Routing via fwmark

Post by Fred Bau » Wed, 23 Jan 2002 00:23:37

I want to route some traffic according to destination port, but
I can't make it work.  I'm using Linux kernel 2.4.16 and
ip iproute2-ss010824.  I believe I have all the routing and
firewall options compiled into the kernel.  If someone knows
how to do this please let me know.

I have two connections to the outside world.
  A dial up analog modem: ppp0
  And a satellite link: eth2
I want everything but DNS requests to go via satellite (eth2)
because of the latency on the satellite.

I did this:

#iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark 2
#ip route add default via dev eth2 table default
#ip route del default table main
#ip route add default via dev ppp0 table ppp
#ip rule add fwmark 2 table ppp prio 101
#ip route flush cache

#ip rule ls
0:      from all lookup local
99:     from all lookup main
101:    from all fwmark        2 lookup ppp
110:    from all lookup default

#ip route ls table main via dev eth1 dev ppp0  proto kernel  scope link  src via dev eth2 dev eth1  proto kernel  scope link  src dev eth2  proto kernel  scope link  src dev eth0  proto kernel  scope link  src dev lo  scope link

#ip route ls table ppp
default via dev ppp0

#ip route ls table default
default via dev eth2

#iptables -t mangle -L OUTPUT -v -n
Chain OUTPUT (policy ACCEPT 81085 packets, 12M bytes)
 pkts bytes target     prot opt in     out     source              
 7713  538K MARK       udp  --  *      *           udp dpt:53 MARK set 0x2

eth0      Link encap:Ethernet  HWaddr 00:03:6D:1E:24:E2
          inet addr:  Bcast:
          RX packets:1468813 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1749139 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:10 Base address:0xde00

eth1      Link encap:Ethernet  HWaddr 00:03:6D:1E:3B:A1
          inet addr:  Bcast:
          RX packets:346850 errors:0 dropped:0 overruns:0 frame:0
          TX packets:221788 errors:0 dropped:0 overruns:0 carrier:0
          collisions:38306 txqueuelen:100
          Interrupt:11 Base address:0xda00

eth2      Link encap:Ethernet  HWaddr 00:03:6D:1D:FB:BB
          inet addr:  Bcast:
          RX packets:2241672 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2094453 errors:0 dropped:0 overruns:0 carrier:0
          collisions:225920 txqueuelen:100
          Interrupt:10 Base address:0xd800

lo        Link encap:Local Loopback
          inet addr:  Mask:
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1097978 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1097978 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

ppp0      Link encap:Point-to-Point Protocol
          inet addr:  P-t-P:
          RX packets:5968 errors:1 dropped:0 overruns:0 frame:0
          TX packets:6974 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3

It seems that the DNS packets are trying to go out via eth2 but DNS
working completely.
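As an added illustration (not part of Fred's post), here is a small Python model of how the kernel walks the policy rule database for the setup above: rules are tried in priority order, a rule whose table has no matching route falls through to the next one, and the first table that yields a route wins. The LAN prefix, the destination address and the `local` table contents are constructed; the priorities, marks and table names are the ones from the post. It shows why `ip route del default table main` is needed: with a default route still in `main` at prio 99, the `fwmark 2` rule at prio 101 is never reached.

```python
import ipaddress

# Constructed model of the poster's rule database: (priority, fwmark or None, table).
RULES = [
    (0,   None, "local"),
    (99,  None, "main"),
    (101, 2,    "ppp"),
    (110, None, "default"),
]

# Constructed tables: prefix -> outgoing device. The LAN prefix is made up;
# main deliberately has no default route, as in the post.
TABLES = {
    "local":   {"127.0.0.0/8": "lo"},
    "main":    {"192.168.1.0/24": "eth1"},
    "ppp":     {"0.0.0.0/0": "ppp0"},
    "default": {"0.0.0.0/0": "eth2"},
}

def table_lookup(table, dst):
    """Longest-prefix match inside one table; None when nothing matches."""
    best = None
    for prefix, dev in table.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def route(dst, fwmark=0, rules=RULES, tables=TABLES):
    """Return (table, device) chosen for a packet, or None if unreachable.

    A rule whose selector (here only fwmark) does not match is skipped; a rule
    whose table has no route for dst falls through to the next priority.
    """
    dst = ipaddress.ip_address(dst)
    for _prio, mark, name in sorted(rules, key=lambda r: r[0]):
        if mark is not None and mark != fwmark:
            continue
        dev = table_lookup(tables[name], dst)
        if dev is not None:
            return name, dev
    return None

def with_default_in_main():
    """Same setup but with the default route left in table main."""
    bad = {name: dict(routes) for name, routes in TABLES.items()}
    bad["main"]["0.0.0.0/0"] = "eth2"
    return bad

if __name__ == "__main__":
    print("DNS (mark 2):  ", route("198.51.100.53", fwmark=2))
    print("other traffic: ", route("198.51.100.53"))
    print("mark 2, default still in main:",
          route("198.51.100.53", fwmark=2, tables=with_default_in_main()))
```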


1. using fwmark routing rule on 2.2.x kernel

I have the problem:
I want to use routing based on some TCP protocol level data - it can be
theoretically done using "ip rule fwmark xxx" and corresponding ipchains
rule(s) (with -m option). In my case packets marked with "-m" option
should also be masqueraded.

My routing rules are:

ip ru add prio 100 lookup main
ip ru add prio 150 fwmark 1 lookup A
ip ru add prio 200 lookup B
ip ro flush table cache

both A and B tables contain one entry, let's say:
in A: 0/0 via a.b.c.d
in B: 0/0 via w.x.y.z

(a.b.c.d and w.x.y.z are connected to different router's interfaces)

I added the following ipchains rule (for simplicity condition here is
only destination host, but I need also some port-based conditions):

ipchains -A forward -d -m 1 -j MASQ

In this case packets to are masqueraded (and rule counters
are incremented), but they are sent via w.x.y.z (_NOT_ a.b.c.d).

When I also added marking ipchains rule to input chain
(ipchains -A input -d -m 1 -j ACCEPT)
I can see (using tools like tcpdump) masqueraded packets sent to via a.b.c.d, responses sent back from a.b.c.d to my router,
but router does not "demasquerade" them - originator receives nothing.
Packets are not rejected, just "annihilated" (??).

All tests were done from another host connected to third router's
interface (different than a.b.c.d and w.x.y.z are connected).
On router I have 2.2.16 kernel, all masquerading/routing options useful
in that case are enabled (I think so).

Can anyone explain to me the correct way of using policy routing based on
fwmark?
BTW: what is the order of interpreting input, forward, output chains and
routing rules during packet forwarding?


Lukasz Engel
