Networking Forums
source based routing help needed

 
 
Jack Snodgrass

 
      02-28-2008, 01:24 AM
I've been doing linux for a long time, but never have gotten the hang of
source based routing. I need to set this up now so I am seeing if someone
can help me out... I've seen lots of examples using ppp0/ppp1 and ip
addresses... but I just can't get a handle on this for my setup.

I have
eth0 ( local network )
tun1 ( web server traffic that comes in via a tunnel )

any traffic that comes in via the tun1 interface needs to go
back out the tun1 interface.

any traffic that comes in on the eth0 interface needs to go back
out on the eth0 interface.

I have this sort of working using standard routing where the 'default'
route goes over my tunnel so any web traffic that comes in, goes back
out that way correctly and I have my private network stuff set up to
route via eth0. The issue I have with this is that if the web server
does something like a yum update... the default route uses the tunnel
and I want it to use the eth0 interface.

How can I get source based routing to work on just the eth0 / tun1
interfaces?

Thanks - jack

Ashish Shukla आशीष शुक्ल

 
      02-28-2008, 05:49 PM
>>>>> Jack Snodgrass writes:

Jack> I've been doing linux for a long time, but never have gotten the hang of
Jack> source based routing. I need to set this up now so I am seeing if someone
Jack> can help me out... I've seen lots of examples using ppp0/ppp1 and ip
Jack> addresses... but I just can't get a handle on this for my setup.

Jack> I have
Jack> eth0 ( local network )
Jack> tun1 ( web server traffic that comes in via a tunnel )

Jack> any traffic that comes in via the tun1 interface needs to go
Jack> back out the tun1 interface.

Jack> any traffic that comes in on the eth0 interface needs to go back
Jack> out on the eth0 interface.

Jack> I have this sort of working using standard routing where the 'default'
Jack> route goes over my tunnel so any web traffic that comes in, goes back
Jack> out that way correctly and I have my private network stuff set up to
Jack> route via eth0. The issue I have with this is that if the web server
Jack> does something like a yum update... the default route uses the tunnel
Jack> and I want it to use the eth0 interface.

I'm a little confused here. If you don't make the tunnel 'tun1' the default
route, and make 'eth0' the default instead, what happens? I assume the
following happens, but I'm not sure, so correct me if I'm wrong:

tun1 - 192.168.1.1/24, eth0 - 10.0.2.1/24 (default route)

So if the webserver listening on 192.168.1.1 receives a packet from
10.3.4.5 on tun1, when it replies back, the reply goes out via eth0 (the
gateway), since 10.3.4.5 belongs to none of the local networks. So
there is absolutely no relation between the routing of the packet from
10.3.4.5 and the packet to 10.3.4.5, right?

Jack> How can I get source based routing to work on just the eth0 / tun1
Jack> interfaces?

You need to set up some routing rules.

$tun1_gateway - tun1 gateway IPv4 address
$eth0_gateway - eth0 gateway IPv4 address
$tun1_ip - tun1 IPv4 address
$eth0_ip - eth0 IPv4 address

----8<----8<----
root@host # ip route add default via $tun1_gateway table 100
root@host # ip route add default via $eth0_gateway table 101
root@host # ip rule add from $tun1_ip table 100
root@host # ip rule add from $eth0_ip table 101
---->8---->8----

The above commands will create 2 source-based rules, which basically
intend to route outgoing packets via the interface corresponding to
the packet's source address.

----8<----8<----
root@host # ip route add default via $eth0_gateway
---->8---->8----

And the above command will choose eth0 as the default route.

For more information, check out LARTC[1].

References:
[1] - http://www.lartc.org/

HTH
--
Ashish Shukla आशीष शुक्ल http://wahjava.wordpress.com/
Pascal Hambourg

 
      02-28-2008, 06:31 PM
Hello,

Ashish Shukla wrote:
>
> I'm a little confused here. If you don't make the tunnel 'tun1' the default
> route, and make 'eth0' the default instead, what happens? I assume the
> following happens, but I'm not sure, so correct me if I'm wrong:
>
> tun1 - 192.168.1.1/24, eth0 - 10.0.2.1/24 (default route)
>
> So if the webserver listening on 192.168.1.1 receives a packet from
> 10.3.4.5 on tun1, when it replies back, the reply goes out via eth0 (the
> gateway), since 10.3.4.5 belongs to none of the local networks. So
> there is absolutely no relation between the routing of the packet from
> 10.3.4.5 and the packet to 10.3.4.5, right?


I guess that there is some NAT involved, so routing has to be symmetrical.

> Jack> How can I get source based routing to work on just the eth0 / tun1
> Jack> interfaces?
>
> You need to set up some routing rules.
>
> $tun1_gateway - tun1 gateway IPv4 address
> $eth0_gateway - eth0 gateway IPv4 address
> $tun1_ip - tun1 IPv4 address
> $eth0_ip - eth0 IPv4 address
>
> ----8<----8<----
> root@host # ip route add default via $tun1_gateway table 100
> root@host # ip route add default via $eth0_gateway table 101
> root@host # ip rule add from $tun1_ip table 100
> root@host # ip rule add from $eth0_ip table 101
> ---->8---->8----
>
> The above commands will create 2 source-based rules, which basically
> intend to route outgoing packets via the interface corresponding to
> the packet's source address.


To do things properly you need to add routes overriding the source-based
default routes in each table when the destination is in a directly
attached network:

$eth0_subnet - IP subnet on eth0
$tun1_subnet - IP subnet or peer address on tun1

ip route add $eth0_subnet dev eth0 table 100
ip route add $tun1_subnet dev tun1 table 101
Jack Snodgrass

 
      02-29-2008, 09:51 AM
On Thu, 28 Feb 2008 02:24:21 +0000, Jack Snodgrass wrote:

> I've been doing linux for a long time, but never have gotten the hang of
> source based routing. I need to set this up now so I am seeing if
> someone can help me out... I've seen lots of examples using ppp0/ppp1
> and ip addresses... but I just can't get a handle on this for my setup.
>
> I have
> eth0 ( local network )
> tun1 ( web server traffic that comes in via a tunnel )
>
> any traffic that comes in via the tun1 interface needs to go back out
> the tun1 interface.
>
> any traffic that comes in on the eth0 interface needs to go back out on
> the eth0 interface.
>
> I have this sort of working using standard routing where the 'default'
> route goes over my tunnel so any web traffic that comes in, goes back
> out that way correctly and I have my private network stuff set up to
> route via eth0. The issue I have with this is that if the web server
> does something like a yum update... the default route uses the tunnel
> and I want it to use the eth0 interface.
>
> How can I get source based routing to work on just the eth0 / tun1
> interfaces?
>
> Thanks - jack


Thanks... I kind of sort of came up with something that works... I added
a "100 tunnel" entry to my /etc/iproute2/rt_tables file and then I use:

iptables -t mangle -A OUTPUT -p tcp --src 10.10.3.2 --sport 80 -j MARK --set-mark 0x2
iptables -t mangle -A OUTPUT -p tcp --src 10.10.3.2 --sport 25 -j MARK --set-mark 0x2
ip rule add fwmark 0x2 table tunnel
ip route add default via 10.10.3.1 table tunnel


and that seems to do the trick. I really only want to do this for web and
mail so specifying the individual ports is fine.... Anything that
comes in for those ports from my tunnel gets marked and routed back out
the tunnel. Everything else ( local network ) just goes over the default
route which happens to be the local network.

Pascal Hambourg

 
      02-29-2008, 10:31 AM
Jack Snodgrass wrote:
>
> Thanks... I kind of sort of came up with something that works... I added
> a "100 tunnel" entry to my /etc/iproute2/rt_tables file and then I use:
>
> iptables -t mangle -A OUTPUT -p tcp --src 10.10.3.2 --sport 80 -j MARK --set-mark 0x2
> iptables -t mangle -A OUTPUT -p tcp --src 10.10.3.2 --sport 25 -j MARK --set-mark 0x2
> ip rule add fwmark 0x2 table tunnel
> ip route add default via 10.10.3.1 table tunnel
>
> and that seems to do the trick. I really only want to do this for web and
> mail so specifying the individual ports is fine.... Anything that
> comes in for those ports from my tunnel gets marked and routed back out
> the tunnel.


This is not what the above rules do. They just mark locally generated
outgoing packets matching a specific source address and port. They do not
take into account which interface the original packets came from.
This would require the use of the iptables 'CONNMARK' target, e.g.:

# mark incoming connections received on tun1
iptables -t mangle -A PREROUTING -i tun1 -m state --state NEW,RELATED \
-j CONNMARK --set-mark 0x2
# copy the connection mark to outgoing packets
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
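The whole setup from this thread in one script, as an added example that is not code from any of the posters: Ashish's source-address rules, Pascal's directly attached subnet routes, and the CONNMARK marking from his last reply. 10.10.3.1/10.10.3.2 are the tunnel addresses Jack posted; the eth0 addresses, the interface names as variables, and the rp_filter setting are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the source-address rules, the
# directly attached subnet routes and the CONNMARK marking in one script.
# 10.10.3.1/10.10.3.2 are the tunnel gateway/address Jack posted; the eth0
# values are constructed. DRY_RUN=1 prints the commands instead of running
# them, which is the only mode that works without root and the interfaces.
TUN1_IP=${TUN1_IP:-10.10.3.2};   TUN1_GW=${TUN1_GW:-10.10.3.1}
TUN1_SUBNET=${TUN1_SUBNET:-10.10.3.0/24}
ETH0_IP=${ETH0_IP:-192.168.1.10}; ETH0_GW=${ETH0_GW:-192.168.1.1}
ETH0_SUBNET=${ETH0_SUBNET:-192.168.1.0/24}
TUN_TABLE=100; ETH_TABLE=101; TUN_MARK=0x2   # table numbers from the thread

run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# fill_table TABLE GATEWAY DEV: directly attached subnets first, so a packet
# to a host on either local network is never sent to the other gateway.
fill_table() {
    run ip route replace "$ETH0_SUBNET" dev eth0 table "$1"
    run ip route replace "$TUN1_SUBNET" dev tun1 table "$1"
    run ip route replace default via "$2" dev "$3" table "$1"
}

setup_policy_routing() {
    # An empty variable would turn "default via" into a broken command.
    for v in TUN1_IP TUN1_GW TUN1_SUBNET ETH0_IP ETH0_GW ETH0_SUBNET; do
        eval "[ -n \"\$$v\" ]" || { echo "missing $v" >&2; return 1; }
    done
    fill_table "$TUN_TABLE" "$TUN1_GW" tun1
    fill_table "$ETH_TABLE" "$ETH0_GW" eth0
    # Source-address rules; delete first so re-running does not stack copies.
    run ip rule del from "$TUN1_IP" table "$TUN_TABLE" 2>/dev/null || true
    run ip rule del from "$ETH0_IP" table "$ETH_TABLE" 2>/dev/null || true
    run ip rule add from "$TUN1_IP" table "$TUN_TABLE"
    run ip rule add from "$ETH0_IP" table "$ETH_TABLE"
    # Connection marks: remember that a connection arrived on tun1 and route
    # its reply packets by that mark, whatever their source port.
    run iptables -t mangle -A PREROUTING -i tun1 -m state --state NEW \
        -j CONNMARK --set-mark "$TUN_MARK"
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run ip rule del fwmark "$TUN_MARK" table "$TUN_TABLE" 2>/dev/null || true
    run ip rule add fwmark "$TUN_MARK" table "$TUN_TABLE"
    # Strict reverse-path filtering (rp_filter=1) drops packets arriving on tun1
    # from addresses whose main-table route points at eth0; loose mode is assumed
    # acceptable on the tunnel interface here.
    run sysctl -q -w net.ipv4.conf.tun1.rp_filter=2
}

# "sh policy-routing.sh apply" configures the host; anything else only prints.
if [ "${1:-}" = apply ]; then setup_policy_routing; else DRY_RUN=1 setup_policy_routing; fi
```

Review the printed commands first; with the "tunnel" name from Jack's rt_tables entry, table 100 can be referred to by that name as well.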