packets, 3088500583 bytes)
 pkts bytes target     prot opt in     out     source               destination
1324K   85M MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 MARK set 0x1

-> So HTTP packets not destined to local subnets pass rule 0 and 3000 and are (wishful thinking) sent by rule 4000 to the second internet connection (internet_connection_2), not the main (default) one. Rule 5000 above is the "gateway of last resort" catcher. Rule 3000 (table main) routes anything destined to the local subnets (connected to the firewall).

HTTP packets from squid destined to a webserver e.g. on subnet 195.156.176.240/28 (local!) should have as their source address 195.156.176.242. HTTP packets from squid destined to the internet travelling the second internet connection should have 212.241.155.110 as their source address. First marking and then calling the routing code respecting the fwmark rule should assign the right address to the packets issued by squid. Or not?

Anyone?

Cheers,

Rein
-------------------------
Seneca Groep, Elektronicaweg 31, 2628 XG DELFT
T: 015 2513700, F: 015 2513701, M: 06 2001 1493
E: rjfdevries [at] seneca, W: www.seneca.nl


iafilius at xs4all

Aug 2, 2001, 4:46 PM

Post #2 of 2
Re: Source address assignment [In reply to]

Hello Rein,


I'd think you're confused by calling the routing table to set the source address, before any packet is sent out, and the moment where netfilter comes in... from the point where the first packet is sent out (and the source address is filled in).

I'd think it's "impossible" to mangle a packet which doesn't exist. An (nonexisting?) advanced routing policy could perhaps handle this situation.

Anyway, the packet flow diagrams (netfilter hacking howto) are based on travelling packets, not only asking about the route to set the source address. They are independent, because no packet is there yet.

If I remember correctly (kernel source), the (known) tcp ports ARE given to the first routing call which sets the source address if not set.

_perhaps_ you want to discuss this also on HAL (http://www.hal2001.org/)
next week?

Later,

On Thu, 2 Aug 2001, Vries, Rein de wrote:

> Dear,
>
> In Section 3 of Rusty Russell's Linux netfilter Hacking HOWTO it is stated
> that routing code is called _BEFORE_ the NF_IP_LOCAL_OUT hook is called,
> in order to assign a source address to a packet issued by e.g. squid or
> any other daemon issuing packets to networking.
>
> Is this really true or am I misinterpreting this section?

--
Arjan Filius
mailto:iafilius [at] xs4all
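The ordering the two posts argue about, modelled as an added example (not code from the thread, the HOWTO or the kernel): the rules and tables are transcribed from Rein's `ip rule` / `ip route show` output, the mangle OUTPUT rule is `tcp dpt:80 -> MARK 0x1`, and a locally generated packet is traced through (1) the socket's routing lookup, which runs with no mark and fixes the source address, (2) the mark being applied only once the packet exists, and (3) a re-lookup with the mark in place. Step 3 is an assumption of the model, not something the thread settles; the destination 198.51.100.10 is a constructed "somewhere on the internet" address.

```python
"""Model of policy routing and source-address selection for a locally
generated packet, built from the ip rule / ip route output in Rein's post.
Constructed illustration, not code from the thread or from the kernel."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    dev: str
    src: Optional[str] = None   # preferred source (connected routes in 'main')
    via: Optional[str] = None   # next hop (default routes)


# Routing tables, transcribed from the post ("ip route show table ...").
TABLES = {
    "local": [],                          # nothing in 'local' is exercised here
    "main": [
        Route(ip_network("212.241.155.96/28"), "eth2", src="212.241.155.110"),
        Route(ip_network("195.156.176.240/28"), "eth0", src="195.156.176.242"),
        Route(ip_network("192.31.141.0/24"), "eth1", src="192.31.141.17"),
        Route(ip_network("172.16.0.0/16"), "eth3", src="172.16.0.1"),
    ],
    "internet_connection_main": [
        Route(ip_network("0.0.0.0/0"), "eth0", via="195.156.176.254"),
    ],
    "internet_connection_2": [
        Route(ip_network("0.0.0.0/0"), "eth2", via="212.241.155.97"),
    ],
}

# "ip rule" entries: (priority, required fwmark or None, table to consult).
RULES = [
    (0, None, "local"),
    (3000, None, "main"),
    (4000, 1, "internet_connection_2"),
    (5000, None, "internet_connection_main"),
]


def lookup(dst: str, fwmark: int = 0) -> Route:
    """Policy-routing lookup: walk the rules by priority, skip rules whose
    fwmark selector does not match, longest-prefix match inside a table,
    and the first table that yields a match wins."""
    dst_ip = ip_address(dst)
    for _prio, mark, table in sorted(RULES):
        if mark is not None and mark != fwmark:
            continue
        matches = [r for r in TABLES[table] if dst_ip in r.prefix]
        if matches:
            return max(matches, key=lambda r: r.prefix.prefixlen)
    raise LookupError(f"no route to {dst}")


def preferred_source(route: Route) -> str:
    """Source address for a route: its own 'src' if it has one, otherwise
    the address of the connected network on the same device (from 'main')."""
    if route.src:
        return route.src
    for r in TABLES["main"]:
        if r.dev == route.dev and r.src:
            return r.src
    raise LookupError(f"no address configured on {route.dev}")


def send_locally_generated(dst: str, dport: int) -> dict:
    """Trace one locally generated TCP packet:
      1. the socket's routing lookup runs with fwmark 0 and fixes the source;
      2. only now does the packet exist, so the mangle OUTPUT rule
         (tcp dpt:80 -> MARK set 0x1) can fire;
      3. (model assumption) a re-lookup with the mark selects the output
         device, but the already assigned source address is kept."""
    first = lookup(dst, fwmark=0)
    src = preferred_source(first)
    mark = 1 if dport == 80 else 0
    final = lookup(dst, fwmark=mark)
    return {
        "src": src,
        "mark": mark,
        "first_dev": first.dev,
        "final_dev": final.dev,
        # does the source we ended up with belong to the interface we leave on?
        "src_matches_exit": preferred_source(final) == src,
    }


if __name__ == "__main__":
    for dst, port in (("195.156.176.245", 80), ("198.51.100.10", 80), ("198.51.100.10", 443)):
        print(dst, port, send_locally_generated(dst, port))
```

The local destination behaves as Rein expects (rule 3000 wins before the fwmark rule is ever consulted, source 195.156.176.242 on eth0). For the internet destination on port 80 the model shows Arjan's point: the source was fixed at 195.156.176.242 by the unmarked lookup, so even a later marked lookup that picks eth2 leaves the packet with an address that does not belong to the second connection.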
