iptables - MAC routing
# 1  
Old 03-18-2014
iptables - MAC routing

Hi all,

I have a solution where a system can have multiple physical interfaces but a single IP address. I am looking to insert a Squid proxy (that will also perform source NAT), but the return packets must go back to the correct interface.

Client network is 10.x.x.x.
Network between the gateway and squidbox (where I am trying to install this routing) is 2.0.0.0/24.
Squid box has eth2 0.0.0.0.
Bridge interface br0 with eth2 as a member and IP address 2.0.0.2/24.
The Squidbox then has a second interface on public IP eth3.

Default route is via eth3.

Add a route back to the client network:
Code:
#ip ro add 10.1.1.0/24 via 2.0.0.2
iptables -A PREROUTING -t mangle -m mac --mac-source aa:aa:aa:aa:aa:aa -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -j CONNMARK --save-mark
iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark

ebtables -t nat -A OUTPUT -p ipv4 --ip-proto tcp --mark 1 -j dnat --to-destination aa:aa:aa:aa:aa:aa

iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE

[root]# cat /proc/net/nf_conntrack
ipv4     2 tcp      6 58 SYN_RECV src=10.1.1.80 dst=212.58.246.91 sport=1864 dport=80 src=212.58.246.91 dst=10.1.1.55 sport=80 dport=1864 mark=0 secmark=0 use=2

The issue seems to be that the mark is not being restored: a tcpdump on the interfaces shows the flows being forwarded correctly, but without the MAC mangling taking place.

Any thoughts on where I am going wrong?

# 2  
Old 03-18-2014
I don't really understand the point of having a bridge with only one member.

If a connection passes through squid, it will lose any fancy network markings unless you instruct squid itself to add them somehow.
# 3  
Old 03-18-2014
I am hoping that the bridge will give me access to ebtables - which allows the mangling of the MAC. In this case it's more of a logical interface.
# 4  
Old 03-18-2014
Sounds like something we did to avoid manual router config for odd IP destinations: add entries to the ARP server on any local host so packets to an additional IP device installed in a host on the local net would be directed on that host's local net IP/MAC. Once these packets rise through the ethernet layer into the IP Stack, it recognizes them as local and delivers them without IP forwarding.
# 5  
Old 03-19-2014
I believe I have found the solution using shorewall - and replicated it using iptables.

The following config seems to yield results - however, I have not been able to find any good description of the use of nfmask and ctmask.

Code:
# POSTROUTING: packets that carry no mark in the low byte get the connection's
# saved mark copied back (low byte only); packets already marked are left alone
iptables -t mangle -A POSTROUTING -m mark --mark 0x0/0xff -j CONNMARK --restore-mark --nfmask 0xff --ctmask 0xff
iptables -t mangle -A POSTROUTING -m mark ! --mark 0x0/0xff -j RETURN

# PREROUTING: mark packets from the client MAC, store that mark on the
# conntrack entry (low byte only), and stop processing marked packets
iptables -t mangle -A PREROUTING -m mac --mac-source aa:aa:aa:aa:aa:aa -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -m mark ! --mark 0x0/0xff -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
iptables -t mangle -A PREROUTING -m mark ! --mark 0x0/0xff -j RETURN

# ebtables: rewrite the destination MAC of outgoing TCP frames that carry mark 2
ebtables -t nat -A OUTPUT -p IPv4 --ip-proto tcp --mark 2 -j dnat --to-dst aa:aa:aa:aa:aa:aa --dnat-target ACCEPT

Does anyone have a good description (or a link to one)?
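The masks asked about in post #5 follow the arithmetic documented for the iptables CONNMARK target: --save-mark computes ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask), and --restore-mark computes nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask), where nfmark is the packet mark and ctmark the conntrack entry's mark. The script below is an added example, not code from the thread or from iptables itself: it models that arithmetic and walks the post #5 rules for one connection; the function names are this example's own.

```shell
#!/bin/sh
# Model of the CONNMARK --save-mark / --restore-mark arithmetic as documented
# for the iptables CONNMARK target (function names are this example's own):
#   --save-mark:    ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)
#   --restore-mark: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)
# nfmark is the packet mark, ctmark the conntrack entry's mark; hex is accepted.

# connmark_save NFMARK CTMARK NFMASK CTMASK -> prints the new ctmark
connmark_save() {
    echo $(( ($2 & ~$4) ^ ($1 & $3) ))
}

# connmark_restore NFMARK CTMARK NFMASK CTMASK -> prints the new nfmark
connmark_restore() {
    echo $(( ($1 & ~$3) ^ ($2 & $4) ))
}

# mark_matches NFMARK VALUE MASK -> succeeds when "-m mark --mark VALUE/MASK" matches
mark_matches() {
    [ $(( $1 & $3 )) -eq $(( $2 & $3 )) ]
}

# Walk the post #5 rules for one connection: the first packet from the client
# MAC through PREROUTING, then a later packet of the same connection in
# POSTROUTING. Prints the packet mark that POSTROUTING packet ends up carrying.
walk_thread_rules() {
    nfmark=0; ctmark=0      # new packet, new conntrack entry

    # PREROUTING: -m mac --mac-source aa:... -j MARK --set-mark 2
    nfmark=2
    # PREROUTING: -m mark ! --mark 0x0/0xff -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
    if ! mark_matches "$nfmark" 0x0 0xff; then
        ctmark=$(connmark_save "$nfmark" "$ctmark" 0xff 0xff)
    fi

    # Later packet of the same connection: a fresh skb starts with mark 0,
    # only the conntrack entry remembers the saved ctmark.
    nfmark=0
    # POSTROUTING: -m mark --mark 0x0/0xff -j CONNMARK --restore-mark --nfmask 0xff --ctmask 0xff
    if mark_matches "$nfmark" 0x0 0xff; then
        nfmark=$(connmark_restore "$nfmark" "$ctmark" 0xff 0xff)
    fi
    echo "$nfmark"
}
```

A mask of 0xff confines both copies to the low byte, so a mark held in higher bits survives the restore: connmark_restore 0x100 2 0xff 0xff gives 0x102.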