[PLUG] Routing problem...

drew wymore drew.wymore at gmail.com
Wed Dec 23 06:09:25 UTC 2009


On Tue, Dec 22, 2009 at 9:56 PM, wes <plug at the-wes.com> wrote:

> On Tue, Dec 22, 2009 at 12:50 PM, Michael Robinson <plug_1 at robinson-west.com> wrote:
>
> > > what DOES happen when the destination is 192.168.1.0/24? Can you provide a
> > > traceroute?
> > >
> > > I don't know what "table 3" means, but I'm pretty sure that if it doesn't
> > > show up in "ip route list" it's not going to be effective.
> > >
> > > From the ip(8) man page:
> > >
> > > ...
> > > Route tables: Linux-2.x can pack routes  into  several  routing  tables
> > > identified  by  a number in the range from 1 to 255 or by name from the
> > > file /etc/iproute2/rt_tables main table (ID 254) and  the  kernel  only
> > > uses this table when calculating routes.
> > > ...
> > >
> > > On my system, ip route list gives the same output as ip route list table
> > > 254. I would expect the same result on your system.
> > >
> > > -wes
> >
> > Dodo is a Fedora Core 1 network root system:
> > Linux dodo.w2.robinson-west.pri 2.4.22-1.2115.nptlcustom2 #1 Sun Jun 29 20:59:36 PDT 2008 i686 i686 i386 GNU/Linux
> >
> > [root at dodo firewall]# ping -c3 192.168.1.1
> > connect: Network is unreachable
> > [root at dodo firewall]#
> >
> > [root at dodo firewall]# ip rule show
> > 0:      from all lookup local
> > 32764:  from all fwmark 0x3 lookup 3
> > 32765:  from all fwmark 0x2 lookup 2
> > 32766:  from all lookup main
> > 32767:  from all lookup 253
> > [root at dodo firewall]#
> >
> > [root at dodo firewall]# ip route show table local
> > local 192.168.3.1 dev eth0  proto kernel  scope host  src 192.168.3.1
> > local 192.168.3.17 dev eth0  proto kernel  scope host  src 192.168.3.17
> > broadcast 192.168.3.0 dev eth0  proto kernel  scope link  src 192.168.3.1
> > broadcast 192.168.3.16 dev eth0  proto kernel  scope link  src 192.168.3.17
> > broadcast 192.168.0.255 dev eth1  proto kernel  scope link  src 192.168.0.2
> > broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
> > local 192.168.5.2 dev eth1  proto kernel  scope host  src 192.168.5.2
> > local 192.168.5.3 dev eth1  proto kernel  scope host  src 192.168.5.2
> > local 192.168.5.4 dev eth1  proto kernel  scope host  src 192.168.5.2
> > broadcast 192.168.4.15 dev eth2  proto kernel  scope link  src 192.168.4.1
> > broadcast 192.168.4.0 dev eth2  proto kernel  scope link  src 192.168.4.1
> > broadcast 192.168.0.0 dev eth1  proto kernel  scope link  src 192.168.0.2
> > local 192.168.4.1 dev eth2  proto kernel  scope host  src 192.168.4.1
> > local 192.168.0.2 dev eth1  proto kernel  scope host  src 192.168.0.2
> > broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
> > broadcast 192.168.3.15 dev eth0  proto kernel  scope link  src 192.168.3.1
> > broadcast 192.168.3.31 dev eth0  proto kernel  scope link  src 192.168.3.17
> > local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
> > broadcast 192.168.5.15 dev eth1  proto kernel  scope link  src 192.168.5.2
> > local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1
> > [root at dodo firewall]#
> >
> > [root at dodo firewall]# ip route show table 3
> > 192.168.1.0/24 via 192.168.3.2 dev eth0
> > [root at dodo firewall]#
> >
> > [root at dodo firewall]# ip route show table 2
> > 192.168.1.0/24 via 192.168.3.18 dev eth0
> > [root at dodo firewall]#
> >
> > [root at dodo firewall]# ip route show table main
> > 192.168.4.16/28 via 192.168.4.2 dev eth2
> > 192.168.4.0/28 dev eth2  scope link
> > 192.168.5.0/28 dev eth1  proto kernel  scope link  src 192.168.5.2
> > 192.168.3.0/28 dev eth0  proto kernel  scope link  src 192.168.3.1
> > 192.168.4.48/28 via 192.168.4.2 dev eth2
> > 192.168.3.16/28 dev eth0  scope link
> > 192.168.4.32/28 via 192.168.4.2 dev eth2
> > 192.168.0.0/24 dev eth1  scope link
> > 127.0.0.0/8 dev lo  scope link
> > [root at dodo firewall]#
> >
> > [root at dodo firewall]# ip route show table 253
> > [root at dodo firewall]#
> >
> > [root at dodo firewall]# iptables -nvL -t mangle
> > Chain PREROUTING (policy ACCEPT 576K packets, 127M bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >   879 66553 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0          MAC 00:02:E3:02:C8:8F MARK set 0x3
> >   144 10713 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0          MAC 00:40:F4:2D:AF:5C MARK set 0x2
> >    95 29259 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0          MARK set 0x3
> >
> > Chain INPUT (policy ACCEPT 576K packets, 127M bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain FORWARD (policy ACCEPT 178 packets, 52674 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain OUTPUT (policy ACCEPT 552K packets, 151M bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain POSTROUTING (policy ACCEPT 552K packets, 151M bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> > [root at dodo firewall]#
> >
> > If I understand things correctly, when fwmark 0x3 is seen
> > routing table 3 should be used and when fwmark 0x2 is seen
> > routing table 2 should be used.
> >
> > If I do:
> >
> > ip rule add table 2
> > or
> > ip rule add table 3
> >
> > then this table will get used and ping works.
> >
> > I can't hard-wire the route; sometimes packets will come from
> > web and sometimes they will come from xerxes, which
> > is why I have mac_route added to the firewall:
> >
> > [root at dodo firewall]# cat mac_route
> > iptables -t mangle -A PREROUTING -m mac --mac-source 00:02:E3:02:C8:8F \
> >                   -j MARK --set-mark 3
> >
> > iptables -t mangle -A PREROUTING -m mac --mac-source 00:40:F4:2D:AF:5C \
> >                   -j MARK --set-mark 2
> > [root at dodo firewall]#
> >
> > The following is route_web.bash:
> >
> > #!/bin/bash
> > #
> > PATH=/sbin:/usr/bin
> >
> > # Get line count PREROUTING -t mangle...
> > line_count=`iptables -nvL PREROUTING -t mangle|wc -l|tr -d ' '`
> > let line_count-=2
> >
> > if [ "$line_count" == "2" ]
> > then
> >      iptables -t mangle -I PREROUTING 3 -j MARK --set-mark 2
> > else
> >      iptables -t mangle -R PREROUTING 3 -j MARK --set-mark 2
> > fi
> >
> > The following is route_xerxes.bash:
> >
> > #!/bin/bash
> > #
> > PATH=/sbin:/usr/bin
> >
> > # Get line count PREROUTING -t mangle...
> > line_count=`iptables -nvL PREROUTING -t mangle|wc -l|tr -d ' '`
> > let line_count-=2
> >
> > if [ "$line_count" == "2" ]
> > then
> >      iptables -t mangle -I PREROUTING 3 -j MARK --set-mark 3
> > else
> >      iptables -t mangle -R PREROUTING 3 -j MARK --set-mark 3
> > fi
> >
> > The following is the portion of the firewall that manipulates the
> > routing tables:
> >                  ...
> >     export lan_net="192.168.1.0/24"
> >                  ...
> >             export w1nweb="192.168.3.18"
> >             export w1nxer="192.168.3.2"
> >
> > ip route flush table 2
> > ip route flush table 3
> >
> > ip route add $lan_net dev eth0 via $w1nweb table 2
> > ip route add $lan_net dev eth0 via $w1nxer table 3
> >
> > ip rule add fwmark 2 table 2
> > ip rule add fwmark 3 table 3
> >
> > As far as traceroute goes, "Network is unreachable" doesn't seem traceable.
> >
> > Another routing table can get used, the problem is that the MARK
> > applied to packets in the PREROUTING chain of the mangle table
> > never seems to trigger use of the appropriate table.  I'm beginning
> > to wonder if there is some sysctl option breaking this or something
> > similar.
> >
> > _______________________________________________
> > PLUG mailing list
> > PLUG at lists.pdxlinux.org
> > http://lists.pdxlinux.org/mailman/listinfo/plug
> >
>
>
> Well, I'm glad you included more information, but like Mike, your situation
> is now way over my head. I agree with him that it would be in your best
> interests to attempt to simplify your network configuration. But, if this is
> the way you need it to be, then you should be prepared for this kind of
> consequence that occurs naturally as a result of complexity.
>
> -wes
>

Why not just add a route statement in one of your startup scripts? It's a
kludgy hack but it gets the job done.

Drew-
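The rule and table listings quoted above, walked the way the kernel walks them, as an added example that is not code from the thread: rules are tried in priority order, a rule with a fwmark selector is skipped unless the packet carries that mark, and a table with no matching prefix falls through to the next rule. The sample listings are constructed from the outputs quoted in the thread and trimmed; the resolver handles only "from all" rules with an optional fwmark and ignores source, iif and other selectors (an assumption of this example).

```python
import ipaddress
import re

# Constructed sample listings modelled on the outputs quoted in the thread (trimmed).
RULES = """\
0:      from all lookup local
32764:  from all fwmark 0x3 lookup 3
32765:  from all fwmark 0x2 lookup 2
32766:  from all lookup main
32767:  from all lookup 253
"""
TABLES = {
    "local": "local 192.168.3.1 dev eth0  proto kernel  scope host  src 192.168.3.1\n",
    "3": "192.168.1.0/24 via 192.168.3.2 dev eth0\n",
    "2": "192.168.1.0/24 via 192.168.3.18 dev eth0\n",
    "main": "192.168.3.0/28 dev eth0  proto kernel  scope link  src 192.168.3.1\n"
            "192.168.0.0/24 dev eth1  scope link\n",
}
RULE_RE = re.compile(r"^\d+:\s+from all(?: fwmark (0x[0-9a-f]+))? lookup (\S+)$")

def parse_rules(text):
    # Return [(fwmark or None, table)] in priority order; other selectors unhandled (assumption).
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1), 16) if m.group(1) else None, m.group(2)))
    return rules

def parse_routes(text):
    # Return [(network, via or None, dev)] for one table's listing.
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] in ("local", "broadcast", "unreachable", "blackhole"):
            tok = tok[1:]  # route type comes first, then the destination
        if tok:
            via = tok[tok.index("via") + 1] if "via" in tok else None
            dev = tok[tok.index("dev") + 1] if "dev" in tok else None
            routes.append((ipaddress.ip_network(tok[0], strict=False), via, dev))
    return routes

def resolve(dst, fwmark, rules, tables):
    # First applicable rule whose table holds a longest-prefix match wins; a
    # table with no match (or an absent table such as 253) falls through.
    addr = ipaddress.ip_address(dst)
    for mark, table in rules:
        if mark is not None and mark != fwmark:
            continue
        hits = [r for r in parse_routes(tables.get(table, "")) if addr in r[0]]
        if hits:
            return (table,) + max(hits, key=lambda r: r[0].prefixlen)[1:]
    return None  # the kernel reports "Network is unreachable"
```

With no mark the walk ends in main, which has no 192.168.1.0/24 entry, so the result is the "Network is unreachable" the ping reported. A ping issued on the router itself is locally generated and traverses the mangle OUTPUT chain, not PREROUTING, so the MAC-source marks never apply to it; only forwarded packets from web or xerxes exercise tables 2 and 3.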
