On Tuesday, 22 January 2002 17:11, Marcin Gryszczuk wrote:
Peter Wiersig:
On Tuesday, 22 January 2002 11:58, Marcin Gryszczuk wrote:
The problem is that I would like to forward part of the traffic (let's say all squid proxy requests to my external server) via my second public interface (eth2). At the moment all traffic goes via the default gateway (eth1). I have tried the example I could find in the Adv-routing HOWTO - routing all SQUID packets to be forwarded via eth2:
iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 3128 -j MARK --set-mark 1
My rule table looks like:

# ip rule ls
0:      from all lookup local
32765:  from all fwmark 1 lookup ic.out
32766:  from all lookup main
32767:  from all lookup 253

# ip route ls table ic.out
default via y.y.y.97 dev eth2
- but it does not work. What is strange is that I had SuSE 6.3 before, and under ipchains it worked perfectly!
1) What was your ipchains-line which enabled you to make your set up functional?
Oh - very similar in fact to the example one for iptables:

ipchains -A input -i eth0 --dport 3128 -p tcp -j ACCEPT -m 1

(making packets coming from eth0 and destined to any address on port 3128 (the SQUID proxy server standard port) be marked with 1)
2) Are you sure that your proxy host has the right routing table?
Of course - everything was working 3 days ago (before I changed to 7.3 on my box). The proxy server is just another Linux box.
I have another suspicion: Your setup works for the first time ever. But now you have the problem that your mangling strikes before the masquerading works. You seem to send out packets with source address 192.168.0.22, and the proxy responds to this IP, but your kernel thinks that someone attacks your network with spoofed IP addresses and logs them as martian sources. Like I said, this is my suspicion and I cannot confirm it. It's my idea of how your networking problem
My problem is that I cannot force SuSE 7.3 to send part of the packets via a non-standard gateway (so if the standard one is on eth1, then I want to send part of the traffic, the marked packets, out on eth2).

The scheme is a little different - shame on me that I did not make it earlier:

             /---------\      --eth1 +---------+
  /-----\    |         |             |         |
  |Proxy|----|INTERNET |             | SuSE 7.3| eth0 --- Internal LAN
  \-----/    |         |             |         |
             \---------/      --eth2 +---------+
I would recommend that you don't mangle your packets, but that you masquerade your packets the right way:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0/0 -j MASQUERADE

and add a host route to the proxy (z.z.z.z) via eth2 with metric 2 and change the default route's metric to 10:

route add -net 0.0.0.0 netmask 0.0.0.0 gw (IP <eth1>) metric 10
route del -net 0.0.0.0 netmask 0.0.0.0 gw (IP <eth1>) metric 0
route add -host z.z.z.z gw (IP <eth2>) metric 2

The goal is to have the default gw still pointing to the far end of eth1, but with an increased metric, and another route to the proxy with a cheaper metric. Please try this. I tried it and it seemed to work. The difference between this setup and your setup is that all packets to z.z.z.z will traverse eth2.

Peter
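As an added example (not from either poster), the script below combines the mark-based setup from the thread (tcp/3128 marked with 1, looked up in table ic.out, default via y.y.y.97 on eth2) with the masquerading on the eth2 path that Peter suspects is missing; 192.168.0.0/24 as the LAN prefix is taken from Peter's masquerade rule, and the table name ic.out is assumed to already be declared in /etc/iproute2/rt_tables as in the original post. By default it only prints the commands; run it with DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Added example: policy-route Squid traffic (tcp/3128) from the LAN out via
# eth2 and masquerade on both uplinks. Values below follow the thread;
# y.y.y.97 is the thread's own placeholder for the eth2 gateway.
LAN_NET="${LAN_NET:-192.168.0.0/24}"
LAN_IF="${LAN_IF:-eth0}"
DEFAULT_IF="${DEFAULT_IF:-eth1}"
ALT_IF="${ALT_IF:-eth2}"
ALT_GW="${ALT_GW:-y.y.y.97}"
ALT_TABLE="${ALT_TABLE:-ic.out}"   # assumed to exist in rt_tables
MARK=1
SQUID_PORT=3128
DRY_RUN="${DRY_RUN:-1}"            # 1 = only print the commands

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Emit (or apply) the whole configuration in dependency order.
setup_squid_policy_routing() {
    # 1. Mark Squid-bound packets as they arrive from the LAN. mangle/PREROUTING
    #    runs before the routing decision, so the mark can select the table.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp \
        --dport "$SQUID_PORT" -j MARK --set-mark "$MARK"
    # 2. Send marked packets to the alternate table, whose only route is a
    #    default through the second uplink.
    run ip rule add fwmark "$MARK" lookup "$ALT_TABLE"
    run ip route add default via "$ALT_GW" dev "$ALT_IF" table "$ALT_TABLE"
    # 3. Masquerade on both uplinks. Without the eth2 rule, marked packets
    #    leave with their private 192.168.0.x source address and the proxy's
    #    replies cannot return (the martian-source symptom Peter describes).
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$DEFAULT_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$ALT_IF" -j MASQUERADE
    # 4. Drop cached routing decisions so the new rule applies immediately.
    run ip route flush cache
}

# Default invocation prints the plan; DRY_RUN=0 applies it (needs root).
setup_squid_policy_routing
```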