IPChains, FWMark, and Policy Routing...
Wed, 15 Aug 2001 13:25:32 -0700 (PDT)
--- "Michael H. Warfield" <firstname.lastname@example.org> wrote:
> Hello all...
> I've been beating this problem every which way and finally have to
> ask for some help...
> Here is my problem.
> I'm working on transitioning my firewall to 2.4.x (currently trying
> to work with 2.4.8). For a variety of reasons, I need to maintain some
> backward compatibility to 2.2.19, at least for a short while. Basically
> I need to be able to dual boot back to 2.2.19 while diagnosing OTHER
> problems associated with VPNs and device drivers (I'm the kernel maintainer
> for the serial port driver). Consequently, I have to stick with the
> ipchains module, at least for the short term or have to have two sets
> of firewall rules (one for IPChains and one for netfilter) and keep them
> in sync.
I may be biased, but IMNSHO you should really use iptables to do
your firewalling; iptables, AFAICS, is much better suited for this sort of
> The system has multiple ISDN lines, plus several ethernet
> interfaces, including one that is a broadband interface. One of the
> ISDN lines is the default route to the internet and serves to route
> a large block of fixed addresses to my site for research purposes.
> One of the things I have been doing with policy routing is
> to masquerade certain services (http, dns, ntp) and certain entire
> systems inside the firewall over to the broadband interface and out the
> nice fat (unreliable, single dynamic address) pipe while reserving my
> more limited (reliable, multiple static addresses) ISDN lines and
> static addresses for less bandwidth intensive uses.
> So... This works under 2.2.19. I use IPChains to mark the packet
> with a firewall mark and masquerade it and I use ip policy routing to
> ship it out through the broadband interface on eth0.
> Here are some specific examples (http specifically) from my scripts:
> In my ipchains startup:
> ipchains -A pol_inp -s 18.104.22.168/20 -d 0/0 80 -p 6 -j MASQ -m 5
> ipchains -A pol_fwd -s 22.214.171.124/20 -d 0/0 80 -p 6 -j MASQ -m 5
> pol_inp is linked to the input chain and pol_fwd is linked on the
> forward chain. Yes, I realized that having both the "-J MASQ" and "-m 5"
> on both rules is unnecessary, but that doesn't seem to be the source of the
> problem (later) with 2.4.8 and doesn't seem to break anything obvious.
> The following is performed by dhcpcd when he gets a lease and an
> address from the broadband...
> ip route add default via $GATEWAY table 4
> ip rule add from $IPADDR table 4
> ip rule add prio 300 from 126.96.36.199/20 fwmark 5 table 4 nat $IPADDR
> ip route flush cache
> IPADDR is the address of the broadband interface and GATEWAY is
> the next hop gateway out through that address.
> Now... This all works like a charm on 2.2.19. It even works
> perfectly when dhcpcd gets told to change the interface address (I left
> off the commands that clean up the old entries before adding the
> new entries - accept that it is there and it works).
> Now... This doesn't work with 2.4.8 and the ipchains module.
> Instead of being MASQed out the broadband interface, it is MASQed but
> out the ISDN interface and out the PPP default route instead. It's almost
> as if the firewall mark was either not being set in the ipchains module
> properly or not being recognized in the policy routing.
Well, first you should make sure that /proc/sys/net/ipv4/ip_forward
is set to 1. Next, did you enable the routing classifiers/algorithms under
"Networking options -> QoS and/or fair queueing" in the 2.4.8 kernel source?
IMHO you may also need to maintain two sets of the iproute2 package: one for
2.2's QoS stuff and one for 2.4's QoS stuff.
> Before anyone chimes in about past messages... I've been over the
> related messages in the past. Most of them refer to iptables and I've
> checked over the advice in them. Yes, I've checked (and set) ALL of the
> rp_filter entries in /proc to 0.
Somehow I don't think this would be a problem. AFAIK, rp_filter is
for weird packets with things like spoofed CIDR addresses. IMHO this should
not be a problem.
> I really would like to avoid having two sets of firewall rules
> during a transitional time. Assuming (and from other messages on this
> list, I think it's a very safe assumption) that this is working with
> iptables, does anyone know why it isn't working with ipchains or how
> to get it working with the ipchains module in netfilter?
Permanent e-mail: email@example.com
Current e-mail: firstname.lastname@example.org
Reply to the address I used in the message to you,
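Since the reply recommends moving to iptables, here is an added example (not from either poster) of a small POSIX sh helper that rewrites one of the ipchains MASQ/mark rules quoted above into its netfilter equivalent: the mark is set in the mangle table at PREROUTING so the policy-routing rule can see it, the masquerading moves to the nat table at POSTROUTING on the broadband interface, and the ip rule drops the `nat $IPADDR` clause because MASQUERADE does the address translation. The interface name (eth0) and the routing table number are assumptions passed in as arguments; prio 300 is taken from the post.

```shell
#!/bin/sh
# Translate one ipchains "-j MASQ -m N" rule into iptables + iproute2 form.
# Usage: ipchains_to_iptables OUT_IF TABLE <ipchains rule arguments...>
# OUT_IF (e.g. eth0) and TABLE (e.g. 4) are assumptions supplied by the caller.
ipchains_to_iptables() {
    out_if=$1; table=$2; shift 2
    src=0/0; dst=0/0; dport=''; proto=''; mark=''
    while [ $# -gt 0 ]; do
        case $1 in
            -s) src=$2; shift 2 ;;
            -d) dst=$2; shift 2
                # ipchains takes an optional port right after the address
                case ${1:-} in [0-9]*) dport=$1; shift ;; esac ;;
            -p) proto=$2; shift 2 ;;
            -m) mark=$2; shift 2 ;;
            -j) shift 2 ;;          # MASQ is implied by the conversion
            *)  shift ;;            # chain names and other args are ignored
        esac
    done
    # ipchains accepts protocol numbers; iptables --dport needs a name
    case $proto in 6) proto=tcp ;; 17) proto=udp ;; esac
    match="-s $src -d $dst"
    [ -n "$proto" ] && match="$match -p $proto"
    [ -n "$dport" ] && match="$match --dport $dport"
    [ -n "$mark" ] || { echo "rule has no -m mark, nothing to route on" >&2; return 1; }
    # 1. set the mark early enough for the routing decision to see it
    printf 'iptables -t mangle -A PREROUTING %s -j MARK --set-mark %s\n' "$match" "$mark"
    # 2. masquerade only what leaves via the broadband interface
    printf 'iptables -t nat -A POSTROUTING -o %s %s -j MASQUERADE\n' "$out_if" "$match"
    # 3. policy route on the mark; no "nat" clause, MASQUERADE does that
    printf 'ip rule add prio 300 from %s fwmark %s table %s\n' "$src" "$mark" "$table"
}

# Example: the http rule from the post, eth0 and table 4 assumed
ipchains_to_iptables eth0 4 -s 18.104.22.168/20 -d 0/0 80 -p 6 -j MASQ -m 5
```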