On Wednesday, August 6, 2003, at 04:28 PM, Joseph Mack wrote:
Matthew Crocker wrote:
ip rule add prio 100 fwmark 1 table 100
ip rule add prio 100 fwmark 2 table 100
ip route add local 0/0 dev lo table 100
crafty :-)
the last one means "all packets sent to table 100
from 0/0 go to dev lo"?
I think it means default route for table 100 is dev lo and treat
packets as local
OK you can send it the packets to lo, but why does lo accept it?
Why doesn't lo just say "I only have 127.0.0.1, forget it"
Honestly I didn't write this part. I got help from someone on the list
6 months ago. If you search back in the archive you should see where I
had everything configured but the LVS wasn't handling the packets.
Someone responded (Hormes? Julian?) with this above mentioned trick.
Works wonders :)
The cool thing about this setup is that packets going to the SIP that
are not tagged (i.e. not for services I provide) are not considered
local by the kernel and are routed back out to the upstream router
(creating a routing loop). You cannot traceroute/ping my SIP
addresses.
fiendish
do you know why we need transparent proxy if we can do this?
I haven't used transparent proxy, What does it do?
My next step would be to create a blackhole box and set that as the
default route for those packets so they go into the bit bucket instead
of the route loop.
can you give the incantation you use (to save me making it up
and getting it wrong)?
I'll need to tag all unknown/unwanted packets with a firewall mark.
iptables -t mangle -A PREROUTING -s 0/0 -d <SIP>/255.255.255.0 -i eth0 -j MARK --set-mark 0x99
Setup a route table with a default route of my blackhole box
ip route add 0/0 via <blackhole_box_ip> dev eth1 table 999
Have all packets with the fwmark use the new table
ip rule add prio 100 fwmark 0x99 table 999
The blackhole box is just a Linux box with default route to loopback
running SNORT. It will also be running BGP/OSPF with my route servers
announcing 0/0 so it will eat any reply packets from bogus netblocks
(spammers, worms, etc.). My border routers do not have a default
route. If it isn't in the BGP table it gets sent to SNORT for
logging/analysis.
I've been looking for a good way of getting arbitrary packets accepted
by the director when set up with fwmark. The only thing we've had
so far is transparent proxy or putting IPs onto the director that
match the dst_addr of the packets which get marked by fwmark.
The 2nd method there seems terribly crufty to me.
I've been doing it with the rules mentioned above for a couple of months
now and it has been working great. It took a while to set up properly
with ethereal running on the in/out interfaces of my clients, LVS and real
servers. I need a couple more displays sometimes so I can watch the
traffic flows.
HTH
-Matt
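The two pieces of the setup discussed in this message, the "local route in a fwmark table" trick that makes the director accept marked packets for a SIP it does not own, and the catch-all mark that sends everything else destined for the SIP netblock to the blackhole box, as an added example that is not the poster's script. It wraps them in POSIX sh functions with a dry-run default so they can be printed and reviewed before being applied as root. The netblock (192.0.2.0/24 in place of <SIP>/255.255.255.0), the blackhole gateway address, the interface names and the mark values are assumptions. Two details a practitioner should check are built in: the MARK target only exists in the mangle table, so the catch-all rule needs `-t mangle`, and `--set-mark 0x99` is hex (153), so the `ip rule` must use the same spelling or the two tools will disagree on the mark; `check_marks` normalises both to decimal to catch exactly that mismatch.

```sh
#!/bin/sh
# Added example, not the poster's script. Reproduces the two pieces of the
# thread as shell functions: (1) the "local route in a fwmark table" trick
# that makes the director accept marked packets for a SIP it does not own,
# and (2) the catch-all mark that sends everything else in the SIP netblock
# to a blackhole box. Network, mark and interface values are assumptions.
set -u

SIP_NET="${SIP_NET:-192.0.2.0/24}"           # assumed: stands in for <SIP>/255.255.255.0
BLACKHOLE_GW="${BLACKHOLE_GW:-198.51.100.1}" # assumed: address of the blackhole box
IN_IF="${IN_IF:-eth0}"                       # assumed: interface facing the clients
OUT_IF="${OUT_IF:-eth1}"                     # assumed: interface facing the blackhole box
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands, 0 = execute (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Normalise a mark to decimal. iptables reads "0x99" as hex (153), while a
# bare "99" in "ip rule ... fwmark 99" is decimal 99; comparing normalised
# values catches that mismatch before it silently routes nothing.
mark_dec() {
    printf '%d\n' "$(( $1 ))"
}

# Succeed only if the iptables mark and the ip rule mark are the same integer.
check_marks() {
    [ "$(mark_dec "$1")" = "$(mark_dec "$2")" ]
}

# Piece (1): packets carrying a service mark are looked up in table 100,
# whose only route is a "local" route, so the kernel delivers them to the
# local stack (and hence to ip_vs) without the SIP being configured on any
# interface. Marks 1 and 2 are the LVS service marks from the thread.
setup_local_table() {
    for m in 1 2; do
        run ip rule add prio 100 fwmark "$m" table 100
    done
    run ip route add local 0/0 dev lo table 100
}

# Piece (2): anything to the SIP netblock that still has mark 0 after the
# service-marking rules (so it is not an LVS service) gets the catch-all
# mark and is routed to the blackhole box instead of looping back to the
# upstream router. This rule must be appended after the rules that set the
# service marks, because it runs in the same mangle PREROUTING chain.
setup_blackhole() {
    mark="$1"
    run iptables -t mangle -A PREROUTING -i "$IN_IF" -d "$SIP_NET" \
        -m mark --mark 0 -j MARK --set-mark "$mark"
    run ip route add 0/0 via "$BLACKHOLE_GW" dev "$OUT_IF" table 999
    run ip rule add prio 110 fwmark "$mark" table 999
}

# One entry point so the same mark literal reaches both iptables and ip rule.
setup_all() {
    setup_local_table
    setup_blackhole 0x99
}

case "${1:-}" in
    print) DRY_RUN=1; setup_all ;;
    apply) DRY_RUN=0; setup_all ;;
esac
```

Run it as `sh script.sh print` to review the six commands it would issue, and `sh script.sh apply` as root to install them. The `-m mark --mark 0` match is what keeps service traffic out of the blackhole: without it the catch-all would overwrite marks 1 and 2 and the LVS services would vanish along with the unwanted traffic.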