Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: iptables - MAC routing
Special Forums IP Networking iptables - MAC routing Post 302893307 by wabbit02 on Tuesday 18th of March 2014 12:13:07 PM
Old 03-18-2014
iptables - MAC routing
Hi all,

I have a solution where a system can have multiple physical interfaces but a single IP address. I am looking to insert a Squid proxy (that will also perform source NAT), but the return packets must go back to the correct interface.

client network is 10.x.x.x
network between the gateway and squidbox (where I am trying to install
this routing) is 2.0.0.0/24
Squid box has eth2 0.0.0.0
Bridge interface br0 with eth2 as a member and IP address 2.0.0.2/24
The Squidbox then has a second interface on public IP eth3

default route is via eth3

add a route back to the client network:
Code:
#ip ro add 10.1.1.0/24 via 2.0.0.2
iptables -A PREROUTING -t mangle  -m mac --mac-source
aa:aa:aa:aa:aa:aa -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -j CONNMARK --save-mark
iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark

ebtables -t nat -A OUTPUT  -p ipv4 --ip-proto tcp  --mark 1 -j dnat
--to-destination aa:aa:aa:aa:aa:aa

iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE

[root]# cat /proc/net/nf_conntrack
ipv4     2 tcp      6 58 SYN_RECV src=10.1.1.80 dst=212.58.246.91
sport=1864 dport=80 src=212.58.246.91 dst=10.1.1.55 sport=80
dport=1864 mark=0 secmark=0 use=2

The issue seems to be that the Mark is not being restored, a tcpdump on the interfaces shows the flows being forwarded correctly, but without the MAC mangling taking place.


any thoughts on where I am going wrong?
Last edited by Scott; 03-18-2014 at 09:19 PM.. Reason: Please use code tags; Moderator please add code tags
 

4 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Routing or Iptables connections by hostname or ip address

edit; I found a solution that works, see thread #3 https://www.unix.com/302417065-post3.html Hi there, I have a small dedicated server that has four ip addresses and by default my httpd sends request using the servers main ip for all outbound connections. I'm quite amateur at routing and... (4 Replies)
Discussion started by: mooofa
4 Replies

2. Cybersecurity

Configure iptables to allows list of MAC address

Hi all, I want to make this nw diagram: Small NW ---(eth1)-- Linux iptables --(eth0)---LAN NW And with these requirements: 1. Allow only 1 Mac address aa-aa-aa-aa-aa-aa from Small NW to LAN NW 2. Allow list of Mac addresses from LAN NW access to Small NW What will I... (2 Replies)
Discussion started by: blackthu80
2 Replies

3. IP Networking

iptables specific ip routing via tun

hi guys! I was searching few days for a solution to my problem but haven't found one or I'm too dumb to understand. Here's what happened: I have a linux server used as a router. It has an eth0 and eth1 (local interface). I just installed openvpn (I need it only as a client), I configured it and... (0 Replies)
Discussion started by: shamora
0 Replies

4. UNIX for Dummies Questions & Answers

iptables / ip route packet routing with multiple gateways

Hi all. Linux noob here. I was hoping someone could help me with configuring some routing rules on my router, an Asus AC68. The router is connected to two gateways, wan0_gateway and wan1_gateway. I have rules set up in the router gui that will push all traffic from every IP other than my own... (0 Replies)
Discussion started by: Bishi
0 Replies

LEARN ABOUT OPENSOLARIS

ip6tables-save

IPTABLES-SAVE(8)                                                  iptables 1.6.1                                                  IPTABLES-SAVE(8)

NAME

       iptables-save -- dump iptables rules to stdout

       ip6tables-save -- dump iptables rules to stdout

SYNOPSIS

       iptables-save [-M modprobe] [-c] [-t table]

       ip6tables-save [-M modprobe] [-c] [-t table]

DESCRIPTION

       iptables-save  and ip6tables-save are used to dump the contents of IP or IPv6 Table in easily parseable format to STDOUT. Use I/O-redirect-
       ion provided by your shell to write to a file.

       -M, --modprobe modprobe_program
              Specify the path to the modprobe program. By default, iptables-save will inspect /proc/sys/kernel/modprobe  to  determine  the  exe-
              cutable's path.

       -c, --counters
              include the current values of all packet and byte counters in the output

       -t, --table tablename
              restrict output to only one table. If not specified, output includes all available tables.

BUGS

       None known as of iptables-1.2.1 release

AUTHORS

       Harald Welte <laforge@gnumonks.org>
       Rusty Russell <rusty@rustcorp.com.au>
       Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-save.

SEE ALSO

       iptables-apply(8),iptables-restore(8), iptables(8)

       The  iptables-HOWTO, which details more iptables usage, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the
       internals.

iptables 1.6.1                                                                                                                    IPTABLES-SAVE(8)
All times are GMT -4. The time now is 02:47 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy