Wednesday, September 05, 2012

fwmark not run?

Hi

I have a problem with firewall iptables and routing rules (iproute2). I
describe my case:

Debian 4 --> Upgraded to Debian 6.0.5. In debian 4 all run ok. In Debian
6.0.5...

I have three routing tables tb1, tb2 and tb3. These tables havea default
route through a adsl1, adsl2 and adsl3respectively. The routing tables
and routes are working properly.

The firewall (machine) worksas a router for five different networks with
5 different eth interfaces. eth1 (net1), eth2(net2), eth3(adsl3), eth4 (
to adsl1 and adsl2)

I need the traffic passing through the firewall (forward) from the red1
go through the adsl1 if the destination port is 22 or 500 for example
but if the destination port is another go to adsl3.

I need the traffic passing through the firewall (forward) from the red2
go through the adsl2 if the destination port is 22 or 500 for example
but if the destination port is another go to adsl3.

I have created some rules in the firewall within the mangle table
PREROUTING chain to mark packets before the routing decision.

#network2 marked with 2

iptables -t mangle -A PREROUTING -s 10.29.0.0/255.255.255.0 -p tcp -m
tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j MARK
--set-mark 0x2
iptables -t mangle -A PREROUTING -s 10.29.0.0/255.255.255.0 -p udp -m
udp -m multiport --dports 500,4500 -m state --state
NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x2
iptables -t mangle -A OUTPUT -s 10.29.0.0/255.255.255.0 -p tcp -m tcp
--dport 22 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x2
iptables -t mangle -A OUTPUT -s 10.29.0.0/255.255.255.0 -p udp -m udp -m
multiport --dports 500,4500 -m state --state NEW,RELATED,ESTABLISHED -j
MARK --set-mark 0x2

#all packets (network1 included) marked with 1
iptables -t mangle -A PREROUTING -p tcp -m tcp -m multiport --dports
22,22022,16022,1723 -m state --state NEW,RELATED,ESTABLISHED -j MARK
--set-mark 0x1
iptables -t mangle -A PREROUTING -p udp -m udp -m multiport --dports
500,4500 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -p tcp -m tcp -m multiport --dports
22,22022,16022,1723 -m state --state NEW,RELATED,ESTABLISHED -j MARK
--set-mark 0x1
iptables -t mangle -A OUTPUT -p udp -m udp -m multiport --dports
500,4500 -m state --state NEW,RELATED,ESTABLISHED -j MARK --set-mark 0x1

And I have created some rules in table nat

iptables -t nat -A POSTROUTING -o eth4 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE

Ok. I have some ip rules too.

# ip rule
0: from all lookup local
30010: from all fwmark 0x2 lookup adsl2
30020: from all fwmark 0x1 lookup adsl1
30030: from 10.0.2.0/24 lookup adsl3
30040: from 10.0.1.0/24 lookup adsl3
30060: from all lookup main
30070: from all lookup default

Ok. Does anyone know what I can be doing wrong? Did you change the way
marked on the iptables firewall?

I log the packets in the system log that are marked with 1 or 2 and the
logs show that there is traffic being marked with 1 and 2 but after that
traffic is not sent to the correct routing tables. ¿Is a bug in ip rule
or something? The log

Sep 5 15:24:55 firewall kernel: [1883719.204551] fwmark 1: IN=eth1 OUT=
MAC=00:18:8b:f9:f3:34:00:24:8c:de:c8:fb:08:00 SRC=10.0.1.153
DST=192.168.100.139 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=1436 DF
PROTO=TCP SPT=57856 DPT=22 WINDOW=16323 RES=0x00 ACK FIN URGP=0 MARK=0x1
Sep 5 15:24:55 firewall kernel: [1883719.205085] fwmark 1: IN=eth1 OUT=
MAC=00:18:8b:f9:f3:34:00:24:8c:de:c8:fb:08:00 SRC=10.0.1.153
DST=192.168.100.139 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=1437 DF
PROTO=TCP SPT=57856 DPT=22 WINDOW=16323 RES=0x00 ACK URGP=0 MARK=0x1
Sep 5 15:25:20 firewall kernel: [1883744.276724] fwmark 2: IN=eth2 OUT=
MAC=00:0d:88:c5:ba:33:20:cf:30:d3:a6:d5:08:00 SRC=10.0.2.226
DST=10.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=8254 DF PROTO=TCP
SPT=52845 DPT=22 WINDOW=2641 RES=0x00 ACK URGP=0 MARK=0x2
Sep 5 15:25:20 firewall kernel: [1883744.280404] fwmark 2: IN=eth2 OUT=
MAC=00:0d:88:c5:ba:33:20:cf:30:d3:a6:d5:08:00 SRC=10.0.2.226
DST=10.0.2.1 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=8255 DF PROTO=TCP
SPT=52845 DPT=22 WINDOW=2641 RES=0x00 ACK PSH URGP=0 MARK=0x2

Please, I need help with this issue. All my work network is in a
degraded state and I dont know how to solve this issue.

Thanks in advance
(Sorry for my english)

--
-----------------------------------------------------------------
Francisco J. Bejarano
Responsable de Sistemas
Dpt. Sistemas e Infraestructuras
Open Knowledge Network S.L.
francisco.bejarano@openknowledgenetwork.com
Tel. (+34) 902 534 004
Fax. (+34) 917 266 476
-----------------------------------------------------------------


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/504755EF.5000908@openknowledgenetwork.com

No comments:

Post a Comment