
My situation: An Ubuntu server is part of a LAN with 2 gateways. One offers high speed with high latency, the other low speed with low latency. My server usually uses GW1 for all traffic (because of the high bandwidth). I would love to be able to ssh into the server via the low-latency connection. GW2 has a port forwarding to the server, but it obviously doesn't work out of the box because the server will answer via GW1, which will drop the packets.

After some research, here is what I did (my ssh port is 222):

I added an iptables rule to mark the packets:

iptables -L PREROUTING -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  anywhere             anywhere             tcp dpt:222 MARK set 0x1

I added the following to /etc/iproute2/rt_tables:

100    sshtable

I added an ip rule for the new table - this is the "ip rule show" output:

ip rule show
0:      from all lookup local
32764:  from all fwmark 0x1 lookup sshtable
32766:  from all lookup main
32767:  from all lookup default

I changed the routing for the new table - this is the "ip route show table sshtable" output:

ip route show table sshtable
default via 192.168.2.2 dev eth0

rp_filter should be turned off:

cat /etc/sysctl.conf | grep filter
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0

Unfortunately it does not work. I can see the incoming connection being stuck at SYN_SENT (using tcptrack).

Do you have any hints for me? Nik

Niksac

1 Answer


You should mark the whole connection, otherwise only the first packet will be marked.

# packets of a connection that already carries a mark: copy it back onto the packet, then stop
iptables -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
# new connections to port 222: set the packet mark
iptables -t mangle -A PREROUTING -p tcp --dport 222 -j MARK --set-mark 0x1
# store the packet mark in the conntrack entry so later packets inherit it
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

You might have to load the ipt_connmark module. To find out if it is supplied with your kernel, run the following:

$ find /lib/modules/`uname -r` -name 'xt_connmark.ko'
$ lsmod | grep 'connmark'

Then make sure to load the module if not yet loaded.

# modprobe ipt_connmark
Spack
  • I get "No chain/target/match by that name." from iptables. I installed conntrack via apt-get – Niksac Apr 15 '14 at 13:36
  • I've updated with the full `iptables` command. There is no need to install conntrack. This is a netfilter kernel module. – Spack Apr 15 '14 at 13:44
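The complete setup as an added example; this is not code from the question or from the answer above. It assumes the values given in the question (port 222, gateway 192.168.2.2, interface eth0, table 100 named sshtable, mark 0x1) and goes one step beyond the answer: the server's replies are locally generated, so their routing decision is taken on the OUTPUT path, where a mark set in PREROUTING is not present. The conntrack mark therefore has to be restored in mangle OUTPUT as well, or the SYN-ACK still leaves through GW1 and the connection stays in SYN_SENT exactly as described. The script prints the commands by default so they can be reviewed; `apply` executes them as root and `verify` asks the kernel which gateway a marked packet would use.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Goal: connections that arrive through GW2 on the forwarded port are answered
# through GW2, while everything else keeps using the main routing table.
# All values below are assumptions taken from the question.
SSH_PORT=222              # forwarded port
ALT_GW=192.168.2.2        # low-latency gateway (GW2)
IFACE=eth0
TABLE_ID=100
TABLE_NAME=sshtable
MARK=0x1
PROBE=203.0.113.1         # documentation address, only used by verify()

# plan: print the commands instead of running them, so the change can be
# reviewed (and tested) before it touches a live box.
plan() {
    cat <<EOF
# routing table used for marked traffic, plus the rule that selects it
grep -qE "^$TABLE_ID[[:space:]]+$TABLE_NAME" /etc/iproute2/rt_tables || echo "$TABLE_ID $TABLE_NAME" >> /etc/iproute2/rt_tables
ip route replace default via $ALT_GW dev $IFACE table $TABLE_NAME
ip rule show | grep -q "fwmark $MARK" || ip rule add fwmark $MARK lookup $TABLE_NAME
# incoming side: packets of an already-marked connection inherit its mark; new
# connections to the forwarded port get marked and the mark is saved in conntrack
iptables -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
iptables -t mangle -A PREROUTING -p tcp --dport $SSH_PORT -j MARK --set-mark $MARK
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
# outgoing side: the server's own replies are routed in OUTPUT, where the
# PREROUTING mark is not present; restore it from conntrack so the SYN-ACK
# and every later reply hit the fwmark rule and leave via $ALT_GW
iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
# loose reverse-path filtering is enough here: the client is reachable via
# $IFACE, just not via the gateway the main table would pick. 0 also works but
# disables the anti-spoofing check entirely. The kernel uses the larger of
# the "all" and the per-interface value, so set both.
sysctl -w net.ipv4.conf.all.rp_filter=2
sysctl -w net.ipv4.conf.$IFACE.rp_filter=2
EOF
}

# apply: execute the plan line by line (needs root); stops at the first failure
apply() {
    plan | grep -v '^#' | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# verify: the marked query should name $ALT_GW, the unmarked one GW1
verify() {
    ip route get "$PROBE" mark "$MARK"
    ip route get "$PROBE"
}

case "${1:-plan}" in
    plan)   plan ;;
    apply)  apply && verify ;;
    verify) verify ;;
esac
```

Re-running `apply` appends the iptables rules a second time (the `-A` lines are not idempotent, unlike the table and rule lines); flush the mangle chains first or switch to `-C ... || -A ...` if the script is meant to run on every boot.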