
I have two ISP connections (Link1 and Link2), and I want to route all download traffic of size more than 1MB through Link2.

I have created a routing table Link2 and am routing all packets that have mark 2 through it.

ip route add default via 192.168.1.253 table link2
ip rule add fwmark 2 table link2

It works when I simply use it with any HTTP packets, for example:

iptables -t mangle -A PREROUTING -p tcp -s 192.168.1.81 --dport 80 -j MARK --set-mark 2 (works)

Now, when I try to mark packets only if the download size is more than 1MB, it is not working as expected:

iptables -t mangle -A PREROUTING -p tcp -s 192.168.1.81 --dport 80 -m connbytes --connbytes 1048576: --connbytes-dir both --connbytes-mode bytes -j MARK --set-mark 2 (not working)

Can anyone please tell me if I am missing anything here?

Supratik

2 Answers


In short, what you want is not possible.

thor
  • Can you please suggest some other way to reach the basic objective? Why do you think it is not possible? – Supratik Apr 06 '11 at 16:00
  • This is due to the fundamental design of the TCP/IP stack. – pfo Apr 06 '11 at 21:54
  • 2
    Without going into technical details, you will only know the the download size at the moment the download begins. At that moment, TCP session is already established, and whatever ip address it is bound to all traffic within that connection will go though one single link. – thor Apr 07 '11 at 07:00
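As an added illustration of thor's point (this is not code from the question or either answer), the following Python model applies the asker's connbytes/MARK rule packet by packet to one constructed HTTP download. It assumes a hypothetical server at 203.0.113.10 (a documentation address), rough packet sizes, and the simplification that connbytes counts IP-layer bytes of both directions in one per-connection counter. It shows that the rule only starts firing part-way through the flow, after the routing decision for the connection has already been made on the SYN.

```python
"""Model of the asker's rule:

  iptables -t mangle -A PREROUTING -p tcp -s 192.168.1.81 --dport 80 \
      -m connbytes --connbytes 1048576: --connbytes-dir both \
      --connbytes-mode bytes -j MARK --set-mark 2

over a single HTTP download. Added example, not from the original thread.
"""
from collections import defaultdict

CLIENT = "192.168.1.81"        # -s 192.168.1.81 in the asker's rule
HTTP_PORT = 80                 # --dport 80
THRESHOLD = 1048576            # --connbytes 1048576:
SERVER = ("203.0.113.10", 80)  # constructed server address (RFC 5737 range)


def route_for_mark(mark):
    """'ip rule add fwmark 2 table link2'; unmarked packets use the main table."""
    return "link2" if mark == 2 else "main"


def connection_key(pkt):
    """Direction-independent connection identifier, as conntrack tracks it."""
    ends = [(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]
    return tuple(sorted(ends))


def simulate(packets, threshold=THRESHOLD):
    """Apply the mangle rule to every packet crossing the gateway.

    conntrack keeps one byte counter per connection covering both
    directions (--connbytes-dir both, --connbytes-mode bytes). MARK fires
    on a packet only if it matches -s CLIENT --dport 80 AND the counter
    has already reached the threshold. Returns one (direction, mark,
    routing_table) tuple per packet.
    """
    counters = defaultdict(int)
    decisions = []
    for pkt in packets:
        key = connection_key(pkt)
        counters[key] += pkt["len"]          # simplified: IP-layer bytes
        outbound = pkt["src"] == CLIENT      # only client->server can match -s
        mark = 0
        if outbound and pkt["dport"] == HTTP_PORT and counters[key] >= threshold:
            mark = 2
        decisions.append(("out" if outbound else "in", mark, route_for_mark(mark)))
    return decisions


def outbound_tables(decisions):
    """Distinct routing tables used by the client's own packets of the flow."""
    return sorted({table for direction, _, table in decisions if direction == "out"})


def first_rerouted_packet(decisions):
    """Index of the first packet sent via link2, or None if the flow stayed on main."""
    for i, (_, _, table) in enumerate(decisions):
        if table == "link2":
            return i
    return None


def build_download_trace(payload_bytes, segment=1460):
    """Constructed packet trace for one HTTP download: TCP handshake, a GET,
    then the response in `segment`-byte pieces, each acknowledged by the
    client. Sizes are illustrative (IP+TCP headers taken as 52 bytes)."""
    client = (CLIENT, 40000)

    def pkt(src, dst, length):
        return {"src": src[0], "sport": src[1],
                "dst": dst[0], "dport": dst[1], "len": length}

    trace = [pkt(client, SERVER, 60),        # SYN: routing decision is made here
             pkt(SERVER, client, 60),        # SYN/ACK
             pkt(client, SERVER, 52),        # ACK
             pkt(client, SERVER, 52 + 120)]  # HTTP GET request
    remaining = payload_bytes
    while remaining > 0:
        n = min(segment, remaining)
        trace.append(pkt(SERVER, client, 52 + n))   # response data segment
        trace.append(pkt(client, SERVER, 52))       # client ACK
        remaining -= n
    return trace


if __name__ == "__main__":
    big = simulate(build_download_trace(2 * 1048576))    # 2 MiB download
    small = simulate(build_download_trace(100 * 1024))   # 100 KiB download
    print("2 MiB download: tables used =", outbound_tables(big),
          "first packet via link2 =", first_rerouted_packet(big))
    print("100 KiB download: tables used =", outbound_tables(small))
```

For the 2 MiB download the client's packets start on the main table and switch to link2 once the counter passes 1MB, so one TCP connection is split across two links; the far end only ever agreed a connection over Link1, so the later packets belong to a flow it does not recognise on that path and the connection breaks rather than moves. The 100 KiB download never reaches the threshold and stays on the main table throughout.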

You can only do this if your router is multihomed, and you can only do it for outgoing traffic. Which means it is possible in only a few cases.

In all other cases you will break the connection. And for incoming traffic you can't control where it reaches you.

Related: How to identify download traffic using iptables

Ganwell
  • If you aren't an ISP, I am quite sure your router isn't multihomed. If you haven't configured BGP, I am quite sure your router isn't multihomed. -> If you have a website where you provide downloads consider linking the downloads to another webserver that is connected to that other ISP. – Ganwell Apr 06 '11 at 22:13
  • @Ganwell, with reference to your post in [How to identify download traffic using iptables](http://serverfault.com/questions/249520/how-to-identify-download-traffic-using-iptables/249598#249598), I am able to compile and load the module connbytes. As you suggested that it is possible with iproute2, I tried the same here, but when I use connbytes it is not working as expected. My basic objective is to find out which traffic is a download of size more than 1M and route it to Link2. Can you please suggest something? – Supratik Apr 07 '11 at 05:04
  • I am very sorry. I wanted to point out that you need a multihomed router when you asked the first question, but then I thought it was off topic. As thor explained, if you have a different address for each ISP connection there is nothing you can do. - But I still don't know your setup, so if you can explain from what machine to what machine the traffic flows and in what direction (outgoing/incoming), I might find some way. – Ganwell Apr 12 '11 at 12:22
  • @Ganwell, I have two ISP connections, say Link-1 and Link-2. All systems are connected through a Linux gateway at eth1, and eth0 connects to Link-1. Currently a user in the LAN can connect to the internet through Link-2 by changing the gateway manually to Link-2. After some research and experiments I was able to find a way out, but I am still not able to solve the issue completely. I included a Squid proxy to solve the problem. In my Squid configuration I added the following lines. – Supratik Apr 21 '11 at 13:19
  • In squid.conf:
        acl ext_filtering src 192.168.1.226
        tcp_outgoing_address 192.168.1.250 ext_filtering
    and the following routing table entries:
        ip rule add from 192.168.1.250 table link2
        ip route add default via 192.168.1.253 dev eth1 table link2
        ip route flush cache
    I want to test that all traffic coming from 192.168.1.226 is forwarded to the Link2 gateway successfully; I will try to filter based on size in the next step. But now the problem is that this setup is sometimes working, and for some of the sites it simply throws an "Access Denied" error. Please let me know if I am missing anything. – Supratik Apr 21 '11 at 13:24
  • Here 192.168.1.253 is the gateway router for Link-2 and 192.168.1.226 is a normal user system in the LAN. All user systems in the LAN are using the Squid proxy to connect to the internet. Please let me know if you need any more details. – Supratik Apr 21 '11 at 13:29