[CentOS] Routing issue

Steve Clark sclark at netwolves.com
Thu Sep 27 15:25:30 UTC 2012


On 09/27/2012 11:01 AM, Manish Kathuria wrote:
> On Thu, Sep 27, 2012 at 7:04 PM, Steve Clark <sclark at netwolves.com> wrote:
>> On 09/26/2012 11:57 PM, Manish Kathuria wrote:
>>
>> On Thu, Sep 27, 2012 at 7:46 AM, Gordon Messmer <yinyang at eburg.com> wrote:
>>
>> On 09/26/2012 09:15 AM, Steve Clark wrote:
> The routes-x.y-z.diff is a unified patch containing different parts
> which include support for Dead Gateway Detection as well.  However,
> since that is limited to the first hop, it is preferable to have a
> userspace script as you are doing. I also use a script to check the
> accessibility of a remote popular site from each of the ISPs and based
> upon the response the links are treated as alive or dead and the default
> gateway is changed. However, the routing problem as described by you
> will only be solved after applying this patch (routes-x.y-z.diff).
>
> As for marking the incoming packets to ensure that they go out from
> the same interface they came from, you could do something like the
> following:
>
> Using iptables, mark the incoming traffic from external interfaces:
>
> /sbin/iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> /sbin/iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
> /sbin/iptables -t mangle -A PREROUTING -i eth1 -j MARK  --set-mark 1
> /sbin/iptables -t mangle -A PREROUTING -i eth1 -j CONNMARK --save-mark
> /sbin/iptables -t mangle -A PREROUTING -i eth2 -j MARK  --set-mark 2
> /sbin/iptables -t mangle -A PREROUTING -i eth2 -j CONNMARK --save-mark
>
> Add the following rules to your existing ones for policy routing:
>
> /sbin/ip rule add fwmark 1 table T1
> /sbin/ip rule add fwmark 2 table T2
Hi Manish,

Thanks for the info. The one question I have is about

/sbin/iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

I thought the OUTPUT chain was only for packets originating locally. I am only concerned
with clients behind my Linux router; do I still need this?

Again, thanks much for responding.

-- 
Stephen Clark
*NetWolves*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark at netwolves.com
http://www.netwolves.com
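A complete two-ISP version of the setup quoted above, as an added example and not code from the thread: it adds the per-ISP routing tables that the quoted `ip rule` lines assume already exist, keeps the CONNMARK rule order from the quote, and prints the commands instead of applying them when DRY_RUN=1. Interface names and gateway addresses are assumed placeholders; the table names T1 and T2 are the thread's.

```shell
#!/bin/sh
# Constructed example: eth0 = LAN side, eth1 = ISP 1, eth2 = ISP 2.
# Gateway addresses are placeholders. T1 and T2 must be listed in
# /etc/iproute2/rt_tables for "table T1" / "table T2" to resolve.
ISP1_IF=eth1; ISP1_GW=203.0.113.1
ISP2_IF=eth2; ISP2_GW=198.51.100.1

# run(): execute the command, or only print it when DRY_RUN=1 so the
# generated rule set can be reviewed before touching a live router.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

policy_routing() {
    # One routing table per ISP, each with a default route via that ISP.
    run ip route replace default via "$ISP1_GW" dev "$ISP1_IF" table T1
    run ip route replace default via "$ISP2_GW" dev "$ISP2_IF" table T2
    # Packets carrying firewall mark N are routed with table TN.
    run ip rule add fwmark 1 table T1
    run ip rule add fwmark 2 table T2
}

connmark_rules() {
    # Restore the connection mark onto every packet before anything else, so
    # forwarded replies from LAN clients (arriving on eth0) carry the mark of
    # the connection they belong to and hit the matching ip rule above.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # OUTPUT is traversed only by packets the router itself generates, so this
    # rule serves router-originated traffic, not forwarded client traffic.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    # Traffic entering from an ISP link is marked with that link's number and
    # the mark is saved on the conntrack entry for the rest of the connection.
    for pair in "$ISP1_IF:1" "$ISP2_IF:2"; do
        ifc=${pair%%:*}; mark=${pair##*:}
        run iptables -t mangle -A PREROUTING -i "$ifc" -j MARK --set-mark "$mark"
        run iptables -t mangle -A PREROUTING -i "$ifc" -j CONNMARK --save-mark
    done
}

# show_rules(): print the full rule set without applying it.
show_rules() { ( DRY_RUN=1; policy_routing; connmark_rules ); }

# Apply only when explicitly asked; otherwise just show what would be run.
if [ "${1:-}" = apply ]; then policy_routing; connmark_rules; else show_rules; fi
```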


