* ROUTE and source IPv6 routing - how ?
@ 2003-12-01 15:22 Pawel Hadam
2003-12-01 16:01 ` patch nth, load balancing Fabrice Grelaud
2003-12-02 8:02 ` ROUTE and source IPv6 routing - how ? Cedric de Launois
0 siblings, 2 replies; 7+ messages in thread
From: Pawel Hadam @ 2003-12-01 15:22 UTC (permalink / raw)
To: netfilter; +Cc: delaunois
Hi all
I have two hosts and both have two NICs.
CLIENT: eth0 - ipc0 = 2001:660:5301:26:2c0:9fff:fe1a:caca
eth1 - ipc1 = 2001:688:1fa1:2:204:75ff:fef8:93a4
SERVER: eth0 - ips0 = 2001:660:5301:26:210:5aff:febe:bb78
eth1 - ips1 = 2001:688:1fa1:2:204:75ff:fee8:52fd
As you can see, both eth0 are connected to the same LAN (so have IPv6
addresses from the same LAN), and both eth1 are connected to the second
LAN.
According to the normal IPv6 routing, all packets exit from CLIENT to ips0
always via eth0, and to ips1 always via eth1.
But when I have a client program bound to ipc0 (src = ipc0) I would like
to see all packets exiting via eth0, both packets going to ips0 and to
ips1. The same way, packets from a client bound to ipc1 (src = ipc1)
should always exit via eth1. Like this:
1) (ipc0 -> ips0) via eth0
2) (ipc0 -> ips1) via eth0
3) (ipc1 -> ips0) via eth1
4) (ipc1 -> ips1) via eth1
To obtain this I used kernel 2.4.22 with netfilter and patch-o-matic
module ROUTE, and configured this way:
mykonos:~ # ip6tables -t mangle -A POSTROUTING --source 2001:660:5301:26:2c0:9fff:fe1a:caca -j ROUTE --oif eth0 --continue
mykonos:~ # ip6tables -t mangle -A POSTROUTING --source 2001:688:1fa1:2:204:75ff:fef8:93a4 -j ROUTE --oif eth1 --continue
mykonos:~ # ip6tables -t mangle -nL
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ROUTE all 2001:660:5301:26:2c0:9fff:fe1a:caca/128 ::/0 ROUTE oif:eth0 continue
ROUTE all 2001:688:1fa1:2:204:75ff:fef8:93a4/128 ::/0 ROUTE oif:eth1 continue
But it works only in cases 1) and 4). In cases 2) and 3) it gives the
following messages in /var/log/messages:
Dec 1 15:52:29 mykonos kernel: ip6t_ROUTE: no explicit route found via interface eth1
Dec 1 15:52:45 mykonos kernel: ip6t_ROUTE: called with: DST=2001:0688:1fa1:0002:0204:75ff:fee8:52fd GATEWAY=0000:0000:0000:0000:0000:0000:0000:0000 OUT=eth0
Dec 1 15:52:45 mykonos kernel: ip6t_ROUTE: no explicit route found via interface eth0
Dec 1 15:52:48 mykonos kernel: ip6t_ROUTE: called with: DST=2001:0688:1fa1:0002:0204:75ff:fee8:52fd GATEWAY=0000:0000:0000:0000:0000:0000:0000:0000 OUT=eth0
And I cannot see any packet exiting any interface.
Could anybody help me with this configuration to reach my target, please
??? Or maybe I should change something in my routing table ???
Regards
Pawel
^ permalink raw reply [flat|nested] 7+ messages in thread
* patch nth, load balancing
2003-12-01 15:22 ROUTE and source IPv6 routing - how ? Pawel Hadam
@ 2003-12-01 16:01 ` Fabrice Grelaud
2003-12-02 8:02 ` ROUTE and source IPv6 routing - how ? Cedric de Launois
1 sibling, 0 replies; 7+ messages in thread
From: Fabrice Grelaud @ 2003-12-01 16:01 UTC (permalink / raw)
To: netfilter
Hi everybody,
I have 2 ADSL connections on my gateway (eth1, eth2) and one card for the
LAN (eth0).
netfilter-extension-HOWTO: "easy and quick method to produce load-balancing"
I would like to know if it's possible to balance the load of incoming
packets (eth0) to the two external interfaces.
                           _______
                          |       |-eth1 (66.12.24.36)----------
------eth0 (192.168.0.254)|  FW   |                               NET
                          |  NAT  |-eth2 (66.13.52.36)----------
                           _______
And so use the command:
#iptables -t nat -A POSTROUTING -o eth1 -m nth --counter 7 --every 2 --packet 0 -j SNAT --to-source 66.12.24.36
#iptables -t nat -A POSTROUTING -o eth2 -m nth --counter 7 --every 2 --packet 1 -j SNAT --to-source 66.13.52.36
In the howto's example, each time the output card is eth0 ???
What do you think ???
Or do I have to use the target ROUTE or iproute2 & netfilter ???
Cordially yours
Fabrice
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: ROUTE and source IPv6 routing - how ?
2003-12-01 15:22 ROUTE and source IPv6 routing - how ? Pawel Hadam
2003-12-01 16:01 ` patch nth, load balancing Fabrice Grelaud
@ 2003-12-02 8:02 ` Cedric de Launois
2003-12-02 9:35 ` Andrea Iacopini
2003-12-02 10:13 ` Pawel Hadam
1 sibling, 2 replies; 7+ messages in thread
From: Cedric de Launois @ 2003-12-02 8:02 UTC (permalink / raw)
To: Pawel Hadam; +Cc: netfilter
On Mon 01/12/2003 at 16:22, Pawel Hadam wrote:
> Hi all
>
> I have two hosts and both have two NICs.
>
> CLIENT: eth0 - ipc0 = 2001:660:5301:26:2c0:9fff:fe1a:caca
> eth1 - ipc1 = 2001:688:1fa1:2:204:75ff:fef8:93a4
>
> SERVER: eth0 - ips0 = 2001:660:5301:26:210:5aff:febe:bb78
> eth1 - ips1 = 2001:688:1fa1:2:204:75ff:fee8:52fd
>
> As you can see, both eth0 are connected to the same LAN (so have IPv6
> addresses from the same LAN), and both eth1 are connected to the second
> LAN.
>
> According to the normal IPv6 routing, all packets exit from CLIENT to ips0
> always via eth0, and to ips1 always via eth1.
>
> But when I have a client program bound to ipc0 (src = ipc0) I would like
> to see all packets exiting via eth0, both packets going to ips0 and to
> ips1. The same way, packets from a client bound to ipc1 (src = ipc1)
> should always exit via eth1. Like this:
>
> 1) (ipc0 -> ips0) via eth0
> 2) (ipc0 -> ips1) via eth0
> 3) (ipc1 -> ips0) via eth1
> 4) (ipc1 -> ips1) via eth1
>
>
> To obtain this I used kernel 2.4.22 with netfilter and patch-o-matic
> module ROUTE, and configured this way:
>
>
> mykonos:~ # ip6tables -t mangle -A POSTROUTING --source 2001:660:5301:26:2c0:9fff:fe1a:caca -j ROUTE --oif eth0 --continue
>
> mykonos:~ # ip6tables -t mangle -A POSTROUTING --source 2001:688:1fa1:2:204:75ff:fef8:93a4 -j ROUTE --oif eth1 --continue
>
> mykonos:~ # ip6tables -t mangle -nL
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> ROUTE all 2001:660:5301:26:2c0:9fff:fe1a:caca/128 ::/0 ROUTE oif:eth0 continue
> ROUTE all 2001:688:1fa1:2:204:75ff:fef8:93a4/128 ::/0 ROUTE oif:eth1 continue
>
>
> But it works only in cases 1) and 4). In cases 2) and 3) it gives the
> following messages in /var/log/messages:
>
>
> Dec 1 15:52:29 mykonos kernel: ip6t_ROUTE: no explicit route found via interface eth1
>
> Dec 1 15:52:45 mykonos kernel: ip6t_ROUTE: called with: DST=2001:0688:1fa1:0002:0204:75ff:fee8:52fd GATEWAY=0000:0000:0000:0000:0000:0000:0000:0000 OUT=eth0
>
> Dec 1 15:52:45 mykonos kernel: ip6t_ROUTE: no explicit route found via interface eth0
>
> Dec 1 15:52:48 mykonos kernel: ip6t_ROUTE: called with: DST=2001:0688:1fa1:0002:0204:75ff:fee8:52fd GATEWAY=0000:0000:0000:0000:0000:0000:0000:0000 OUT=eth0
>
>
>
> And I cannot see any packet exiting any interface.
>
> Could anybody help me with this configuration to reach my target, please
> ??? Or maybe I should change something in my routing table ???
You have to add an entry in your routing table saying that destination
2001:688:1fa1:2:204:75ff:fee8:52fd is reachable through iface ipc0.
Otherwise the ROUTE target can't figure out whether the destination
is on-link or gateway'ed.
Try with something like this :
ip -f inet6 route add 2001:688:1fa1:2:204:75ff:fee8:52fd dev eth0
Same remark applies for case 3).
Cedric
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: ROUTE and source IPv6 routing - how ?
2003-12-02 8:02 ` ROUTE and source IPv6 routing - how ? Cedric de Launois
@ 2003-12-02 9:35 ` Andrea Iacopini
2003-12-02 10:13 ` Pawel Hadam
1 sibling, 0 replies; 7+ messages in thread
From: Andrea Iacopini @ 2003-12-02 9:35 UTC (permalink / raw)
To: netfilter
unsubscribe
========================================================================
Andrea Iacopini,
Technology Solutions, Networking and Security Competence Center
REALTECH Italia S.p.A. - Technology drives e-Business
Via Paolo di Dono, 73 - 00142 Roma, Italy
andrea.iacopini@realtech.it
Mobile + 39 335 123.44.93
Tel. +39 06 51.95.981, Fax. +39 06 51.96.36.74
========================================================================
Valued IEEE Member,
Member NO: 41412812
Real hackers don't die, just their TTL expires. [Unknown]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: ROUTE and source IPv6 routing - how ?
2003-12-02 8:02 ` ROUTE and source IPv6 routing - how ? Cedric de Launois
2003-12-02 9:35 ` Andrea Iacopini
@ 2003-12-02 10:13 ` Pawel Hadam
2003-12-02 10:42 ` Cedric de Launois
1 sibling, 1 reply; 7+ messages in thread
From: Pawel Hadam @ 2003-12-02 10:13 UTC (permalink / raw)
To: Cedric de Launois; +Cc: netfilter
> > I have two hosts and both have two NICs.
> > CLIENT: eth0 - ipc0 = 2001:660:5301:26:2c0:9fff:fe1a:caca
> > eth1 - ipc1 = 2001:688:1fa1:2:204:75ff:fef8:93a4
> > SERVER: eth0 - ips0 = 2001:660:5301:26:210:5aff:febe:bb78
> > eth1 - ips1 = 2001:688:1fa1:2:204:75ff:fee8:52fd
> >
> You have to add an entry in your routing table saying that destination
> 2001:688:1fa1:2:204:75ff:fee8:52fd is reachable through iface ipc0.
> Otherwise the ROUTE target can't figure out whether the destination
> is on-link or gateway'ed.
> Try with something like this :
> ip -f inet6 route add 2001:688:1fa1:2:204:75ff:fee8:52fd dev eth0
> Same remark applies for case 3).
Hmm... thank you for your proposal, but it does not seem to be the
solution for my problem. Should I add routing entries for ALL IPv6
addresses that I would like to access through ipc0 ??? I would like to
have an access to the whole internet via both ipc0 and ipc1, but
depending on the binding in the client software. So, when I bind my client
to ipc0, I access all the internet via ipc0. When I bind my client to
ipc1, I access all the internet via ipc1.
My example above was only my local testbed.
Is it possible?
Regards
Pawel
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: ROUTE and source IPv6 routing - how ?
2003-12-02 10:13 ` Pawel Hadam
@ 2003-12-02 10:42 ` Cedric de Launois
2003-12-02 10:50 ` Pawel Hadam
0 siblings, 1 reply; 7+ messages in thread
From: Cedric de Launois @ 2003-12-02 10:42 UTC (permalink / raw)
To: Pawel Hadam; +Cc: netfilter
On Tue 02/12/2003 at 11:13, Pawel Hadam wrote:
> > > I have two hosts and both have two NICs.
> > > CLIENT: eth0 - ipc0 = 2001:660:5301:26:2c0:9fff:fe1a:caca
> > > eth1 - ipc1 = 2001:688:1fa1:2:204:75ff:fef8:93a4
> > > SERVER: eth0 - ips0 = 2001:660:5301:26:210:5aff:febe:bb78
> > > eth1 - ips1 = 2001:688:1fa1:2:204:75ff:fee8:52fd
> > >
> > You have to add an entry in your routing table saying that destination
> > 2001:688:1fa1:2:204:75ff:fee8:52fd is reachable through iface ipc0.
> > Otherwise the ROUTE target can't figure out whether the destination
> > is on-link or gateway'ed.
> > Try with something like this :
> > ip -f inet6 route add 2001:688:1fa1:2:204:75ff:fee8:52fd dev eth0
> > Same remark applies for case 3).
>
> Hmm... thank you for your proposal, but it does not seem to be the
> solution for my problem. Should I add routing entries for ALL IPv6
> addresses that I would like to access through ipc0 ??? I would like to
> have an access to the whole internet via both ipc0 and ipc1, but
> depending on the binding in the client software. So, when I bind my client
> to ipc0, I access all the internet via ipc0. When I bind my client to
> ipc1, I access all the internet via ipc1.
> My example above was only my local testbed.
> Is it possible?
Then add a default route that goes through 2001:688:1fa1:2:204:75ff:fee8:52fd :
ip -f inet6 route add 2001:688:1fa1:2:204:75ff:fee8:52fd dev eth0
ip -f inet6 route add default via 2001:688:1fa1:2:204:75ff:fee8:52fd
So the ROUTE target knows that when sending through eth0, the next hop
is your server and that it is on the ipc0 link.
So the complete ruleset should be in your case something like that :
ip -f inet6 route add 2001:688:1fa1:2:204:75ff:fee8:52fd dev eth0
ip -f inet6 route add 2001:660:5301:26:210:5aff:febe:bb78 dev eth1
ip -f inet6 route add default via 2001:688:1fa1:2:204:75ff:fee8:52fd
ip -f inet6 route add default via 2001:660:5301:26:210:5aff:febe:bb78
ip6tables -t mangle -A POSTROUTING --source 2001:660:5301:26:2c0:9fff:fe1a:caca -j ROUTE --oif eth0 --continue
ip6tables -t mangle -A POSTROUTING --source 2001:688:1fa1:2:204:75ff:fef8:93a4 -j ROUTE --oif eth1 --continue
So, the ROUTE target is used for selecting between the two default
routes.
Cedric
^ permalink raw reply [flat|nested] 7+ messages in thread
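Added example (not part of the original thread, and not the ip6t_ROUTE source): a simplified Python model of the lookup Cedric describes, showing why forcing an output interface fails in cases 2) and 3) until a route through that interface exists. The /64 prefix lengths and the gateway address fe80::1 are constructed assumptions; the thread gives neither.

```python
import ipaddress

IPS0 = "2001:660:5301:26:210:5aff:febe:bb78"   # server address on the eth0 LAN
IPS1 = "2001:688:1fa1:2:204:75ff:fee8:52fd"    # server address on the eth1 LAN

# (prefix, device, gateway or None for on-link). Constructed tables:
# the /64 lengths and fe80::1 gateways are assumptions, not from the thread.
BASE_ROUTES = [
    ("2001:660:5301:26::/64", "eth0", None),
    ("2001:688:1fa1:2::/64", "eth1", None),
]
WITH_HOST_ROUTE = BASE_ROUTES + [(IPS1 + "/128", "eth0", None)]
WITH_DEFAULTS = BASE_ROUTES + [
    ("::/0", "eth0", "fe80::1"),
    ("::/0", "eth1", "fe80::1"),
]

# The four cases from the first message: (forced output interface, destination).
CASES = [("eth0", IPS0), ("eth0", IPS1), ("eth1", IPS0), ("eth1", IPS1)]


def lookup_via(routes, dst, oif):
    """Longest-prefix match restricted to routes whose device is `oif`.

    Returns (prefix, next_hop); next_hop is the gateway, or dst itself for an
    on-link route. Returns None when no route through `oif` covers dst.
    """
    dst_ip = ipaddress.IPv6Address(dst)
    best = None
    for prefix, dev, gateway in routes:
        net = ipaddress.IPv6Network(prefix)
        if dev != oif or dst_ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, gateway)
    if best is None:
        return None
    net, gateway = best
    return (str(net), gateway if gateway else dst)


def route_decision(routes, dst, oif):
    """Human-readable outcome; the failure text mirrors the kernel log line."""
    hit = lookup_via(routes, dst, oif)
    if hit is None:
        return f"no explicit route found via interface {oif}"
    prefix, next_hop = hit
    return f"send via {oif}, next hop {next_hop} (matched {prefix})"


def run_cases(routes):
    """True for each of the four cases that finds a route via the forced oif."""
    return [lookup_via(routes, dst, oif) is not None for oif, dst in CASES]


if __name__ == "__main__":
    for name, table in [("base", BASE_ROUTES), ("defaults", WITH_DEFAULTS)]:
        for oif, dst in CASES:
            print(name, route_decision(table, dst, oif))
```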
* Re: ROUTE and source IPv6 routing - how ?
2003-12-02 10:42 ` Cedric de Launois
@ 2003-12-02 10:50 ` Pawel Hadam
0 siblings, 0 replies; 7+ messages in thread
From: Pawel Hadam @ 2003-12-02 10:50 UTC (permalink / raw)
To: Cedric de Launois; +Cc: netfilter
> > > > CLIENT: eth0 - ipc0 = 2001:660:5301:26:2c0:9fff:fe1a:caca
> > > > eth1 - ipc1 = 2001:688:1fa1:2:204:75ff:fef8:93a4
> > > > SERVER: eth0 - ips0 = 2001:660:5301:26:210:5aff:febe:bb78
> > > > eth1 - ips1 = 2001:688:1fa1:2:204:75ff:fee8:52fd
> > > >
> > > You have to add an entry in your routing table saying that destination
> > > 2001:688:1fa1:2:204:75ff:fee8:52fd is reachable through iface ipc0.
> > > Otherwise the ROUTE target can't figure out whether the destination
> > > is on-link or gateway'ed.
> > > Try with something like this :
> > > ip -f inet6 route add 2001:688:1fa1:2:204:75ff:fee8:52fd dev eth0
> > > Same remark applies for case 3).
> >
> > Hmm... thank you for your proposal, but it does not seem to be the
> > solution for my problem. Should I add routing entries for ALL IPv6
> > addresses that I would like to access through ipc0 ??? I would like to
> > have an access to the whole internet via both ipc0 and ipc1, but
> > depending on the binding in the client software. So, when I bind my client
> > to ipc0, I access all the internet via ipc0. When I bind my client to
> > ipc1, I access all the internet via ipc1.
> > My example above was only my local testbed.
> > Is it possible?
>
> Then add a default route that goes through 2001:688:1fa1:2:204:75ff:fee8:52fd :
> ip -f inet6 route add 2001:688:1fa1:2:204:75ff:fee8:52fd dev eth0
> ip -f inet6 route add default via 2001:688:1fa1:2:204:75ff:fee8:52fd
> So the ROUTE target knows that when sending through eth0, the next hop
> is your server and that it is on the ipc0 link.
Looks good. But I should use my gateway connected to the ipc0 (and also
the second one, connected to ipc1). ips0 and ips1 are addresses of one
normal host in my network, they are not gateway addresses.
> So the complete ruleset should be in your case something like that :
>
> ip -f inet6 route add 2001:688:1fa1:2:204:75ff:fee8:52fd dev eth0
> ip -f inet6 route add 2001:660:5301:26:210:5aff:febe:bb78 dev eth1
> ip -f inet6 route add default via 2001:688:1fa1:2:204:75ff:fee8:52fd
> ip -f inet6 route add default via 2001:660:5301:26:210:5aff:febe:bb78
Yeah, something like this, but with gateway addresses.
> ip6tables -t mangle -A POSTROUTING --source 2001:660:5301:26:2c0:9fff:fe1a:caca -j ROUTE --oif eth0 --continue
> ip6tables -t mangle -A POSTROUTING --source 2001:688:1fa1:2:204:75ff:fef8:93a4 -j ROUTE --oif eth1 --continue
>
> So, the ROUTE target is used for selecting between the two default
> routes.
I'll try it, thanks.
Regards
Pawel
^ permalink raw reply [flat|nested] 7+ messages in thread