# routing local traffic on iptables mark

## totatis

Hi all,

here is my problem: I have 2 outgoing internet connections. I would like to route my traffic over one or the other based on marks put in iptables.

For traffic coming from my internal network (to be forwarded), it is very easy: I mark the connection in the PREROUTING chain, and an iproute2 rule then chooses the right routing table based on this mark.

Now, for traffic coming from the box itself, I can't do the same thing. Since traffic generated on the local box goes through routing before touching iptables (in the OUTPUT chain), it's too late. I thought about the following setup:

1) traffic goes out through the OUTPUT chain, then the POSTROUTING chain, in which I DNAT the connection to loopback

2) traffic re-enters iptables via the loopback, in the PREROUTING chain. Trouble is, while it goes through mangle PREROUTING, it skips nat PREROUTING (as iptables already knows the connection), and I can't DNAT the connection again to rewrite the real destination (in this example, the destination is a single known host, so it would have been a single constant DNAT rule).

As my knowledge of iptables is limited, I can't figure out a way to mark locally generated traffic BEFORE routing so that I can route based on said mark.

Does anybody know how I could do this?

Thanks in advance.

----------

## gerdesj

Multi link routing is proper hard!

Have a look at this: pfSense - http://www.pfsense.org/ to see how it's done. You could run one up in KVM/QEMU.

Once you sort out the actual routing, you will also need to consider how to deal with a failed link. This needs very careful consideration. The correct way seems to be to run a daemon or a cron job to ping a known good target via each external link and then take action if it fails. You'll need static routes to the targets to ensure the right interface is used.

Have a look at http://apinger.jajcus.net/trac/ - Alarm pinger, for a handy pinging daemon. Can't see it in Portage.

I tried doing this a few years back and got stuck. However, I tried it without using fwmark and instead simply used policy-based routing. After many months of frustration, I gave up and use pfSense instead!

I found a large number of pages via Google when I last tried, with various recipes on them that never quite seemed to work. Perhaps it's time I tried again; you never know, there might be someone out there that got it running and documented it.

Sorry I have not actually answered your question.

Best of luck,

Jon

----------

## totatis

Thanks for the tips.

I found a workaround to my problem, which is a bit of a kludge but works.

Basically, for locally generated traffic, I send it to fictional IPs (for example 10.0.0.1 and 10.0.0.2 for separate routing of locally generated traffic towards the same host). I then make 2 iproute2 rules:

```sh
/sbin/ip route add 10.0.0.1/32 dev $TABLE1_IF table TABLE1
/sbin/ip route add 10.0.0.2/32 dev $TABLE2_IF table TABLE2
```

And I DNAT this traffic in POSTROUTING:

```sh
$IPTABLES -t nat -A OUTPUT -d 10.0.0.1 -j DNAT --to $REAL_DEST_IP
$IPTABLES -t nat -A OUTPUT -d 10.0.0.2 -j DNAT --to $REAL_DEST_IP
```

This means that I have to put 2 "separate" destinations in the application, but it then works. Should I want to route all towards one table, I just change the route of the fictional IP.

I haven't yet wandered into the dead link realm. What you describe (pinging via each interface) reminds me of the way IPMP works on Solaris. This is indeed a good way of doing it, and I'll try to implement this next. I'll look into the daemon you proposed.

Thanks for your reply.
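As an added example that is not part of the thread, the script below assembles totatis' fictional-IP workaround (the post above) into one complete ruleset and adds the per-uplink ping check that gerdesj suggested in the previous post. Only the two fictional addresses and the nat OUTPUT DNAT rules come from the thread; everything else is assumed: the table names isp1/isp2, the interface names, the TEST-NET addresses and gateways, the probe targets, the source-based `from` rules that tie each table to its ISP, and the `to` rules that make an unmarked local lookup reach the table holding the fictional host route. The source-based rules are what makes the trick hold together: the route to the fictional address decides which interface's address the socket gets as source, and when nat OUTPUT rewrites the destination the kernel re-runs the routing lookup for the packet, so the `from` rule then keeps it on the same uplink. The script prints the commands by default (DRY_RUN=1) so the ruleset can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not code from the thread. Assembles totatis' fictional-IP
# workaround into a complete ruleset and adds the per-uplink ping check that
# gerdesj described. Table names, interfaces, addresses (TEST-NET ranges) and
# probe targets are assumed placeholders; override them via the environment.

TABLE1=${TABLE1:-isp1}               # table names, must exist in /etc/iproute2/rt_tables
TABLE2=${TABLE2:-isp2}
TABLE1_IF=${TABLE1_IF:-eth1}         # uplink interfaces (assumed)
TABLE2_IF=${TABLE2_IF:-eth2}
TABLE1_IP=${TABLE1_IP:-192.0.2.10}   # this box's address on each uplink (constructed)
TABLE2_IP=${TABLE2_IP:-198.51.100.10}
TABLE1_GW=${TABLE1_GW:-192.0.2.1}    # each ISP's gateway (constructed)
TABLE2_GW=${TABLE2_GW:-198.51.100.1}
REAL_DEST_IP=${REAL_DEST_IP:-203.0.113.10}  # the real remote host (constructed)
FAKE1=10.0.0.1                       # fictional destinations, as in the thread
FAKE2=10.0.0.2
PROBE1=${PROBE1:-192.0.2.254}        # a known-good host behind each uplink (constructed)
PROBE2=${PROBE2:-198.51.100.254}
IPTABLES=${IPTABLES:-iptables}
DRY_RUN=${DRY_RUN:-1}                # 1 = print the commands, 0 = run them (needs root)

# run: in dry-run mode print the command instead of executing it, so the
# generated ruleset can be reviewed before it touches a live box.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Each uplink gets its own table with its own default route, selected by the
# source address. The fictional IPs are routed out of the wanted interface, so
# connect() picks that interface's address as source; when nat OUTPUT rewrites
# the destination the kernel re-runs the route lookup, and the source-based
# rule keeps the connection on the same ISP.
setup_policy_routing() {
    run ip route replace default via "$TABLE1_GW" dev "$TABLE1_IF" table "$TABLE1"
    run ip route replace default via "$TABLE2_GW" dev "$TABLE2_IF" table "$TABLE2"
    run ip rule add from "$TABLE1_IP" lookup "$TABLE1" priority 100
    run ip rule add from "$TABLE2_IP" lookup "$TABLE2" priority 101
    # The "to" rules are an assumption: they make an unmarked local lookup for a
    # fictional IP reach the table that holds totatis' host route for it.
    run ip rule add to "$FAKE1" lookup "$TABLE1" priority 90
    run ip rule add to "$FAKE2" lookup "$TABLE2" priority 91
    run ip route replace "$FAKE1"/32 dev "$TABLE1_IF" table "$TABLE1"
    run ip route replace "$FAKE2"/32 dev "$TABLE2_IF" table "$TABLE2"
    # The DNAT rules from the thread: rewrite the fictional target to the real host.
    run "$IPTABLES" -t nat -A OUTPUT -d "$FAKE1" -j DNAT --to-destination "$REAL_DEST_IP"
    run "$IPTABLES" -t nat -A OUTPUT -d "$FAKE2" -j DNAT --to-destination "$REAL_DEST_IP"
    run ip route flush cache
}

# check_link IFACE GATEWAY PROBE: pin a host route to the probe through this
# uplink (so the probe cannot leak out of the other one) and ping it via the
# interface. A non-zero exit means the link looks dead.
check_link() {
    run ip route replace "$3"/32 via "$2" dev "$1"
    run ping -q -c 3 -W 2 -I "$1" "$3"
}

# fail_over_to IFACE: repoint both fictional IPs at the surviving uplink, which
# is the thread's way of sending all local traffic through one table.
fail_over_to() {
    run ip route replace "$FAKE1"/32 dev "$1" table "$TABLE1"
    run ip route replace "$FAKE2"/32 dev "$1" table "$TABLE2"
}

# monitor_once: one health-check pass, suitable for cron. With both links up
# (or both down) nothing is changed.
monitor_once() {
    if check_link "$TABLE1_IF" "$TABLE1_GW" "$PROBE1"; then up1=1; else up1=0; fi
    if check_link "$TABLE2_IF" "$TABLE2_GW" "$PROBE2"; then up2=1; else up2=0; fi
    if [ "$up1" = 0 ] && [ "$up2" = 1 ]; then fail_over_to "$TABLE2_IF"
    elif [ "$up2" = 0 ] && [ "$up1" = 1 ]; then fail_over_to "$TABLE1_IF"
    fi
}

case "${1:-}" in
    setup) setup_policy_routing ;;
    check) monitor_once ;;
esac
```

`sh multilink.sh setup` prints the ruleset for review; `DRY_RUN=0 sh multilink.sh setup` applies it as root, and `DRY_RUN=0 sh multilink.sh check` from cron every minute or two gives the failover gerdesj asked for. The host routes to the probe targets are what keeps each ping on its own link; without them a probe could succeed over the wrong uplink and hide a dead one.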

----------

