split access routing: how to direct NEW connections

Hi!

Ok, I have what would seem like a really simple setup: a linux machine
(debian woody) with two network cards and split access. One of the split
access connections has a static IP, the other a dynamic IP. I would like
to route default traffic through the dynamic IP but need to route certain
things (specifically SMTP so as not to get killed by RBL/DUL) through the
static IP. I have successfully configured this so it will reply to
incoming connections via the source interface.

Now for the problem: I would like to have all traffic originating on the
linux box and destined for port 25 sent trough the static IP and all
other traffic through dynamic.

I tried this:

# route add default gw "dynamic"
# iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 1
# ip rule add fwmark 1 table static

For some reason I do not understand this fails. The outbound packets are
correctly sent via the static interface as I can verify on the server
being connected to, but the connection is then never established. The
destination server shows the connection hanging in SYN_RECV state.
However, if I set the default gateway to also be the static IP this
works, albeit sluggishly.

Any ideas or suggestions welcome!

Rudolf

--
The biggest spendings on MY credit card are Pizza ...
.... and Patents.
Rudolf, Dec. 15, 2002

Rudolf Potucek wrote:

> ...The outbound packets are
> correctly sent via the static interface as I can verify on the server
> being connected to, but the connection is then never established. The
> destination server shows the connection hanging in SYN_RECV state.

Could it be that the smtp server has a route to your
static IP which goes through your dynamic IP? Or that
its route to your host simply goes to your dynamic IP?
In that case the client sends out SYN on static and
expects a reply on it, the server sends SYN/ACK to the
dynamic, iptables see a SYN/ACK to a SYN that was never
sent out that inteface and drop it, so then both client
and server end up hanging, waiting for the other, until
they time out.

This situation could easily be caused by DNS, if for
instance your static IP starts talking as host.example.com
while host.example.com resolves to your dynamic IP. Try
giving your interfaces different hostnames and see if
it makes any difference.

Z

[Snip]pets of what Zenon Panoussis <(E-Mail Removed)> wrote:

: Rudolf Potucek wrote:
: Could it be that the smtp server has a route to your
: static IP which goes through your dynamic IP? Or that
: its route to your host simply goes to your dynamic IP?
: In that case the client sends out SYN on static and
: expects a reply on it, the server sends SYN/ACK to the
: dynamic, iptables see a SYN/ACK to a SYN that was never
: sent out that inteface and drop it, so then both client
: and server end up hanging, waiting for the other, until
: they time out.

I figured this had to be the case but there is no reason
that the destination should see my machine as anything
other than the static IP ... unless there is another
connection being established via the default GW.

: This situation could easily be caused by DNS, if for
: instance your static IP starts talking as host.example.com
: while host.example.com resolves to your dynamic IP. Try
: giving your interfaces different hostnames and see if
: it makes any difference.

Not in this case because if I set the default GW to the static
IP everything works and there is no change in the DNS behavior.
I shall need to investigate further ...

R

--
The more sophisticated you [become], the less you [rely] on fear and pain
to keep you alive; you [can] afford to ignore them because you [have]
other means of coping with the consequences if things [go] badly wrong.

-- Iain Banks, Look to Windward