routeing, SNAT, MASQ, and fwmark

Stephen Frost sfrost@snowman.net
Sun, 26 Nov 2000 12:31:51 -0500


	Perhaps I can shed a bit more light here.  The problem appears to be,
for me, that MASQ'ing and SNAT'ing don't remember the outbound connection when
it was gotten to via fwmark when it comes back.

I'm running 2.4.0test11-ac3 on the router/masq'er.  All the other machines are
2.2 kernels.  I'm using the debian iptables package version 1.1.2-1.0, which is
based off of the 1.1.2 Oct. 11th 2000 release.

Here's the setup:

----------    ------------------   ----------   ----------
| client |----| router/masq'er |---| router |---| server |
----------    ------------------   ----------   ----------
         /\  /\                /\ /\        /\
tcpdumps ||  ||                || ||        ||
         1   2                 3  4         5

Routing via fwmark config:
ip ru add fwmark 1 table outbound
ip route add default via 'router' dev eth2 table outbound

iptables config:
iptables -t mangle -A PREROUTING -s 'client lan'/27 -j MARK --set-mark 1
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

In English:
For anything coming off of the client lan, mark it with '1'.
Route anything with a mark of '1' out eth2 to the default router on that segment
MASQ anything going out eth2

What I see:
1: client->server icmp echo request
2: client->server icmp echo request
3: router/masq'er->server icmp echo request
4: router/masq'er->server icmp echo request
5: router/masq'er->server icmp echo request
5: server->router/masq'er icmp echo reply
4: server->router/masq'er icmp echo reply
3: server->router/masq'er icmp echo reply
3: (off-and-on) server->client icmp echo reply

And that's it.  It never makes it back to point 2.

I'm not sure what the last thing means.  It *looks* like somehow tcpdump is
seeing the same stuff twice.  Here's an example of what I'm talking about:

-------------------------------------------------------
12:17:32.779382 router/masq'er > server: icmp: echo request
12:17:32.780669 server > client: icmp: echo reply
12:17:33.730508 router/masq'er > server: icmp: echo request
12:17:33.731787 server > router/masq'er: icmp: echo reply
12:17:34.720741 router/masq'er > server: icmp: echo request
12:17:34.721808 server > router/masq'er: icmp: echo reply
12:17:35.650296 router/masq'er > server: icmp: echo request
12:17:35.651580 server > client: icmp: echo reply
12:17:36.611582 router/masq'er > server: icmp: echo request
12:17:36.612646 server > client: icmp: echo reply
-------------------------------------------------------

What I don't understand is: If tcpdump is seeing the packets before and
after they've been unmasq'ed, then they *are* getting unmasq'ed and it
would likely be a problem in the routing code, but I can't imagine what
it would be, it's a directly connected interface, and I have set
/proc/sys/net/ipv4/ip_forward to 1.

Notes:
* client's default route is router/masq'er
* The router/masq'er actually has an interface on the server lan
* Without the fwmark routeing the router/masq'er would masq and send the
  echo request out the server interface

	Suggestions?  I am more than happy to provide any more information
if it would be useful.

		Thanks,

			Stephen
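An added example, not part of Stephen's message or of any iptables tooling, that runs a check over the tcpdump lines from point 3 above: it parses each ICMP echo line, pairs every reply with the request before it, and classifies the reply by whether it is still addressed to the masquerading host or already to the inside client. Hostnames are the placeholders from the diagram; the masquerading host's name is passed in as an argument.

```python
import re

# Constructed sample input: the tcpdump lines quoted in the message, as seen at
# point 3 (the outside interface of the router/masq'er). Placeholder hostnames.
CAPTURE_POINT_3 = """\
12:17:32.779382 router/masq'er > server: icmp: echo request
12:17:32.780669 server > client: icmp: echo reply
12:17:33.730508 router/masq'er > server: icmp: echo request
12:17:33.731787 server > router/masq'er: icmp: echo reply
12:17:34.720741 router/masq'er > server: icmp: echo request
12:17:34.721808 server > router/masq'er: icmp: echo reply
12:17:35.650296 router/masq'er > server: icmp: echo request
12:17:35.651580 server > client: icmp: echo reply
12:17:36.611582 router/masq'er > server: icmp: echo request
12:17:36.612646 server > client: icmp: echo reply
"""

# Matches the old tcpdump ICMP echo format: "<ts> <src> > <dst>: icmp: echo <kind>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"icmp: echo (?P<kind>request|reply)$"
)


def parse(text):
    """Return (timestamp, src, dst, kind) tuples for every echo line that parses."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append((m["ts"], m["src"], m["dst"], m["kind"]))
    return pkts


def audit_replies(pkts, masq_host):
    """Classify each echo reply relative to the request that preceded it.

    On the outside interface every reply should still be addressed to the
    masquerading host; a reply addressed to anything else was de-masqueraded
    before the tap saw it, or belongs to no request at all.
    """
    verdicts = []
    last_request = None
    for ts, src, dst, kind in pkts:
        if kind == "request":
            last_request = (src, dst)
            continue
        if last_request is None or src != last_request[1]:
            verdicts.append((ts, dst, "unmatched"))
        elif dst == masq_host:
            verdicts.append((ts, dst, "masqueraded"))
        else:
            verdicts.append((ts, dst, "already-unmasqueraded"))
    return verdicts


def summarize(verdicts):
    """Count replies per verdict, e.g. {'masqueraded': 2, 'already-unmasqueraded': 3}."""
    counts = {}
    for _, _, verdict in verdicts:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```

Run against the sample, three of the five replies come back already addressed to the client, matching the "off-and-on" behaviour described at point 3.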
