Join Log in
Score:0
erfan mehralizadeh avatar Server

How to mark and separate connections?

us flag
erfan mehralizadeh

I have a issabel Linux (based on Centos 7) with 3 ethernet, and I want this scenario:

eth0 with IP 172.16.3.30/16 ----gw(172.16.0.1)----> (I want to use as Default Gateway)

eth1 with IP 10.1.5.102/30 -----gw(10.1.5.101)----> (mark connections to 10.10.10.10:5160 for send via 10.1.5.101 with own src(10.1.5.102))

eth2 with IP 10.1.5.106/30 -----gw(10.1.5.105)----> (mark connections to 10.10.10.10:5161 for send via 10.1.5.101 with own src(10.1.5.106))

attention : there is one same destination address! (10.10.10.10 but different port)

I am using this codes:

iptables -A OUTPUT -t mangle -p udp -d 10.10.10.10/32 --dport 5160 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -p udp -d 10.10.10.10/32 --dport 5161 -j MARK --set-mark 2
echo 100 sip102 >> /etc/iproute2/rt_tables
echo 101 sip106 >> /etc/iproute2/rt_tables
ip route add default dev eth1 table sip102
ip route add default dev eth2 table sip106
ip rule add from all fwmark 1 table sip102
ip rule add from all fwmark 2 table sip106

But SIP Trunks cannot be connect. (I was changed first two line to -A PREROUTING but not effected)

When I am trying to test table's route without marking with this:

ip rule add to 10.10.10.10 table sip102

I see one SIP trunk is connected (10.1.5.102 > 10.10.10.10:5160 Connected)

66
0 + 0
in flag
NiKiZe
Why do you want mark? you can use `ip rule` to do all this with source instead, you should also add some other routes to each of the tables. use tcpdump or similar tools to see what is going on, especially check for traffic comming back and make sure it goes back the right way.
0
Reply
erfan mehralizadeh avatar
us flag
erfan mehralizadeh
Because there is one dst. Address with different ports and only way to separate and manage connection is marking, is it possible to do this with ip rule?
0
Reply
in flag
NiKiZe
My bad, missed the port part, seeing many (other) questions where iptables is not needed. your routes still need the gw unless destination is on link, and again tcpdump and try to follow the traffic, and the replys.
0
Reply
erfan mehralizadeh avatar
us flag
erfan mehralizadeh
i can't use tcpdump because it's UDP (SIP)
0
Reply
in flag
NiKiZe
Not sure what you mean, tcpdump shows UDP, but feel free to use any packet capture tool you are comfy with, wireshark if you like UIs
0
Reply
Martin avatar
kz flag
Martin
I would use source based routing here. In my opinion the best approach, because that way, you do not have to mess with iptables at all... https://blog.scottlowe.org/2013/05/29/a-quick-introduction-to-linux-policy-routing/
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.