Hi all,
I have a solution where a system can have multiple physical interfaces but a single IP address. I am looking to insert a Squid proxy (that will also perform source NAT), but the return packets must go back to the correct interface.
client network is 10.x.x.x
network between the gateway and squidbox (where I am trying to install this routing) is 2.0.0.0/24
Squid box has eth2 0.0.0.0
Bridge interface br0 with eth2 as a member and IP address 2.0.0.2/24
The Squidbox then has a second interface on public IP eth3
default route is via eth3
add a route back to the client network:
#ip ro add 10.1.1.0/24 via 2.0.0.2
iptables -A PREROUTING -t mangle -m mac --mac-source aa:aa:aa:aa:aa:aa -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -j CONNMARK --save-mark
iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark
ebtables -t nat -A OUTPUT -p ipv4 --ip-proto tcp --mark 1 -j dnat --to-destination aa:aa:aa:aa:aa:aa
iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE
[root]# cat /proc/net/nf_conntrack
ipv4 2 tcp 6 58 SYN_RECV src=10.1.1.80 dst=212.58.246.91 sport=1864 dport=80 src=212.58.246.91 dst=10.1.1.55 sport=80 dport=1864 mark=0 secmark=0 use=2
The issue seems to be that the mark is not being restored; a tcpdump on the interfaces shows the flows being forwarded correctly, but without the MAC mangling taking place.
Any thoughts on where I am going wrong?
I don't really understand the point of having a bridge with only one member.
If a connection passes through squid, it will lose any fancy network markings unless you instruct squid itself to add them somehow.
I am hoping that the bridge will give me access to ebtables, which allows the mangling of the MAC. In this case it's more of a logical interface.
Sounds like something we did to avoid manual router config for odd IP destinations: add entries to the ARP server on any local host so packets to an additional IP device installed in a host on the local net would be directed on that host's local net IP/MAC. Once these packets rise through the ethernet layer into the IP Stack, it recognizes them as local and delivers them without IP forwarding.
I believe I have bound the solution using shorewall, and replicated it using iptables.
The following config seems to yield results; however, I have not been able to find any good description of the use of nfmask and ctmask.
iptables -t mangle -A POSTROUTING -m mark --mark 0x0/0xff -j CONNMARK --restore-mark --nfmask 0xff --ctmask 0xff
iptables -t mangle -A POSTROUTING -m mark ! --mark 0x0/0xff -j RETURN
iptables -t mangle -A PREROUTING -m mac --mac-source aa:aa:aa:aa:aa:aa -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -m mark ! --mark 0x0/0xff -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
iptables -t mangle -A PREROUTING -m mark ! --mark 0x0/0xff -j RETURN
ebtables -t nat -A OUTPUT -p IPv4 --ip-proto tcp --mark 2 -j dnat --to-dst aa:aa:aa:aa:aa:aa --dnat-target ACCEPT
Does anyone have a good description (or a link to one)?
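Worked example, added here and not part of the thread: a small Python model of how CONNMARK's --save-mark and --restore-mark combine the packet mark (nfmark) and the connection mark (ctmark) under --nfmask and --ctmask, following the formulas in the iptables-extensions manual, run with the mark value (2) and masks (0xff) from the ruleset above. The high-byte values 0x100 and 0x300 are constructed to show that the 0xff masks leave the rest of the mark untouched.

```python
# Added example (not the poster's code): model of CONNMARK mask arithmetic.
# From the iptables-extensions manual:
#   --save-mark:    ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)
#   --restore-mark: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)
# Both masks default to 0xFFFFFFFF, i.e. the whole 32-bit mark is replaced.

MARK_BITS = 0xFFFFFFFF  # nfmark and ctmark are 32-bit unsigned values

def save_mark(nfmark, ctmark, nfmask=MARK_BITS, ctmask=MARK_BITS):
    """CONNMARK --save-mark: clear the ctmask bits of the ctmark, then XOR in
    the nfmask bits of the packet mark."""
    return ((ctmark & ~ctmask) ^ (nfmark & nfmask)) & MARK_BITS

def restore_mark(nfmark, ctmark, nfmask=MARK_BITS, ctmask=MARK_BITS):
    """CONNMARK --restore-mark: clear the nfmask bits of the packet mark, then
    XOR in the ctmask bits of the ctmark."""
    return ((nfmark & ~nfmask) ^ (ctmark & ctmask)) & MARK_BITS

def mark_matches(nfmark, value, mask=MARK_BITS):
    """-m mark --mark value/mask: true when the masked packet mark equals value.
    The ruleset's '--mark 0x0/0xff' therefore means 'low byte is still zero'."""
    return (nfmark & mask) == value

def thread_flow():
    """PREROUTING saves mark 2 (set on the client MAC) into the connection;
    a later packet of the same connection arrives with nfmark 0 and gets it back
    in POSTROUTING, exactly as the thread's 0xff-masked rules intend."""
    ct = save_mark(2, 0, nfmask=0xff, ctmask=0xff)           # ctmark -> 0x2
    later_packet = 0
    if mark_matches(later_packet, 0x0, 0xff):                # restore rule fires
        later_packet = restore_mark(later_packet, ct, nfmask=0xff, ctmask=0xff)
    return later_packet                                      # -> 2

def masks_keep_high_bits():
    """With both masks at 0xff only the low byte moves: constructed high-byte
    values (e.g. a mark left by another tool) survive save and restore."""
    ct = save_mark(2, 0x0100, nfmask=0xff, ctmask=0xff)      # -> 0x0102
    nf = restore_mark(0x0300, ct, nfmask=0xff, ctmask=0xff)  # -> 0x0302
    return ct, nf
```

With the default masks the same restore would replace the packet mark wholesale (restore_mark(0x300, 0x102) gives 0x102), which is why the masked form is needed when other rules also use the mark.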