This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

2 I*net conn&source policy routing:ASL4 OK-ASL5 KO

Hi guy, here it is a good problem, a lot of time discussed here but
without a good solution, that I found for ASL V.4.
Now I'm using:
ASL 5.100 with full service (IP,SF,etc..)
4 nic: 1 internal, 1 dmz and two nic external (2 connection to xDSL:
xDSLA and xDSLB with two router)

I could use with ASL V.4 source ip route policy without problem, sò a
branch of my lan could use xDSL A and the other xDSL B.

My problem with ASL5.100 is that every x minutes (x very low, only two or
three minutes) checking mangle table I can see that my script settings are lost.

I can not understand which service is doing sò and how can I avoid this.
Anyone can help me ???

--------------------------------------------------------------------------------
Here it is my script:
Normally default route is 192.168.100.1, adding a new table (200) and marking
packet for using that ip route policy table, where default route is 192.168.101.1
--------------------------------------------------------------------------------
fw5:/etc/init.d # cat /var/mdw/scripts/routes_personalized.sh

/sbin/ip rule del fwmark 2 table 200
/sbin/ip route del default via 192.168.101.1 dev eth0 table 200

/usr/sbin/iptables -D PREROUTING -t mangle -s  -j MARK  --set-mark 2
/usr/sbin/iptables -D PREROUTING -t mangle -s  -j MARK  --set-mark 2
/usr/sbin/iptables -D PREROUTING -t mangle -s  -j MARK  --set-mark 2
/usr/sbin/iptables -D PREROUTING -t mangle -s  -j MARK  --set-mark 2

/usr/sbin/iptables -A PREROUTING -t mangle -s  -j MARK  --set-mark 2
/usr/sbin/iptables -A PREROUTING -t mangle -s  -j MARK  --set-mark 2
/usr/sbin/iptables -A PREROUTING -t mangle -s  -j MARK  --set-mark 2
/usr/sbin/iptables -A PREROUTING -t mangle -s  -j MARK  --set-mark 2

/sbin/ip rule add fwmark 2 table 200
/sbin/ip route add default via 192.168.101.1 dev eth0 table 200
/sbin/ip route add router1network dev eth1 scope link table 200
/sbin/ip route add router2network dev eth0 scope link table 200
/sbin/ip route add dmznetwork dev eth2 scope link table 200
/sbin/ip route add lan-network dev eth3 scope link table 200
/sbin/ip route add 127.0.0.0/8 dev lo scope link table 200
/sbin/ip route flush cache

--------------------------------------------------------------------------------
Before running this script I check tha mangle table:
--------------------------------------------------------------------------------
fw5:/etc/init.d # iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            state RELATED helper match "ftp" LOG level info prefix `FTP_DATA: '

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
SET_PRIO_HIGH  tcp  --  anywhere             anywhere            tcp flags:ACK/ACK length 50:100
SET_PRIO_HIGH  all  --  anywhere             anywhere            TOS match Minimize-Delay
SET_PRIO_HIGH  icmp --  anywhere             anywhere

Chain SET_PRIO_HIGH (3 references)
target     prot opt source               destination
CLASSIFY   all  --  anywhere             anywhere            CLASSIFY set 0:8
ACCEPT     all  --  anywhere             anywhere

Chain SET_PRIO_LOW (0 references)
target     prot opt source               destination
CLASSIFY   all  --  anywhere             anywhere            CLASSIFY set 0:5
ACCEPT     all  --  anywher              anywhere

--------------------------------------------------------------------------------
Then run the script:
--------------------------------------------------------------------------------
fw5:/etc/init.d # /var/mdw/scripts/routes_personalized.sh

--------------------------------------------------------------------------------
Check tha mangle table: now I can see my p.r.
--------------------------------------------------------------------------------
fw5:/etc/init.d # iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            state RELATED helper match "ftp" LOG level info prefix `FTP_DATA: '
MARK       all  --   anywhere            MARK set 0x2
MARK       all  --   anywhere            MARK set 0x2
MARK       all  --   anywhere            MARK set 0x2
MARK       all  --   anywhere            MARK set 0x2

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
SET_PRIO_HIGH  tcp  --  anywhere             anywhere            tcp flags:ACK/ACK length 50:100
SET_PRIO_HIGH  all  --  anywhere             anywhere            TOS match Minimize-Delay
SET_PRIO_HIGH  icmp --  anywhere             anywhere

Chain SET_PRIO_HIGH (3 references)
target     prot opt source               destination
CLASSIFY   all  --  anywhere             anywhere            CLASSIFY set 0:8
ACCEPT     all  --  anywhere             anywhere

Chain SET_PRIO_LOW (0 references)
target     prot opt source               destination
CLASSIFY   all  --  anywhere             anywhere            CLASSIFY set 0:5
ACCEPT     all  --  anywhere             anywhere

--------------------------------------------------------------------------------
Wait for some minutes (about 2-5) and check againg mangle table:
--------------------------------------------------------------------------------
fw5:/etc/init.d # iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            state RELATED helper match "ftp" LOG level info prefix `FTP_DATA: '

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
SET_PRIO_HIGH  tcp  --  anywhere             anywhere            tcp flags:ACK/ACK length 50:100
SET_PRIO_HIGH  all  --  anywhere             anywhere            TOS match Minimize-Delay
SET_PRIO_HIGH  icmp --  anywhere             anywhere

Chain SET_PRIO_HIGH (3 references)
target     prot opt source               destination
CLASSIFY   all  --  anywhere             anywhere            CLASSIFY set 0:8
ACCEPT     all  --  anywhere             anywhere

Chain SET_PRIO_LOW (0 references)
target     prot opt source               destination
CLASSIFY   all  --  anywhere             anywhere            CLASSIFY set 0:5
ACCEPT     all  --  anywhere             anywhere

--------------------------------------------------------------------------------
Arrrrrrgggg: As you can see.....All my settings are lost!

