[clug] Routing disconnect

Kim Holburn kim.holburn at anu.edu.au
Fri Jan 23 05:37:26 GMT 2004

I think this might work but I have no way of testing it.

In recent versions of iptables there is a match module called recent.  You can use recent to "mark" packets for a queue.

# record the source address of each client that reaches the web port via eth0 (mangle table, since MARK only works there)
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -d tikiwiki.ip -m recent --set

# replies are generated locally, so they pass through OUTPUT, not PREROUTING; --rdest matches the reply's destination against the recorded sources
iptables -t mangle -A OUTPUT -p tcp --sport 80 -s tikiwiki.ip -m recent --rdest --rcheck --seconds 15 -j MARK --set-mark 1

Then use fwmark 1 in your routing table (from Chapter 11 of lartc):

># echo 201 mail.out >> /etc/iproute2/rt_tables
># ip rule add fwmark 1 table mail.out
># ip rule ls
>0: from all lookup local
>32764: from all fwmark 1 lookup mail.out
>32766: from all lookup main
>32767: from all lookup default
>Now we generate a route to the slow but cheap link in the mail.out table:
># /sbin/ip route add default via dev ppp0 table mail.out

The other way is to use routing based on source ip but it's a hassle.  I'm not sure I completely understand your network config anyway.

At 10:12 AM +1100 04/1/23, Doug Palmer wrote:
>My machine lives on an experimental network. I have a PPTP connection
>into the main network, so that I can collect mail, look at shared
>drives, etc. My routing is set up so that most IP traffic goes out
>through the experimental network, except for anything that is destined
>for the main local network.
>I recently set up TikiWiki. This all works fine and dandy for me and for
>anyone outside the main local network. But anyone inside the main local
>network can't see it. As far as I can see, what is happening is:
>1. Connection to port 80 arrives via eth0 from a main local network
>2. Return IP packets go out via ppp0 and the PPTP tunnel.
>3. This runs afoul of some "established connection" filter somewhere and
>the packets get zapped.
>I'd rather not turn over the entire existing routing and firewall
>infrastructure to fix this problem. So I was wondering if there is any
>routing software I can use that knows about established connections and
>can route accordingly? Or some other solution, since all I really want
>is traffic that started with a connection to port 80 to go out via a
>specific interface.

Kim Holburn 
Network Consultant - Telecommunications Engineering
Research School of Information Sciences and Engineering
Australian National University - Ph: +61 2 61258620 M: +61 0417820641
Email: kim.holburn at anu.edu.au  - PGP Public Key on request

Life is complex - It has real and imaginary parts.
     Andrea Leistra (rec.arts.sf.written.Robert-jordan)
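The recent-match plus fwmark setup from the reply above, assembled into one script (an added example, not code from the post or from LARTC). It prints the commands by default and only applies them with DRY_RUN=0; the addresses, the interface, the table name and the web-server IP are constructed placeholders.

```shell
#!/bin/sh
# Added example (not code from the post or from LARTC): generate, or apply, the
# "route replies back out the interface the request came in on" setup described
# above, using the iptables recent match plus fwmark policy routing.
# All addresses and names below are constructed placeholders.
WEB_IP="${WEB_IP:-192.0.2.10}"     # stands in for tikiwiki.ip
IN_IF="${IN_IF:-eth0}"             # interface the main-network clients arrive on
GW="${GW:-192.0.2.1}"              # next hop on the eth0 side (placeholder)
TABLE_ID="${TABLE_ID:-201}"
TABLE_NAME="${TABLE_NAME:-web.out}"
MARK=1
DRY_RUN="${DRY_RUN:-1}"            # 1 = print the commands, 0 = execute them (needs root)

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

reply_route_rules() {
  # 1. Remember the source address of every client that reaches the web port via eth0.
  #    A named list keeps this separate from any other users of the recent match.
  run iptables -t mangle -A PREROUTING -i "$IN_IF" -p tcp --dport 80 -d "$WEB_IP" \
      -m recent --name web --set
  # 2. Replies are generated locally, so they traverse mangle OUTPUT (never PREROUTING).
  #    --rdest checks the reply's destination against the recorded source addresses;
  #    the 15 s window is a heuristic, not connection tracking: a client idle longer
  #    than that falls back to the default route until it sends again.
  run iptables -t mangle -A OUTPUT -p tcp --sport 80 -s "$WEB_IP" \
      -m recent --name web --rdest --rcheck --seconds 15 -j MARK --set-mark "$MARK"
  # 3. Policy routing: marked packets consult a table whose only default route is eth0.
  run sh -c "grep -q '^$TABLE_ID ' /etc/iproute2/rt_tables || echo '$TABLE_ID $TABLE_NAME' >> /etc/iproute2/rt_tables"
  run ip rule add fwmark "$MARK" table "$TABLE_NAME"
  run ip route add default via "$GW" dev "$IN_IF" table "$TABLE_NAME"
}

reply_route_rules
```

Run it once in dry-run mode and compare the printed commands with the host's existing mangle and routing rules before applying them with DRY_RUN=0.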
