[bash] iptables iproute2 and multiple routes
转载自 http://aftermanict.blogspot.it/2015/11/bash-iptables-iproute2-and-multiple.html
I had the following scenario: 1 server + 1 NIC + several openvpn tunnels.
If your job is wasting time with precanned scripts, good luck.
I tried every guide, official or not, to make work iptables, ip route and ip rule in order to mark traffic, both with UBUNTU server 16 and CENTOS 7. No way.
This will make the kernel permanently route packets, enables multiple routes and even for networks not attested on the machine:
nano /etc/sysctl.conf
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
net.ipv4.ip_forward = 1
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 >| $f ; done
This will initialize iptables and in particular mangle and nat, which are needed for marking the traffic:
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
add the alternative routes editing:
nano /etc/iproute2/rt_tables
Add (names are your references):
1 tunnel0
2 tunnel1
add routes and rules, we use tables IDs instead of names which are more immediate. As you can notice, the gateway is unrelevant, expecially for tunnels which can have dynamic gateways:
ip route add 0.0.0.0/0 dev tun0 table 1
ip route add 0.0.0.0/0 dev tun1 table 2
add rules to mark traffic and bind to the corresponding table:
ip rule add from all fwmark 1 table 1
ip rule add from all fwmark 2 table 2
ip route flush cache
check if you like:
ip route show table 1
ip route show table 2
ip rule show
if you miss something, you can delete this way:
ip rule del table 1
ip route flush table 1
NOW THE MISSING PART:
THIS WONT WORK:
iptables -A PREROUTING -t mangle -p tcp –dport 80 -j MARK –set-mark 1
THIS WILL:
Do you need to select traffic and push it simultaneously in a device / tunnel? No problem, I solved this too:
iptables -A OUTPUT -t mangle -p tcp –dport 10001 -j MARK –set-mark 1
iptables -A OUTPUT -t mangle -p tcp –dport 10002 -j MARK –set-mark 2
iptables -t nat -A OUTPUT -p tcp –dport 10001 -j DNAT –to :80
iptables -t nat -A OUTPUT -p tcp –dport 10002 -j DNAT –to :80
NAT mandatory for reply
iptables -t nat -A POSTROUTING -o $DEV1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o $DEV2 -j MASQUERADE
iptables-save