Thanks for every suggestion...
Anty

This thread was automatically locked due to age.

Parents

0 ANTY over 20 years ago

Ehi, is out of there someone considering my question?
Cancel
Vote Up 0 Vote Down

Cancel
0 SecApp over 20 years ago in reply to ANTY

Your post got lost in the fray.

Look at routes.local in this Astaro documentation

Take note of their disclaimer...

If you don't want their routes in play, you will have to delete them from the context of this script..

Things get tricky if you are supporting VPN; Astaro adds routes for VPN links as needed, so you have to think about how your routes might interact.

Log your routes (use Bash's >> operator) to follow what is going on...
Cancel
Vote Up 0 Vote Down

Cancel
0 ANTY over 20 years ago in reply to SecApp

Thanks SecApp, but it dosn't work.
it worked for ASL 4, but now I'm using ASL 5.100.
Look @ doc.:

Insert the rules into /sbin/init.d/routes.local

opppsss, in ASL 5 /sbin/init.d don't exist!

Any idea?
Anty
Cancel
Vote Up 0 Vote Down

Cancel
0 SecApp over 20 years ago in reply to ANTY

I seem to remember that init.d was a symbolic link to the directory with Linux's startup scripts.

I am on the road with a simple handheld, so I can't take a look right now; somebody know where that is on 5??
Cancel
Vote Up 0 Vote Down

Cancel
0 ANTY over 20 years ago in reply to SecApp

ASL4 and ASL5 are based on a different linux distro.
Infact in ASL 5 there is a /etc/init.d
I have followed the doc. instructions but it doesn't work correctly. Infact I can see that ip route policy is correctly changed, but the mangle table is not always correct... There is a process interferring with all this, but I can not understand which.
I have seen that when I change someting related to network in webadmin, routes.local is executed and after some seconds mangle table is ok.
But looking @ system.log I can see that when it is executed something like "2005:01:28-10:00:00 (none) /usr/sbin/cron[303]: (*system*) RELOAD (/etc/crontab)" then I can no more see my correct mangle table.
Any help apprecied.
Bye, Anty.
Cancel
Vote Up 0 Vote Down

Cancel
0 ANTY over 20 years ago in reply to ANTY

With such script:
----------------------------------------------------------------------
/sbin/ip rule del from x.x.x.x table 200
/sbin/ip rule del from x.x.x.x table 200
/sbin/ip rule del from x.x.x.x table 200
/sbin/ip rule del from x.x.x.x table 200

/sbin/ip rule add from x.x.x.x table 200
/sbin/ip rule add from x.x.x.x table 200
/sbin/ip rule add from x.x.x.x table 200
/sbin/ip rule add from x.x.x.x table 200

/sbin/ip route add default via 192.168.101.1 dev eth0 table 200
/sbin/ip route add 192.168.100.0/24 dev eth1 scope link table 200
/sbin/ip route add 192.168.101.0/24 dev eth0 scope link table 200
/sbin/ip route add 192.168.119.0/24 dev eth2 scope link table 200
/sbin/ip route add 192.168.114.0/24 dev eth3 scope link table 200
/sbin/ip route add 192.168.109.0/24 dev eth3 scope link table 200
/sbin/ip route add 127.0.0.0/8 dev lo scope link table 200
/sbin/ip route flush cache
----------------------------------------------------------------------
all seems to work.
Only when working with mangle table I have such problem...
I will test more...
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 ANTY over 20 years ago in reply to ANTY

With such script:
----------------------------------------------------------------------
/sbin/ip rule del from x.x.x.x table 200
/sbin/ip rule del from x.x.x.x table 200
/sbin/ip rule del from x.x.x.x table 200
/sbin/ip rule del from x.x.x.x table 200

/sbin/ip rule add from x.x.x.x table 200
/sbin/ip rule add from x.x.x.x table 200
/sbin/ip rule add from x.x.x.x table 200
/sbin/ip rule add from x.x.x.x table 200

/sbin/ip route add default via 192.168.101.1 dev eth0 table 200
/sbin/ip route add 192.168.100.0/24 dev eth1 scope link table 200
/sbin/ip route add 192.168.101.0/24 dev eth0 scope link table 200
/sbin/ip route add 192.168.119.0/24 dev eth2 scope link table 200
/sbin/ip route add 192.168.114.0/24 dev eth3 scope link table 200
/sbin/ip route add 192.168.109.0/24 dev eth3 scope link table 200
/sbin/ip route add 127.0.0.0/8 dev lo scope link table 200
/sbin/ip route flush cache
----------------------------------------------------------------------
all seems to work.
Only when working with mangle table I have such problem...
I will test more...
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 SecApp over 20 years ago in reply to ANTY

Do you have NAT or masquerading rules in play?
Cancel
Vote Up 0 Vote Down

Cancel
0 ANTY over 20 years ago in reply to SecApp

Yes, I have different type of NAT depending on the source address group. But now the things seems to work; only working with mangle table dont' work.
And this because there is some process that rewrite mangle table without restarting /etc/init.d/routes.local
Or perhaps I need to put my personalized mangle definition somewhere else?
Thanks SecApp!
Cancel
Vote Up 0 Vote Down

Cancel
0 SecApp over 20 years ago in reply to ANTY

ipnat.local
Cancel
Vote Up 0 Vote Down

Cancel
0 ANTY over 20 years ago in reply to SecApp

Thanks for this information SecApp,
I have tried it, putting iptables command for modifing mangle table in ipnat.local, but it doesn't seem to work.
I will re-test it again when I will be able to restart the firewall...
Thanks again, Anty
Cancel
Vote Up 0 Vote Down

Cancel