Friday, 15 February 2013

Policy routing script doesn't work on Ubuntu

We've recently switched a gateway server from Debian to Ubuntu and, to my greatest surprise, my neat little policy routing script doesn't work on it.
The issue is almost the same as the one detailed here:
http://unix.stackexchange.com/questions/58635/iptables-set-mark-route-diferent-ports-through-different-interfaces
I've found an interesting comment there:
Remember that Ubuntu enables reverse path filtering by default. Reverse path filtering works as follows: When the kernel receives a packet (may it be forwarded or not) from an interface A, it will invert the source address and the destination address, and check if the resulting packet should be routed through interface A. If it isn't, the packet is dropped as an address spoofing attempt. For packets received from eth0, this is not a problem. For packets received from eth1, this is also not a problem, because when reversing the source ip address and the destination ip address, the kernel will hit the default route in table main. For packets received from eth2, which you do not mark, this is a problem, because the kernel will hit the default route in table main, and consider that these packets should have been received from eth1.

Wow, that would explain the problem. My existing script looked like this:

PPP0GW=`ifconfig | grep -A1 ppp0 | tail -1 | cut -d : -f3 | cut -d ' ' -f1`
ip ru add fwmark 2 table adsl
#ip route flush table adsl
ip route add table adsl $PPP0GW dev ppp0 src 188.6.X.X
ip route add table adsl default via $PPP0GW
ip rule add from 188.6.X.X table adsl

...and I added the following to it:

echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 > $f ; done
echo 0 > /proc/sys/net/ipv4/route/flush
ip route flush cache # just to make sure

Still no good. No solution yet, I just wanted to record (and postpone) it until next week.

UPDATE: it's getting weirder and weirder. As you can see in my command
IPTABLES -t mangle -A PREROUTING -i eth1 -p tcp ! -d [SKIP-THIS-IP] -m multiport --dports 80,443,3389,[etc] -j MARK --set-mark 2
we have several ports to redirect. Now all of the ports are working except some of them, usually 80 and 443.

UPDATE2: It turned out that we had a tricky little script here that always echoed a "1" into /proc/sys/net/ipv4/conf/all/rp_filter. All the other interfaces' reverse path filter settings remained 0, but this "all = 1" was enough to interrupt the traffic on ports 80/443. God knows why it affected only those.
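The check I would add to a script like this, as an added example and not code from the post: the kernel applies the maximum of conf/all/rp_filter and conf/<iface>/rp_filter to each interface, so a per-interface 0 is silently overridden by all=1. It runs against a constructed stand-in directory; point it at /proc/sys/net/ipv4/conf to audit a live gateway.

```shell
#!/bin/sh
# The kernel applies max(conf/all/rp_filter, conf/<iface>/rp_filter) to each
# interface, so "all = 1" re-enables reverse path filtering everywhere even
# when every per-interface rp_filter file still reads 0.

# effective_rp_filter CONFDIR IFACE: print the value the kernel actually uses
effective_rp_filter() {
    all=$(cat "$1/all/rp_filter")
    own=$(cat "$1/$2/rp_filter")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# report_rp_filter CONFDIR: one line per interface, "iface own effective"
report_rp_filter() {
    for d in "$1"/*/; do
        iface=$(basename "$d")
        case "$iface" in all|default) continue ;; esac
        echo "$iface $(cat "$d/rp_filter") $(effective_rp_filter "$1" "$iface")"
    done
}

# count_overridden CONFDIR: number of interfaces whose own setting is being
# overridden by conf/all (the situation that broke the policy routing above)
count_overridden() {
    report_rp_filter "$1" | awk '$2 != $3 { n++ } END { print n + 0 }'
}

# make_fake_conf: constructed stand-in for /proc/sys/net/ipv4/conf with the
# post's misconfiguration (all=1, every interface 0); prints its path
make_fake_conf() {
    dir=$(mktemp -d)
    for i in all default eth0 eth1 ppp0; do
        mkdir -p "$dir/$i"
        echo 0 > "$dir/$i/rp_filter"
    done
    echo 1 > "$dir/all/rp_filter"
    echo "$dir"
}

# Demo on the constructed tree; use /proc/sys/net/ipv4/conf on a real gateway.
FAKE=$(make_fake_conf)
report_rp_filter "$FAKE"
echo "interfaces silently filtered because of conf/all: $(count_overridden "$FAKE")"
rm -rf "$FAKE"
```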
