Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] SuSEfirewall2 (?) and advanced routing problem.
  • From: Peter Wiersig <wiersig@xxxxxxxxx>
  • Date: Tue, 22 Jan 2002 18:11:04 +0100
  • Message-id: <200201221706.SAA31074@xxxxxxxxxxxxx>
On Tuesday, 22 January 2002 17:11, Marcin Gryszczuk wrote:
> Peter Wiersig:
> > On Tuesday, 22 January 2002 11:58, Marcin Gryszczuk wrote:

> > > Problem is that I would like to forward part of the traffic (let say
> > > all squid proxy requests to my external server) via my 2-nd public
> > > interface (eth2). At the moment all traffic goes via default gateway
> > > (eth1). I have tried the example I could find in Adv-routing HOWTO -
> > > routing all SQUID packets to be forwarded via eth2 :
> > >
> > > iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 3128 -j MARK
> > > --set-mark 1
> > >
> > > My rule table looks like:
> > > #ip rule ls
> > > 0: from all lookup local
> > > 32765: from all fwmark 1 lookup ic.out
> > > 32766: from all lookup main
> > > 32767: from all lookup 253
> > >
> > > #ip route ls table ic.out
> > > default via y.y.y.97 dev eth2
> > >
> > > - but it does not work. What is strange I have had SuSe 6.3 before and
> > > under ipchains it worked perfectly!
> >
> >1) What was your ipchains line that enabled you to make your setup
> >functional?
>
> Oh, very similar in fact to the example one for iptables:
> ipchains -A input -i eth0 --dport 3128 -p tcp -j ACCEPT -m 1
> (making packets coming from eth0 and destined to any address on port 3128
> (the standard SQUID proxy server port) be marked with 1)
>
> >2) Are you sure that your proxy host has the right routing table?
>
> Of course, everything was working 3 days ago (before I made the change
> to 7.3 on my box). The proxy server is just another Linux box.


I have another suspicion: Your setup works for the first time ever.

But now you have the problem that your mangling strikes before the
masquerading works.

You seem to send out packets with source address 192.168.0.22 and the proxy
responds to this IP, but your kernel thinks that someone is attacking your
network with spoofed IP addresses and logs them as martian sources.

Like I said, this is my suspicion and I cannot confirm it. It's my idea of
how your networking problem

> My problem is that I can not force SuSE 7.3 to send part of the packet with
> not standard gateway (so if standard is on eth1 then I want to send part of
> the traffic on eth2 with marked packets).
>
> The scheme is a little different; shame on me that I did not make it earlier:
>
>            /---------\ --eth1 +---------+
>  /-----\   |         |        |         |
>  |Proxy|---|INTERNET |        | SuSE 7.3| eth0 --- Internal LAN
>  \-----/   |         |        |         |
>            \---------/ --eth2 +---------+

I would recommend that you don't mangle your packets, but that you masquerade
your packets the right way:

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE

and add a host route to the proxy (z.z.z.z) via eth2 with metric 2 and
change the default route's metric to 10.

route add -net 0.0.0.0 gw (IP <eth1>) metric 10
route del -net 0.0.0.0 gw (IP <eth1>) metric 0
route add -host z.z.z.z gw (IP <eth2>) metric 2

The goal is to have now the default gw pointing to the end of eth1 but with
an increased metric and another route to the proxy with a cheaper metric.

Please try this. I tried it and it seemed to work. The difference between this
setup and your setup is that all packets to z.z.z.z will traverse eth2.

Peter
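The setup Peter suggests above, written out as a script, as an added example that is not part of the original thread and not code from either poster. It masquerades the LAN on both public interfaces (so a packet steered out of eth2 does not leave with its private source, which is the martian-source failure Peter suspects), replaces the metric-0 default with a metric-10 one before deleting the old one, adds the cheaper host route to the proxy via eth2 in iproute2 syntax, and includes a check that counts kernel "martian source" lines in a log. All addresses are assumptions: the thread only gives 192.168.0.0/24, z.z.z.z for the proxy and y.y.y.97 for the gateway on eth2, so TEST-NET addresses stand in for them, and the sample log lines are constructed, not a real capture. By default the script only prints the commands (DRY_RUN=1); set DRY_RUN=0 and run it as root to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread: Peter's suggestion (masquerade on
# whichever public interface a packet leaves, steer traffic to the proxy over
# eth2 with a cheaper host route instead of fwmark) plus a martian-source check.
# All addresses are assumptions; the thread only gives 192.168.0.0/24,
# z.z.z.z (proxy) and y.y.y.97 (gateway on eth2). TEST-NET ranges are used.
LAN_NET="${LAN_NET:-192.168.0.0/24}"
PROXY="${PROXY:-203.0.113.10}"        # z.z.z.z in the thread (assumed value)
GW_ETH1="${GW_ETH1:-198.51.100.1}"    # current default gateway via eth1 (assumed)
GW_ETH2="${GW_ETH2:-192.0.2.97}"      # y.y.y.97 in the thread (assumed value)
DRY_RUN="${DRY_RUN:-1}"               # 1 = only print the commands; 0 = run them (root)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Masquerade LAN sources on both public interfaces. A forwarded packet that the
# kernel steers out of eth2 must not keep its 192.168.0.x source, or the proxy's
# reply comes back addressed to a private host and is logged as a martian.
masquerade_lan() {
    for ifc in eth1 eth2; do
        run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$ifc" -j MASQUERADE
    done
}

# The metric trick from the thread in iproute2 syntax: add the metric-10 default
# before deleting the metric-0 one so the box is never without a default route,
# then add the cheaper (metric 2) host route to the proxy via eth2.
route_proxy_via_eth2() {
    run ip route add default via "$GW_ETH1" dev eth1 metric 10
    run ip route del default via "$GW_ETH1" dev eth1 metric 0
    run ip route add "$PROXY/32" via "$GW_ETH2" dev eth2 metric 2
}

# Count kernel "martian source" lines for a source prefix on an interface.
# Kernel format: "martian source A from B, on dev IF"; such lines only appear
# when net.ipv4.conf.<if>.log_martians is enabled. Reads the log on stdin.
count_martians() {
    ifc="$1"; prefix="$2"
    grep -c "martian source ${prefix}.* on dev ${ifc}" || true
}

# Constructed sample log (not a real capture): what the suspected failure would
# look like, two replies from the proxy to the private address arriving on eth2.
SAMPLE_LOG='Jan 22 17:03:11 fw kernel: martian source 192.168.0.22 from 203.0.113.10, on dev eth2
Jan 22 17:03:12 fw kernel: martian source 192.168.0.22 from 203.0.113.10, on dev eth2
Jan 22 17:03:15 fw kernel: eth0: link up'

# Run the check against the embedded sample; returns the count on stdout.
martians_in_sample() {
    printf '%s\n' "$SAMPLE_LOG" | count_martians "$1" "$2"
}

main() {
    echo "# martian lines for 192.168.0.x on eth2 in sample log: $(martians_in_sample eth2 192.168.0.)"
    masquerade_lan
    route_proxy_via_eth2
}
main "$@"
```

Run `sh policy-route.sh` to see the commands in order, and `dmesg | count_martians eth2 192.168.0.` (with the functions sourced) on the real box before and after applying them; a non-zero count before and zero after is the evidence for Peter's suspicion. The masquerade rule on eth2 is the part a fwmark-based setup would also need, since the mark only changes the routing decision and not the source address.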
