Routing of iptables-marked packets.
Forum — Admin
Good afternoon. I have a router with two NICs connected to different ISPs and one to the local network. Here is the NIC configuration:
provider 1 (listed in rt_tables as P1):
IF1=eno33554960
IP1=192.168.5.69
GW1=192.168.5.90
NET1=192.168.5.0/24
provider 2 (listed in rt_tables as P2):
IF2=eno16777736
IP2=172.16.69.100
GW2=172.16.69.2
NET2=172.16.69.0/24
local network:
IF_LOCAL=eno50332184
IP_LOCAL=192.168.50.90
NET_LOCAL=192.168.50.0/24
[root@fedora ~]# ip route
default via 192.168.5.90 dev eno33554960
127.0.0.0/8 dev lo scope link
172.16.69.0/24 dev eno16777736 scope link src 172.16.69.100
192.168.5.0/24 dev eno33554960 scope link src 192.168.5.69
192.168.50.0/24 dev eno50332184 scope link
[root@fedora ~]# ip route show table P1
default via 192.168.5.90 dev eno33554960
127.0.0.0/8 dev lo scope link
172.16.69.0/24 dev eno16777736 scope link
192.168.5.0/24 dev eno33554960 scope link src 192.168.5.69
192.168.50.0/24 dev eno50332184 scope link
[root@fedora ~]# ip route show table P2
default via 172.16.69.2 dev eno16777736
127.0.0.0/8 dev lo scope link
172.16.69.0/24 dev eno16777736 scope link src 172.16.69.100
192.168.5.0/24 dev eno33554960 scope link
192.168.50.0/24 dev eno50332184 scope link
[root@fedora ~]# ip rule
0: from all lookup local
32734: from all fwmark 0x1 lookup P1
32735: from all fwmark 0x2 lookup P2
32736: from 192.168.5.69 lookup P1
32737: from 172.16.69.100 lookup P2
32766: from all lookup main
32767: from all lookup default
[root@fedora ~]# iptables -vL
Chain INPUT (policy ACCEPT 429 packets, 42872 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 930 packets, 602K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 327 packets, 54592 bytes)
pkts bytes target prot opt in out source destination
[root@fedora ~]# iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 223 packets, 12249 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 198 packets, 10968 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3 packets, 228 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any eno16777736 anywhere anywhere
25 1363 MASQUERADE all -- any eno33554960 anywhere anywhere
[root@fedora ~]# iptables -t mangle -vL
Chain PREROUTING (policy ACCEPT 1493 packets, 657K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 560 packets, 54913 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 930 packets, 602K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 417 packets, 63164 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1347 packets, 665K bytes)
pkts bytes target prot opt in out source destination
[root@fedora ~]# ip rule add from 192.168.50.150 table P2
[root@fedora ~]# ip rule
0: from all lookup local
32733: from 192.168.50.150 lookup P2
32734: from all fwmark 0x1 lookup P1
32735: from all fwmark 0x2 lookup P2
32736: from 192.168.5.69 lookup P1
32737: from 172.16.69.100 lookup P2
32766: from all lookup main
32767: from all lookup default
1 <1 ms <1 ms <1 ms 192.168.50.90
2 * <1 ms <1 ms 172.16.69.2
3 * * * Request timed out.
4 1 ms <1 ms <1 ms 192.168.0.1
5 4 ms 4 ms 4 ms 100.70.0.1
etc.
[root@fedora ~]# iptables -t mangle -A PREROUTING -s 192.168.50.150 -j MARK --set-mark 2
[root@fedora ~]# iptables -t mangle -vL
Chain PREROUTING (policy ACCEPT 82 packets, 6542 bytes)
pkts bytes target prot opt in out source destination
0 0 MARK all -- any any 192.168.50.150 anywhere MARK set 0x2
Chain INPUT (policy ACCEPT 79 packets, 6410 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 66 packets, 6568 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 66 packets, 6568 bytes)
pkts bytes target prot opt in out source destination
[root@fedora ~]# ip rule
0: from all lookup local
32734: from all fwmark 0x1 lookup P1
32735: from all fwmark 0x2 lookup P2
32736: from 192.168.5.69 lookup P1
32737: from 172.16.69.100 lookup P2
32766: from all lookup main
32767: from all lookup default
1 <1 ms <1 ms <1 ms 192.168.50.90
2 <1 ms <1 ms <1 ms 172.16.69.2
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
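The policy-routing decision behind both variants in the post (the `from 192.168.50.150` rule and the fwmark 0x2 rule), as an added example that is not part of the original post: a small Python model of the kernel's routing policy database (RPDB) walk, fed with the `ip rule` and `ip route show table ...` listings quoted above. The lookup logic is a simplified re-implementation for illustration, not kernel code; the destination 192.0.2.1 and the second LAN host 192.168.50.151 are constructed sample inputs.

```python
"""Model of the Linux RPDB lookup: rules in priority order, longest-prefix
match inside the selected table, fall-through on a table miss.
Added example; rules/tables copied from the forum post above."""
import ipaddress
import re

# `ip rule` output from the post after the mangle MARK rule replaced the
# source-based rule.
IP_RULE = """\
0:      from all lookup local
32734:  from all fwmark 0x1 lookup P1
32735:  from all fwmark 0x2 lookup P2
32736:  from 192.168.5.69 lookup P1
32737:  from 172.16.69.100 lookup P2
32766:  from all lookup main
32767:  from all lookup default
"""

# `ip rule` output from the post while `ip rule add from 192.168.50.150 table P2`
# was in place (the variant whose traceroute got past hop 2).
IP_RULE_BEFORE_MARK = "32733:  from 192.168.50.150 lookup P2\n" + IP_RULE

# Routing tables from the post. `local` and `default` are left empty here;
# a table miss makes the walk continue with the next rule, as in the kernel.
IP_ROUTE_TABLES = {
    "main": """\
default via 192.168.5.90 dev eno33554960
127.0.0.0/8 dev lo scope link
172.16.69.0/24 dev eno16777736 scope link src 172.16.69.100
192.168.5.0/24 dev eno33554960 scope link src 192.168.5.69
192.168.50.0/24 dev eno50332184 scope link
""",
    "P1": """\
default via 192.168.5.90 dev eno33554960
127.0.0.0/8 dev lo scope link
172.16.69.0/24 dev eno16777736 scope link
192.168.5.0/24 dev eno33554960 scope link src 192.168.5.69
192.168.50.0/24 dev eno50332184 scope link
""",
    "P2": """\
default via 172.16.69.2 dev eno16777736
127.0.0.0/8 dev lo scope link
172.16.69.0/24 dev eno16777736 scope link src 172.16.69.100
192.168.5.0/24 dev eno33554960 scope link
192.168.50.0/24 dev eno50332184 scope link
""",
    "local": "",
    "default": "",
}

RULE_RE = re.compile(
    r"(?P<prio>\d+):\s+from (?P<src>\S+)"
    r"(?:\s+fwmark (?P<mark>0x[0-9a-fA-F]+))?\s+lookup (?P<table>\S+)"
)


def parse_rules(text):
    """[(priority, source network or None, fwmark or None, table)], by priority."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised rule line: %r" % line)
        src = None if m["src"] == "all" else ipaddress.ip_network(m["src"], strict=False)
        mark = int(m["mark"], 16) if m["mark"] else None
        rules.append((int(m["prio"]), src, mark, m["table"]))
    return sorted(rules, key=lambda r: r[0])


def parse_routes(text):
    """[(destination network, gateway or None, device)] for one table."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dst = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0], strict=False)
        via = f[f.index("via") + 1] if "via" in f else None
        routes.append((dst, via, f[f.index("dev") + 1]))
    return routes


def longest_match(routes, dst):
    """Longest-prefix match inside a single table; None is a table miss."""
    best = None
    for net, via, dev in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def route_packet(src, dst, fwmark=0, rules=IP_RULE, tables=IP_ROUTE_TABLES):
    """Walk the RPDB and return (table, gateway, device) of the first hit."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    parsed = {name: parse_routes(body) for name, body in tables.items()}
    for _prio, src_net, mark, table in parse_rules(rules):
        if src_net is not None and src not in src_net:
            continue  # `from X` does not cover this source
        if mark is not None and mark != fwmark:
            continue  # `fwmark` rule, packet carries a different mark
        hit = longest_match(parsed.get(table, []), dst)
        if hit is not None:
            return table, hit[1], hit[2]
    return None  # nothing matched: the kernel would report "unreachable"


if __name__ == "__main__":
    # Marked in mangle PREROUTING: fwmark 0x2 selects P2 before `main` is consulted.
    print(route_packet("192.168.50.150", "192.0.2.1", fwmark=0x2))
    # Same client without the mark: falls through to `main`, i.e. provider 1.
    print(route_packet("192.168.50.150", "192.0.2.1"))
    # Source-based rule from the first attempt gives the same exit for this host only.
    print(route_packet("192.168.50.150", "192.0.2.1", rules=IP_RULE_BEFORE_MARK))
    print(route_packet("192.168.50.151", "192.0.2.1", rules=IP_RULE_BEFORE_MARK))
```

On the router itself the same decision can be read from the real RPDB with `ip route get 192.0.2.1 from 192.168.50.150 iif eno50332184 mark 2`, and `iptables -t mangle -vL` shows whether the MARK rule is actually firing (the listing in the post shows 0 packets on it at the moment it was taken, so it says nothing yet about live traffic). A mark set only by source address is also picked up by any packet that arrives on a WAN interface with that source forged; adding `-i eno50332184` to the MARK rule keeps the mark restricted to traffic that really entered from the LAN.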