iptables - MAC routing

Hi all,

I have a solution where a system can have multiple physical interfaces but a single IP address. I am looking to insert a Squid proxy (that will also perform source NAT), but the return packets must go back to the correct interface.

Client network is 10.x.x.x
Network between the gateway and the squidbox (where I am trying to install this routing) is 2.0.0.0/24
Squid box has eth2 with no IP address (0.0.0.0)
Bridge interface br0 with eth2 as a member and IP address 2.0.0.2/24
The squidbox then has a second interface, eth3, on a public IP

default route is via eth3

add a route back to the client network:

ip ro add 10.1.1.0/24 via 2.0.0.2

# mark frames arriving from the gateway MAC and copy the mark into conntrack
iptables -t mangle -A PREROUTING -m mac --mac-source aa:aa:aa:aa:aa:aa -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
# copy the connection mark back onto outgoing packets
iptables -t mangle -A POSTROUTING -j CONNMARK --restore-mark

# rewrite the destination MAC of locally generated TCP frames carrying mark 1
ebtables -t nat -A OUTPUT -p ipv4 --ip-proto tcp --mark 1 -j dnat --to-destination aa:aa:aa:aa:aa:aa

iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE

[root]# cat /proc/net/nf_conntrack
ipv4     2 tcp      6 58 SYN_RECV src=10.1.1.80 dst=212.58.246.91 sport=1864 dport=80 src=212.58.246.91 dst=10.1.1.55 sport=80 dport=1864 mark=0 secmark=0 use=2

The issue seems to be that the mark is not being restored; a tcpdump on the interfaces shows the flows being forwarded correctly, but without the MAC mangling taking place.

Any thoughts on where I am going wrong?

I don't really understand the point of having a bridge with only one member.

If a connection passes through squid, it will lose any fancy network markings unless you instruct squid itself to add them somehow.

I am hoping that the bridge will give me access to ebtables, which allows the mangling of the MAC. In this case it's more of a logical interface.

Sounds like something we did to avoid manual router config for odd IP destinations: add entries to the ARP server on any local host so that packets to an additional IP device installed in a host on the local net would be directed to that host's local-net IP/MAC. Once these packets rise through the Ethernet layer into the IP stack, it recognizes them as local and delivers them without IP forwarding.

I believe I have found the solution using shorewall, and replicated it using iptables.

The following config seems to yield results; however, I have not been able to find any good description of the use of nfmask and ctmask.

# POSTROUTING: if the low byte of the packet mark is still zero, copy the low
# byte of the connection mark into it, then stop traversing the chain
iptables -t mangle -A POSTROUTING -m mark --mark 0x0/0xff -j CONNMARK --restore-mark --nfmask 0xff --ctmask 0xff
iptables -t mangle -A POSTROUTING -m mark ! --mark 0x0/0xff -j RETURN

# PREROUTING: mark frames from the gateway MAC, save the low byte of the mark
# into the connection mark, then stop traversing the chain
iptables -t mangle -A PREROUTING -m mac --mac-source aa:aa:aa:aa:aa:aa -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -m mark ! --mark 0x0/0xff -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
iptables -t mangle -A PREROUTING -m mark ! --mark 0x0/0xff -j RETURN

# ebtables: rewrite the destination MAC of locally generated TCP frames carrying mark 2
ebtables -t nat -A OUTPUT -p IPv4 --ip-proto tcp --mark 2 -j dnat --to-dst aa:aa:aa:aa:aa:aa --dnat-target ACCEPT

Does anyone have a good description (or a link to one)?
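The two rule sets posted in this thread (the first attempt, and the nfmask/ctmask version in the last message) can be reasoned about without a kernel. The script below is an added example, not code from any of the posters: it models the CONNMARK --save-mark and --restore-mark arithmetic exactly as documented in iptables-extensions(8), and walks one connection through the mangle rules of the last post. It assumes that the reply to the client travels on the same conntrack entry as the client's request (the only case in which --restore-mark can recover the mark at all); the connection-mark value 0x100, standing for a bit some other tool might own, is constructed for the illustration, and the file name is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: model CONNMARK mask arithmetic and the
# posted mangle rules with plain shell integers, so no root or netfilter is needed.
# Formulas as documented in iptables-extensions(8) for the CONNMARK target:
#   --save-mark:    ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)
#   --restore-mark: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)
# Both masks default to 0xffffffff when not given on the command line.

# connmark_save NFMARK CTMARK [NFMASK] [CTMASK]  -> prints the new connection mark
connmark_save() {
    nfmark=$1 ctmark=$2 nfmask=${3:-0xffffffff} ctmask=${4:-0xffffffff}
    echo $(( (ctmark & ~ctmask) ^ (nfmark & nfmask) ))
}

# connmark_restore NFMARK CTMARK [NFMASK] [CTMASK]  -> prints the new packet mark
connmark_restore() {
    nfmark=$1 ctmark=$2 nfmask=${3:-0xffffffff} ctmask=${4:-0xffffffff}
    echo $(( (nfmark & ~nfmask) ^ (ctmark & ctmask) ))
}

# mark_matches MARK VALUE MASK  -> true when "-m mark --mark VALUE/MASK" matches,
# i.e. when (MARK & MASK) == VALUE
mark_matches() {
    [ $(( $1 & $3 )) -eq $(( $2 )) ]
}

# simulate FROM_MARKED_MAC CTMARK  -> prints "<nfmark on the reply> <final ctmark>"
# Walks one connection through the last post's rules. FROM_MARKED_MAC is 1 when
# the first frame came from aa:aa:aa:aa:aa:aa. CTMARK is whatever the connection
# mark already holds (constructed: 0x100 stands for a bit another tool might own).
# Assumes the reply to the client belongs to the same conntrack entry as the
# request, which is the only case in which --restore-mark can recover anything.
simulate() {
    from_mac=$1 ctmark=$(( $2 )) nfmark=0

    # PREROUTING: -m mac --mac-source aa:aa:aa:aa:aa:aa -j MARK --set-mark 2
    if [ "$from_mac" -eq 1 ]; then nfmark=2; fi
    # PREROUTING: -m mark ! --mark 0x0/0xff -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
    if ! mark_matches "$nfmark" 0x0 0xff; then
        ctmark=$(connmark_save "$nfmark" "$ctmark" 0xff 0xff)
    fi
    # (the RETURN rules only end chain traversal; nothing follows them here)

    # The reply is generated locally by squid and starts out with no packet mark.
    nfmark=0
    # POSTROUTING: -m mark --mark 0x0/0xff -j CONNMARK --restore-mark --nfmask 0xff --ctmask 0xff
    if mark_matches "$nfmark" 0x0 0xff; then
        nfmark=$(connmark_restore "$nfmark" "$ctmark" 0xff 0xff)
    fi
    # This nfmark is what the ebtables rule "--mark 2 -j dnat" gets to see.
    echo "$nfmark $ctmark"
}

# Stand-alone demonstration with constructed values.
echo "save 2 into ctmark 0x100, masks 0xff    : $(connmark_save 2 0x100 0xff 0xff)"          # 258 = 0x102
echo "save 2 into ctmark 0x100, no masks      : $(connmark_save 2 0x100)"                    # 2, the 0x100 bit is lost
echo "restore from 0x102 into nfmark 0x1000   : $(connmark_restore 0x1000 0x102 0xff 0xff)"  # 4098 = 0x1002
echo "ruleset, first frame from marked MAC    : $(simulate 1 0x100)"                         # 2 258
echo "ruleset, first frame from another MAC   : $(simulate 0 0x100)"                         # 0 256
```

Run it as `sh connmark_model.sh` (file name assumed). With `--nfmask 0xff --ctmask 0xff` the routing mark is confined to the low byte, so any bits above it in either the packet mark or the connection mark survive a save or a restore; with the default masks the save overwrites the whole connection mark. The `-m mark --mark 0x0/0xff` tests in the rules are the same masked comparison, matching whenever the low byte is zero.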