ALT Linux sysadmins discussion
From: Olvin <olvin@rambler.ru>
To: ALT Linux sysadmin discuss <sysadmins@lists.altlinux.org>
Subject: Re: [Sysadmins] iptables and the ROUTE target
Date: Thu, 07 Aug 2008 19:08:03 +0300
Message-ID: <489B1DE3.4050505@rambler.ru>
In-Reply-To: <g7bkma$8n0$1@ger.gmane.org>

Pavel writes:
>>> unless I'm mistaken, in the mangle\OUTPUT chain
>> The main point is that it is "BEFORE".
> yes, but isn't the final routing decision made right before
> mangle POSTROUTING?
> 
> quote from http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TRAVERSINGOFTABLES
>> Table 6-2. Source local host (our own machine)
>> ...
>> 7. Routing decision, since the previous mangle and nat changes
>>    may have changed how the packet should be routed.

Hmm... Maybe I'm doing something wrong, but:

# su - user1
$ ping ya.ru
connect: Network is unreachable

Given that:

# iptables -nv -L OUTPUT -t mangle
Chain OUTPUT (policy ACCEPT 18M packets, 3038M bytes)
 pkts bytes target prot opt in  out  source     destination
17154 1425K MARK   0   --  *   *    0.0.0.0/0  0.0.0.0/0   MARK set 0x0
  453 23555 MARK   0   --  *   *    0.0.0.0/0  0.0.0.0/0   OWNER UID match 500 MARK set 0x1
    0     0 MARK   0   --  *   *    0.0.0.0/0  0.0.0.0/0   OWNER UID match 501 MARK set 0x2

(all other chains and tables are empty and default to ACCEPT)

# id user1
uid=500(user1) gid=500(user1) groups=500(user1)

# id user2
uid=501(user2) gid=501(user2) groups=501(user2)

# ip rule
0:      from all lookup local
11:     from all to 10.0.0.0/8 lookup main
12:     from all to 172.16.0.0/12 lookup main
13:     from all to 192.168.0.0/16 lookup main
101:    from all fwmark 0x1 lookup 101
102:    from all fwmark 0x2 lookup 102
32766:  from all lookup main
32767:  from all lookup default

# ip route show table 101
default dev ppp0  scope link

# ip route show table 102
default dev ppp10  scope link

# ip route show table main
91.149.162.1 dev ppp0  proto kernel  scope link  src 91.149.162.33
91.149.162.1 dev ppp10  proto kernel  scope link  src 91.149.156.103
10.12.7.0/24 dev homelan  proto kernel  scope link  src 10.12.7.254
169.254.0.0/16 dev homelan  scope link
192.168.0.0/16 via 10.12.7.1 dev homelan
172.16.0.0/12 via 10.12.7.1 dev homelan
10.0.0.0/8 via 10.12.7.1 dev homelan
224.0.0.0/4 dev homelan  scope link

# ip a
2: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
6: homelan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
     link/ether 00:1c:f0:c7:c1:e8 brd ff:ff:ff:ff:ff:ff
     inet 10.12.7.254/24 brd 10.12.7.255 scope global homelan
13: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast qlen 3
     link/ppp
     inet 91.149.162.33 peer 91.149.162.1/32 scope global ppp0
15: ppp10: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast qlen 3
     link/ppp
     inet 91.149.156.103 peer 91.149.162.1/32 scope global ppp10

But as soon as I run "ip route add default dev ppp0 table main", it starts
pinging right away. Yet that does not achieve the goal... I would be very
grateful if you pointed out where I went wrong.

Just in case: user1 must reach the internet only via ppp0, user2 only via
ppp10, and both must have access to the local network via homelan.
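An added model of the lookup discussed above, written for this page and not taken from the post, the thread or the kernel: it walks the `ip rule` / `ip route` entries shown in the message for a packet with a given destination and fwmark. A local connect() performs its route lookup with mark 0, before mangle OUTPUT has applied the OWNER mark, so without a default route in table main that first lookup fails exactly as the ping above does; the marked re-route afterwards is what selects ppp0 or ppp10. The public destination 198.51.100.10 is a constructed stand-in for ya.ru.

```python
import ipaddress
# Rules and tables copied from the `ip rule` / `ip route` output in the message,
# simplified to prefix -> device; local table reduced to loopback (constructed).
RULES = [  # (priority, selector, table)
    (0, {}, "local"), (11, {"to": "10.0.0.0/8"}, "main"),
    (12, {"to": "172.16.0.0/12"}, "main"), (13, {"to": "192.168.0.0/16"}, "main"),
    (101, {"fwmark": 0x1}, "101"), (102, {"fwmark": 0x2}, "102"),
    (32766, {}, "main"), (32767, {}, "default"),
]
TABLES = {
    "local": {"127.0.0.0/8": "lo"},
    "101": {"0.0.0.0/0": "ppp0"},
    "102": {"0.0.0.0/0": "ppp10"},
    "main": {"91.149.162.1/32": "ppp0", "10.12.7.0/24": "homelan",
             "10.0.0.0/8": "homelan", "172.16.0.0/12": "homelan",
             "192.168.0.0/16": "homelan"},
}
MARK_BY_UID = {500: 0x1, 501: 0x2}  # the OWNER UID match rules in mangle OUTPUT

def table_lookup(table, dst):
    """Longest-prefix match inside one table; None means no route."""
    best = None
    for prefix, dev in TABLES.get(table, {}).items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def rpdb_lookup(dst, fwmark=0):
    """Walk the rules by priority; the first table that holds a route wins."""
    dst = ipaddress.ip_address(dst)
    for _prio, sel, table in sorted(RULES, key=lambda r: r[0]):
        if "to" in sel and dst not in ipaddress.ip_network(sel["to"]):
            continue
        if "fwmark" in sel and sel["fwmark"] != fwmark:
            continue
        dev = table_lookup(table, dst)
        if dev is not None:
            return dev
    return None  # no rule/table matched: ENETUNREACH
def connect_as(uid, dst, main_default=None):
    """Model a local connect(): the socket's route lookup runs with mark 0, before
    mangle OUTPUT sets the OWNER mark; only then is the packet marked and re-routed."""
    if main_default:  # the author's workaround: ip route add default dev X table main
        TABLES["main"]["0.0.0.0/0"] = main_default
    first = rpdb_lookup(dst, 0)
    final = rpdb_lookup(dst, MARK_BY_UID.get(uid, 0))  # re-route after mangle OUTPUT
    TABLES["main"].pop("0.0.0.0/0", None)
    return "Network is unreachable" if first is None else final
```

Rules 11 to 13 sit ahead of the fwmark rules, so LAN destinations still leave via homelan for both users, which matches the stated requirement.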


Thread overview: 21+ messages
2008-08-05 10:11 Olvin
2008-08-05 10:36 ` Serge
2008-08-05 11:08   ` Olvin
2008-08-05 12:04     ` Serge
2008-08-05 12:20       ` Olvin
2008-08-05 13:40         ` Alexander Vasiliev
2008-08-05 14:47           ` Olvin
2008-08-06  7:44         ` Pavel
2008-08-07 16:08           ` Olvin [this message]
2008-08-08  7:30             ` Pavel
2008-08-08 21:15               ` Olvin
2008-08-08 21:28                 ` Yuri Bushmelev
2008-08-08 22:00                   ` Olvin
2008-08-10 12:18                     ` Pavel
2008-08-10 14:36                       ` Olvin
2008-08-11  4:20                         ` Pavel
2008-08-10 12:39                 ` Pavel
2008-08-10 14:40                   ` Olvin
2008-08-11  6:33                     ` Pavel
2008-08-05 12:16 ` Alexander Vasiliev
2008-08-05 13:31   ` Olvin
