Full Discussion: iptables - MAC routing
Special Forums IP Networking iptables - MAC routing Post 302893307 by wabbit02 on Tuesday 18th of March 2014 12:13:07 PM
iptables - MAC routing

Hi all,

I have a solution where a system can have multiple physical interfaces but a single IP address. I am looking to insert a Squid proxy (that will also perform source NAT), but the return packets must go back to the correct interface.

The client network is 10.x.x.x.
The network between the gateway and the Squid box (where I am trying to install this routing) is 2.0.0.0/24.
The Squid box has eth2 at 0.0.0.0.
Bridge interface br0 has eth2 as a member and IP address 2.0.0.2/24.
The Squid box then has a second interface, eth3, on a public IP.

The default route is via eth3.

Add a route back to the client network:
Code:
ip ro add 10.1.1.0/24 via 2.0.0.2
iptables -t mangle -A PREROUTING -m mac --mac-source aa:aa:aa:aa:aa:aa -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark

ebtables -t nat -A OUTPUT -p ipv4 --ip-proto tcp --mark 1 -j dnat --to-destination aa:aa:aa:aa:aa:aa

iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE

Code:
[root]# cat /proc/net/nf_conntrack
ipv4     2 tcp      6 58 SYN_RECV src=10.1.1.80 dst=212.58.246.91 sport=1864 dport=80 src=212.58.246.91 dst=10.1.1.55 sport=80 dport=1864 mark=0 secmark=0 use=2

The issue seems to be that the mark is not being restored; a tcpdump on the interfaces shows the flows being forwarded correctly, but without the MAC mangling taking place.


Any thoughts on where I am going wrong?

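One check worth running on the Squid box before touching the ebtables rule is whether CONNMARK --save-mark is populating the conntrack entries at all: a conntrack line with mark=0 on the client side means the packet still carried mark 0 when --save-mark ran, most often because the -m mac rule in mangle PREROUTING did not match it. The script below is an added example, not code from the original post; it parses /proc/net/nf_conntrack in the format quoted above and lists every connection from the client network whose mark is still 0. The client prefix 10.1.1., the sample entries (constructed from the post's line plus two control entries) and the CT_FILE variable are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): list conntrack entries from the
# client network whose connection mark is still 0, i.e. entries for which
# "CONNMARK --save-mark" stored a zero mark.
#
# Assumptions: the client network is 10.1.1.0/24 as in the post (matched here
# as the string prefix "10.1.1."), and the input is the /proc/net/nf_conntrack
# format shown in the post (one entry per line, with a "mark=" field).

CLIENT_PREFIX="${CLIENT_PREFIX:-10.1.1.}"

# unmarked_conns FILE
# Prints "src:sport -> dst:dport STATE mark=0" for each matching entry.
# The first src=/dst=/sport=/dport= on a line describe the original direction;
# the second set is the reply direction and is ignored here.
unmarked_conns() {
    awk -v pfx="$CLIENT_PREFIX" '
    {
        src = ""; dst = ""; sport = ""; dport = ""; mark = ""
        # TCP entries carry a state word in field 6; UDP/ICMP entries do not.
        state = ($6 ~ /^src=/) ? "-" : $6
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src" && src == "") src = kv[2]
            else if (kv[1] == "dst" && dst == "") dst = kv[2]
            else if (kv[1] == "sport" && sport == "") sport = kv[2]
            else if (kv[1] == "dport" && dport == "") dport = kv[2]
            else if (kv[1] == "mark") mark = kv[2]
        }
        if (index(src, pfx) == 1 && mark == "0")
            printf "%s:%s -> %s:%s %s mark=%s\n", src, sport, dst, dport, state, mark
    }' "$1"
}

# count_unmarked FILE -> number of client-side entries with mark 0
count_unmarked() {
    unmarked_conns "$1" | wc -l | tr -d ' '
}

# Constructed sample input: the entry quoted in the post plus two control
# entries (a client connection that was marked, and a non-client UDP flow).
SAMPLE_CT=$(mktemp)
trap 'rm -f "$SAMPLE_CT"' EXIT
cat > "$SAMPLE_CT" <<'EOF'
ipv4     2 tcp      6 58 SYN_RECV src=10.1.1.80 dst=212.58.246.91 sport=1864 dport=80 src=212.58.246.91 dst=10.1.1.55 sport=80 dport=1864 mark=0 secmark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.1.1.81 dst=212.58.246.91 sport=1865 dport=80 src=212.58.246.91 dst=10.1.1.81 sport=80 dport=1865 [ASSURED] mark=1 secmark=0 use=2
ipv4     2 udp      17 29 src=2.0.0.9 dst=8.8.8.8 sport=5353 dport=53 src=8.8.8.8 dst=2.0.0.9 sport=53 dport=5353 mark=0 use=1
EOF

# Runs against the constructed sample by default; on the Squid box set
# CT_FILE=/proc/net/nf_conntrack to inspect the live table.
unmarked_conns "${CT_FILE:-$SAMPLE_CT}"
```

If the live table lists client connections with mark=0, the next thing to look at is the packet counter on the -m mac rule (iptables -t mangle -L PREROUTING -v -n): a counter that stays at zero while the connection count grows means the MAC match itself is not firing, so --save-mark has nothing to save and --restore-mark in POSTROUTING restores 0.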
Firewall mark classifier in tc(8)                                      Linux                                     Firewall mark classifier in tc(8)

NAME
       fw - fwmark traffic control filter

SYNOPSIS
       tc filter ... fw [ classid CLASSID ] [ action ACTION_SPEC ]

DESCRIPTION
       The fw filter classifies packets based on an fwmark previously set by iptables. If the mark is identical to the filter's handle, the filter matches. iptables can mark single packets with the MARK target, or whole connections using CONNMARK. The benefit of using this filter instead of doing the heavy lifting with tc itself is that, on the one hand, it can be convenient to keep packet filtering and classification in one place, possibly having to match a packet just once, and on the other hand users familiar with iptables but not tc will have a less hard time adding QoS to their setups.

OPTIONS
       classid CLASSID
              Push matching packets to the class identified by CLASSID.

       action ACTION_SPEC
              Apply an action from the generic actions framework on matching packets.

EXAMPLES
       Take e.g. the following tc filter statement:

              tc filter add ... handle 6 fw classid 1:1

       It will match if the packet's fwmark value is 6. This is a sample iptables statement marking packets coming in on eth0:

              iptables -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 6

SEE ALSO
       tc(8), iptables(8), iptables-extensions(8)

iproute2                                                          21 Oct 2015                                     Firewall mark classifier in tc(8)
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.