* Routing problem
From: Carlos Fernandez Sanz @ 2004-02-13 15:39 UTC (permalink / raw)
To: netfilter
I have a small problem setting up a routing exception here.
We have a small LAN with NAT-based internet access. Nothing special here.
The router is a Linux box, with two NICs. One of them has a private address. The other one has a WAN address (it's a requirement of our provider that we use this address even if we have public addresses).
Anyway, one of our users needs to go out using a public IP, and NAT doesn't do, because he needs to establish a connection encrypted where the IP address is part of a signature.
We do have spare IPs. The problem is that I can't add a route to him, route returns "network is unreachable".
Suppose NIC A in the linux box (router) is 192.168.21.1. NIC B is our public IP 1 (of a pool of five) A.B.C.1. Everyone gets out using this IP and NAT.
Now I want someone in the LAN to own the public IP A.B.C.2, however he is connected to the internal switch.
I tried to do this
route add A.B.C.2 gw A.B.C.2 dev eth0
But I get "network unreachable".
Before you ask: I can't connect this special computer to the same place I connect the linux box (which would be the obvious solution) because the carrier expects traffic to come from one WAN IP, owned by the linux box.
All suggestions welcome.
* Re: Routing problem
From: Antony Stone @ 2004-02-13 15:50 UTC (permalink / raw)
To: netfilter
On Friday 13 February 2004 3:39 pm, Carlos Fernandez Sanz wrote:
> I have a small problem setting up a routing exception here.
>
> We have a small LAN with NAT-based internet access. Nothing special here.
> The router is a Linux box, with two NICs. One of them has a private
> address. The other one has a WAN address (it's a requirement of our
> provider that we use this address even if we have public addresses).
>
> Before you ask: I can't connect this special computer to the same place I
> connect the linux box (which would be the obvious solution) because the
> carrier expects traffic to come from one WAN IP, owned by the linux box.
How do they expect you to use any of the other IPs in the pool they have given
you?
Antony.
--
The words "e pluribus unum" on the Great Seal of the United States are from a
poem by Virgil entitled "Moretum", which is about cheese and garlic salad
dressing.
Please reply to the list;
please don't CC me.
* Re: Routing problem
From: Carlos Fernandez Sanz @ 2004-02-13 16:30 UTC (permalink / raw)
To: Antony Stone, netfilter
> > Before you ask: I can't connect this special computer to the same place I
> > connect the linux box (which would be the obvious solution) because the
> > carrier expects traffic to come from one WAN IP, owned by the linux box.
>
> How do they expect you to use any of the other IPs in the pool they have
> given you?
I do use them by redirecting traffic from the linux box to the destination
boxes (such as all traffic for public IP 2 goes to 192.168.21.2, for
example). This works fine, *except* in this particular case, where any
NATing is not an option. I need the computer behind the linux box to
actually own the public address, because it signs packets with it.
* Re: Routing problem
From: John A. Sullivan III @ 2004-02-13 16:53 UTC (permalink / raw)
To: Carlos Fernandez Sanz; +Cc: netfilter
On Fri, 2004-02-13 at 10:39, Carlos Fernandez Sanz wrote:
> I have a small problem setting up a routing exception here.
>
> We have a small LAN with NAT-based internet access. Nothing special
> here.
> The router is a Linux box, with two NICs. One of them has a private
> address. The other one has a WAN address (it's a requirement of our
> provider that we use this address even if we have public addresses).
>
> Anyway, one of our users needs to go out using a public IP, and NAT
> doesn't do, because he needs to establish a connection encrypted where
> the IP address is part of a signature.
>
> We do have spare IPs. The problem is that I can't add a route to him,
> route returns "network is unreachable".
>
> Suppose NIC A in the linux box (route) is 192.168.21.1. NIC B is our
> public IP 1 (of a pool of five) A.B.C.1. Everyone gets out using this
> IP and NAT.
> Now I want someone in the LAN to own the public IP A.B.C.2, however he
> is connected to the internal switch.
> I tried to do this
>
> route add A.B.C.2 gw A.B.C.2 dev eth0
>
> But I get "network unreachable".
>
> Before you ask: I can't connect this special computer to the same
> place I connect the linux box (which would be the obvious solution)
> because the carrier expects traffic to come from one WAN IP, owned by
> the linux box.
>
> All suggestions welcome.
Hmmm . . . what type of encryption are you doing? I assume it is not
IPSec as that should work with a one-to-one NAT.
I have never tried to use iptables in a bridging rather than routing
scenario. I do not know if it would be possible to set up the user's
computer on a separate network that speaks to a third interface on the
gateway as a bridged rather than routed network.
If it is not the act of NAT itself that breaks the packet but rather
having a different IP header address than the IP address embedded in
layer 7, I wonder if you could do something as outrageous as a double
NAT. In other words, the user lives on their own network with the
A.B.C.2 address. They are connected to the internal network through a
NAT gateway which translates A.B.C.2 into 192.168.21.2 (or whatever
fixed address you want). The Internet gateway then NATs 192.168.21.2
into A.B.C.2.
As you can probably tell, I haven't thought through any of these ideas.
They may be entirely foolhardy but just thought I'd throw out some quick
outside-the-box (every pun intended) thoughts. Good luck - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* Re: Routing problem
From: Antony Stone @ 2004-02-13 17:12 UTC (permalink / raw)
To: netfilter
On Friday 13 February 2004 4:30 pm, Carlos Fernandez Sanz wrote:
> > > Before you ask: I can't connect this special computer to the same place
> > > I connect the linux box (which would be the obvious solution) because
> > > the carrier expects traffic to come from one WAN IP, owned by the linux
> > > box.
> >
> > How do they expect you to use any of the other IPs in the pool they have
> > given you?
>
> I do use them by redirecting traffic from the linux box to the destination
> boxes (such as all trafic for public IP 2 goes to 192.168.21.2, for
> example). This works fine, *except* in this particular case, where any
> NATing is not an option. I need the computer behind the linux box to
> actually own the public address, because it signs packets with it.
I still don't understand. One of your above statements must be incorrect:
- either the ISP requires all your outgoing traffic to come from a single
public address,
- or you can send traffic from IP1, IP2, IP3 etc as you wish.
If the first is true (you have to send all traffic from just a single address)
then I don't see how you can do NAT from IP2 to 192.168.21.2, because the
reply packets going back out to the Internet are going to have the source
address (after de-NATting) of IP2 - therefore you *are* being allowed to send
from more than one public IP.
If the second is true (you can send from IP1, IP2, IP3 etc as you wish) then
as you said in the first place, you can connect the user who wants to use
some nasty protocol which embeds OSI layer 3 information into OSI layer 7
traffic to the same place as your existing Linux box and give them a real
public IP of their own.
What does your ISP claim will happen if you use more than one of your assigned
pool of IP addresses for the source address of outgoing traffic?
Antony.
--
The first fifty percent of an engineering project takes ninety percent of the
time, and the remaining fifty percent takes another ninety percent of the
time.
* Re: Routing problem
From: Scott MacKay @ 2004-02-13 17:16 UTC (permalink / raw)
To: Carlos Fernandez Sanz, netfilter
AH, I think I get what you are saying.
You have a linux doing NAT, 1 public IP on the outside
and 1 private on the inside. You also have a spare
public IP which you want to put on a client so they
can do some funky things which requires them having a
real IP address.
1 question about your statement. Where you say
"carrier expects traffic to come from one WAN IP"
kinda goes against what you implied by "public IP 2".
If you have 2 public IPs, then they cannot expect your
traffic to come from 1 WAN IP. Even if you NAT a
private address explicitly to the 2nd public IP
address that counts as 2. Do you have 1 or 2 public
IP addresses?
If you are given 2, then you should be able to do the
config mentioned, putting the client on the same side
as the router's public IP (since they are both in the
same class C). If you have 1, well you are SOL.
* Re: Routing problem
From: Carlos Fernandez Sanz @ 2004-02-14 8:41 UTC (permalink / raw)
To: Antony Stone, netfilter
I'll try to express it more clearly, since you're not the only one who
didn't get me right :-)
The link between the carrier and the linux box happens using WAN addresses,
ie. 172.x.y.1 (them) <--> 172.x.y.99 (us). All traffic is exchanged using
those two addresses - they just won't route traffic not being routed from
172.x.y.99.
We own *5* public addresses, and they route the traffic to all those
addresses via 172.x.y.99 (our router).
The router also has 192.168.21.1 on another NIC, which is connected to our
own LAN. It also has our first public address - so traffic we generate to
internet uses this public address, and traffic coming from internet goes to
this public address (being routed through the 172.x.y.z addresses).
OK, so I said we have 5 public addresses, one being used for the router for
general internet access and 4 spare.
So far, when I needed someone to have a public IP (whatever the reason), I
just said in iptables "all packets from this internal IP address goes out
using this external IP address, and all packets coming from the outside for
this external address we send to this internal IP". Works fine.
Problem is, we have a specific situation where the real IP of the computer
behind the firewall matters, because it's used as part of the signature. So
I need this computer to actually *own* the address, and have the router just
forward the traffic from one interface to the other with no NAT whatsoever.
Just for the record, our user is a SAP employee who needs to access the SAP
internal network from our office. They have a setup to allow workers to
connect from home, etc, but obviously they didn't think they could connect
from another LAN...
* Re: Routing problem
From: Carlos Fernandez Sanz @ 2004-02-14 8:47 UTC (permalink / raw)
To: Scott MacKay, netfilter
Scott,
By "carrier expects traffic to come from one WAN IP" I don't mean it has to
have that origin IP but come from a router with that IP.
Obviously they assumed that the regular setup is
Internet <----> their router <-----> our router <------> Box with IP #1 (could be a firewall) <-----> NAT
(i.e. there would be one router whose job in life is to get traffic from
their router and direct it to us)
However we are a small company and we need to have everything in one box,
i.e. the router that connects with the carrier, the firewall, the web
server, etc :-)
* Re: Routing problem
From: Antony Stone @ 2004-02-14 9:09 UTC (permalink / raw)
To: netfilter
On Saturday 14 February 2004 8:41 am, Carlos Fernandez Sanz wrote:
> The link between the carrier and the linux box happens using WAN addresses,
> ie. 172.x.y.1 (them) <--> 172.x.y.99 (us). All traffic is exchanged using
> those two addresses - they just won't route traffic not being routed from
> 172.x.y.99.
Oh, so when you say "WAN address", you actually mean another private address
(172.x.x.1), not the public address you've been assigned as part of your
pool?
I think I understand now - you're talking about the router addresses which can
talk to each other, not the source addresses of the packets being routed...
> We own *5* public addresses, and they route the traffic to all those
> addresses via 172.x.y.99 (our router).
Okay.
> The route also has 192.168.21.1 on another NIC, which is connected to our
> own LAN. It also has our first public address - so traffic we generate to
> internet uses this public address, and traffic coming from internet goes to
> this public address. (being routed through the 172.x.y.z) addresses.
What (exactly) do you mean by "It also has our first public address"? Is
that public IP assigned to one of your router's interfaces? If it is, then
simply connect the machine needing the second public IP address on it to that
interface, pointing to the first public IP as the default route. Provided
your NAT rules are only applied to what was originally 192.168.21.x traffic,
then those packets with (source address = second public IP) will simply go
through the router and work without NAT.
If, on the other hand, you don't mean that the first public IP has been
assigned to one of the interfaces on your router, then I see you have three
choices (no doubt there are others, maybe some will be suggested by people):
1. Add another interface to the router, assign it your first public IP, and
proceed as described in the paragraph above.
2. Add another interface to the machine requiring the public IP, make sure the
software running on it binds to the public IP and not the private one, and
set up a route on your router telling it "public IP number 2 can be found via
this gateway", giving it the private address of the special machine as the
gateway address.
3. Add an interface to the router and assign it some completely new IP
address, outside any of the network ranges you are currently using (eg
192.168.250.1), and create a point-to-point link to the machine requiring the
public IP (which now needs only one interface, and is assigned that public
IP, but again using a point-to-point route).
You might be able to achieve any of the above using a virtual interface
instead of a physical one, but that would be harder to debug in the event of
problems.
I hope we're getting somewhere now :)
> Just for the record, our user is a SAP employee who needs to access the SAP
> internal network from our office. They have a setup to allow workers to
> connect from home, etc, but obviously they didn't thought they could connect
> from another LAN...
Why don't they just use a VPN?
Antony.
--
In science, one tries to tell people
in such a way as to be understood by everyone
something that no-one ever knew before.
In poetry, it is the exact opposite.
- Paul Dirac
* Re: Routing problem
From: Carlos Fernandez Sanz @ 2004-02-14 15:15 UTC (permalink / raw)
To: Antony Stone, netfilter
> > The link between the carrier and the linux box happens using WAN addresses,
> > ie. 172.x.y.1 (them) <--> 172.x.y.99 (us). All traffic is exchanged using
> > those two addresses - they just won't route traffic not being routed from
> > 172.x.y.99.
>
> Oh, so when you say "WAN address", you actually mean another private address
> (172.x.x.1), not the public address you've been assigned as part of your
> pool?
Exactly. WAN is the term the carrier uses for this.
>
> I think I understand now - you're talking about the router addresses which can
> talk to each other, not the source addresses of the packets being routed...
Exactly. Those are always public IP addresses.
* Re: Routing problem
From: Carlos Fernandez Sanz @ 2004-02-14 15:19 UTC (permalink / raw)
To: Antony Stone, netfilter
(sorry, the first time it went out incomplete)
> > The link between the carrier and the linux box happens using WAN addresses,
> > ie. 172.x.y.1 (them) <--> 172.x.y.99 (us). All traffic is exchanged using
> > those two addresses - they just won't route traffic not being routed from
> > 172.x.y.99.
>
> Oh, so when you say "WAN address", you actually mean another private address
> (172.x.x.1), not the public address you've been assigned as part of your
> pool?
Exactly. WAN is the term the carrier uses for this.
>
> I think I understand now - you're talking about the router addresses which can
> talk to each other, not the source addresses of the packets being routed...
Exactly. Those are always public IP addresses.
> > The route also has 192.168.21.1 on another NIC, which is connected to our
> > own LAN. It also has our first public address - so traffic we generate to
> > internet uses this public address, and traffic coming from internet goes to
> > this public address. (being routed through the 172.x.y.z) addresses.
>
> What (exactly) do you mean by "It also has our first public address"? Is
> that public IP assigned to one of your router's interfaces? If it is,
Actually I don't have it *assigned*, because the interface where packets
come from internet has 172.x.y.99... so when anything comes to our first
public address, I DNAT it to the router private address. I guess I could 'ip
addr add' the IP instead of doing this.
> then simply connect the machine needing the second public IP address on it to
> that interface,
How? By connecting the router interface, the second machine, and the carrier
gateway to the same switch/hub? I'm not sure that would do, remember that
packets to the internet must come from the router using the 172.x.y.99
address...so the second machine and the carrier gateway can't talk to each
other directly.
Carlos.
* Re: Routing problem
From: Antony Stone @ 2004-02-14 15:38 UTC (permalink / raw)
To: netfilter
On Saturday 14 February 2004 3:19 pm, Carlos Fernandez Sanz wrote:
> > What (exactly) do you mean by "It also has our first public address"?
> > Is that public IP assigned to one of your router's interfaces? If it
> > is,
>
> Actually I don't have it *assigned*, because the interface where packets
> come from internet has 172.x.y.99... so when anything comes to our first
> public address, I DNAT it to the router private address. I guess I could
> 'ip addr add' the IP instead of doing this.
> > then simply connect the machine needing the second public IP address on it
> > to that interface,
>
> How? By connecting the router interface, the second machine, and the
> carrier gateway to the same switch/hub?
No, the router (external I/F) is connected to the carrier gateway (these are
talking to each other using 172.x.y.z). Leave these as they are and connect
nothing else to them.
Assign public IP number 1 as a second address to the router's internal
interface (alongside 192.168.21.1), and assign public IP number 2 to the
machine which is causing all the trouble. That machine is already connected
to your internal hub/switch, so therefore it can talk to the router, using
public IP number 1 as its default gateway address.
Hope this is clear now.
Why didn't the user requiring secure access to the system just use a VPN?
Antony.
--
My New Year's resolution is not to make any resolutions I can't keep.
I'm wondering whether I've failed already.
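Antony's final layout, written out as a router-side script (an added example for this thread, not code from any of the posts): public IP 1 becomes a secondary address on the internal interface, SNAT is restricted to what was originally 192.168.21.x traffic, and the special machine's packets are forwarded unchanged. The 203.0.113.x addresses stand in for the thread's A.B.C.x pool; the interface names, the /29 prefix and the third-address 1:1 mapping are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Applies Antony's suggested layout on the
# Linux router. 203.0.113.x replaces the thread's A.B.C.x public pool; eth0,
# eth1 and the /29 prefix are assumptions. DRY_RUN=1 prints the commands.

LAN_IF=eth0              # internal NIC, carries 192.168.21.1
WAN_IF=eth1              # carrier link, carries the 172.x.y.99 "WAN address"
LAN_NET=192.168.21.0/24  # private LAN that keeps using NAT
PUB1=203.0.113.1         # public IP 1: now also a secondary address on LAN_IF
PUB2=203.0.113.2         # public IP 2: owned outright by the special machine
PUB3=203.0.113.3         # public IP 3: still 1:1 NATed to a LAN host (assumed)
HOST3=192.168.21.3       # the LAN host behind PUB3 (assumed)

# Run a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

configure_router() {
  # 1. The router answers for public IP 1 on the inside, so the special
  #    machine can use 203.0.113.1 as its default gateway. Because the /29 is
  #    now a connected route on LAN_IF, replies to 203.0.113.2 are routed to
  #    the internal switch without any NAT entry.
  run ip addr add "$PUB1/29" dev "$LAN_IF"
  run sysctl -w net.ipv4.ip_forward=1

  run iptables -t nat -F
  run iptables -F FORWARD
  run iptables -P FORWARD DROP

  # 2. The existing 1:1 mapping for a spare address keeps working. Its SNAT
  #    must precede the general LAN rule below, since HOST3 is inside LAN_NET
  #    and the first matching POSTROUTING rule wins.
  run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$PUB3" \
      -j DNAT --to-destination "$HOST3"
  run iptables -t nat -A POSTROUTING -s "$HOST3" -o "$WAN_IF" \
      -j SNAT --to-source "$PUB3"

  # 3. Source NAT applies only to what was originally 192.168.21.x traffic.
  #    A packet already carrying source 203.0.113.2 does not match and leaves
  #    the router untouched, which is what the signing protocol needs.
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" \
      -j SNAT --to-source "$PUB1"

  # 4. Forwarding policy: tracked replies, the public machine in both
  #    directions, the private LAN outbound, and the 1:1 host inbound.
  run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$PUB2" -j ACCEPT
  run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$PUB2" -j ACCEPT
  run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
  run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$HOST3" -j ACCEPT
}

# "DRY_RUN=1 sh router.sh apply" previews the rules; "sh router.sh apply" applies them.
case "${1:-}" in apply) configure_router ;; esac
```

The special machine itself is configured with 203.0.113.2/29 and 203.0.113.1 as its default gateway, as Antony describes; the router's reverse-path filter is satisfied because that address lies in the /29 attached to eth0.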
* Problems with kernel 2.6.1 and iptables
From: Jan Kaastrup @ 2004-02-16 10:13 UTC (permalink / raw)
To: 'netfilter'
Hi list
I have searched Google for this error most of my weekend, and I cannot get
the answer :(
I have upgraded my kernel to 2.6.1 and made all the iptables stuff as
modules.
I can load all modules by hand perfectly, but still I get this error:
# iptables -L
iptables v1.2.9: can't initialize iptables table `filter': Table does
not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
I have reinstalled iptables and done depmod -a
I have installed module-init-tools-2.0-pre10
It seems like it cannot mount modules automatically; any ideas?
Which modules should absolutely be loaded to make iptables work?
Could it be that I am missing an
iptables-need-to-be-installed-to-make-iptables-work-for-kernel-2.6.x-packet?
Thanks a lot
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Antony Stone
Sent: 13. februar 2004 18:13
To: netfilter
Subject: Re: Routing problem
On Friday 13 February 2004 4:30 pm, Carlos Fernandez Sanz wrote:
> > > Before you ask: I can't connect this special computer to the same place
> > > I connect the linux box (which would be the obvious solution) because
> > > the carrier expects traffic to come from one WAN IP, owned by the linux
> > > box.
> >
> > How do they expect you to use any of the other IPs in the pool they have
> > given you?
>
> I do use them by redirecting traffic from the linux box to the destination
> boxes (such as all traffic for public IP 2 goes to 192.168.21.2, for
> example). This works fine, *except* in this particular case, where any
> NATing is not an option. I need the computer behind the linux box to
> actually own the public address, because it signs packets with it.
I still don't understand. One of your above statements must be incorrect:
- either the ISP requires all your outgoing traffic to come from a single
public address,
- or you can send traffic from IP1, IP2, IP3 etc as you wish.
If the first is true (you have to send all traffic from just a single address)
then I don't see how you can do NAT from IP2 to 192.168.21.2, because the
reply packets going back out to the Internet are going to have the source
address (after de-NATting) of IP2 - therefore you *are* being allowed to send
from more than one public IP.
If the second is true (you can send from IP1, IP2, IP3 etc as you wish) then
as you said in the first place, you can connect the user who wants to use
some nasty protocol which embeds OSI layer 3 information into OSI layer 7
traffic to the same place as your existing Linux box and give them a real
public IP of their own.
What does your ISP claim will happen if you use more than one of your assigned
pool of IP addresses for the source address of outgoing traffic?
Antony.
--
The first fifty percent of an engineering project takes ninety percent of the
time, and the remaining fifty percent takes another ninety percent of the
time.
* Re: Problems with kernel 2.6.1 and iptables
From: Ray Leach @ 2004-02-16 10:26 UTC (permalink / raw)
To: 'netfilter'
On Mon, 2004-02-16 at 12:13, Jan Kaastrup wrote:
> Hi list
> I have searched Google for this error most of my weekend, and I cannot get
> the answer :(
> I have upgraded my kernel to 2.6.1 and made all the iptables stuff as
> modules.
> I can load all modules by hand perfectly, but still I get this error:
> # iptables -L
> iptables v1.2.9: can't initialize iptables table `filter': Table does
> not exist (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
>
The 'filter' table does not exist by default, but the 'FILTER' table
does. Is this a user chain that you created?
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
* Re: Problems with kernel 2.6.1 and iptables
From: Antony Stone @ 2004-02-16 10:47 UTC (permalink / raw)
To: 'netfilter'
On Monday 16 February 2004 10:26 am, Ray Leach wrote:
> The 'filter' table does not exist by default, but the 'FILTER' table
> does. Is this a user chain that you created?
I think you're getting confused here about the difference between chains
and tables.
Chains are normally named in uppercase; standard ones are INPUT, OUTPUT,
PREROUTING, POSTROUTING, FORWARD. User-defined chains can of course be added.
Tables are normally named in lowercase; standard ones are filter, nat, mangle.
Adding a user-defined table is quite a significant programming task, and not
to be assumed in a reasonably standard configuration of netfilter :)
The 'filter' table should exist in any healthy netfilter install.
Regards,
Antony.
--
If at first you don't succeed, destroy all the evidence that you tried.
Please reply to the list; please don't CC me.
* Re: Problems with kernel 2.6.1 and iptables
From: Ray Leach @ 2004-02-16 11:19 UTC (permalink / raw)
To: 'netfilter'
On Mon, 2004-02-16 at 12:47, Antony Stone wrote:
> On Monday 16 February 2004 10:26 am, Ray Leach wrote:
>
> > The 'filter' table does not exist by default, but the 'FILTER' table
> > does. Is this a user chain that you created?
>
> I think you're getting confused here about the difference between chains
> and tables.
>
Thank you, you are quite correct ...
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
* Re: Problems with kernel 2.6.1 and iptables
From: Alexis @ 2004-02-16 13:18 UTC (permalink / raw)
To: Jan Kaastrup; +Cc: netfilter
You need to change some things in /etc/rc.sysinit in order for modules to
work again.
Check for /proc/ksyms in that file and change it to /proc/kallsyms.
Then do a depmod -a.
Maybe these changes could help you:
http://thomer.com/linux/migrate-to-2.6.html
Hope it helps.
--
Best regards,
Alexis mailto:alexis@attla.net.ar
* RE: Problems with kernel 2.6.1 and iptables
From: Jan Kaastrup @ 2004-02-16 14:05 UTC (permalink / raw)
To: 'Alexis'; +Cc: 'netfilter'
Hi
Thanks so much for the answer.
That did the trick.
Now the iptables modules can be loaded automatically!
I found out that it could not load the module iptable_filter.
So doing:
# modprobe iptable_filter
made it work.
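The fix this thread converges on (point rc.sysinit at /proc/kallsyms instead of /proc/ksyms, run depmod -a, then modprobe the module that registers the missing table) and Antony's table/chain distinction, as an added POSIX shell example that is not from the thread or from the netfilter project: the function names and the sample lsmod text are constructed, and the table-to-module mapping covers only the three standard tables Antony lists (filter, nat, mangle). The checks take their input as arguments rather than reading the live /proc files, so they can be exercised on any machine.

```shell
#!/bin/sh
# Added example, not from the thread; helper names and sample input are constructed.

# rc.sysinit written for 2.4 reads /proc/ksyms; 2.6 replaced it with
# /proc/kallsyms, the edit Alexis recommends above.
ksyms_path_for_kernel() {           # $1 = kernel release, e.g. "2.6.1"
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 6 ]; }; then
        echo /proc/kallsyms
    else
        echo /proc/ksyms
    fi
}

# With a modular build each lowercase table is registered by its own module;
# the uppercase chains (INPUT, FORWARD, ...) arrive with that module.
module_for_table() {                # $1 = table name; fails for unknown tables
    case "$1" in
        filter|nat|mangle) echo "iptable_$1" ;;
        *) return 1 ;;
    esac
}

# Print the names from the argument list that do not appear in lsmod output.
missing_modules() {                 # $1 = lsmod output, $2.. = module names
    loaded=$1; shift
    for m in "$@"; do
        printf '%s\n' "$loaded" | awk 'NR > 1 { print $1 }' | grep -qx "$m" \
            || printf '%s\n' "$m"
    done
}

# /proc/net/ip_tables_names lists every registered table, one per line; an
# empty list is exactly the state behind "Table does not exist".
diagnose_table() {                  # $1 = table name, $2 = ip_tables_names text
    if printf '%s\n' "$2" | grep -qx "$1"; then
        echo "table $1 is registered"
    else
        mod=$(module_for_table "$1") || mod="(no known module)"
        echo "table $1 missing: modprobe $mod"
    fi
}
# Constructed sample: ip_tables loaded by hand, but no table module yet.
SAMPLE_LSMOD='Module                  Size  Used by
ip_tables              16384  0'
diagnose_table filter ""            # constructed: ip_tables_names is empty
missing_modules "$SAMPLE_LSMOD" ip_tables iptable_filter iptable_nat
ksyms_path_for_kernel 2.6.1
```

On a real box, feed `diagnose_table` the contents of /proc/net/ip_tables_names and `missing_modules` the output of lsmod; if the table is reported missing, the printed modprobe line is the one Jan ran to resolve the error.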
Thread overview: 18+ messages
2004-02-13 15:39 Routing problem Carlos Fernandez Sanz
2004-02-13 15:50 ` Antony Stone
2004-02-13 16:30 ` Carlos Fernandez Sanz
2004-02-13 17:12 ` Antony Stone
2004-02-14 8:41 ` Carlos Fernandez Sanz
2004-02-14 9:09 ` Antony Stone
2004-02-14 15:15 ` Carlos Fernandez Sanz
2004-02-14 15:19 ` Carlos Fernandez Sanz
2004-02-14 15:38 ` Antony Stone
2004-02-16 10:13 ` Problems with kernel 2.6.1 and iptables Jan Kaastrup
2004-02-16 10:26 ` Ray Leach
2004-02-16 10:47 ` Antony Stone
2004-02-16 11:19 ` Ray Leach
2004-02-16 13:18 ` Alexis
2004-02-16 14:05 ` Jan Kaastrup
2004-02-13 17:16 ` Routing problem Scott MacKay
2004-02-14 8:47 ` Carlos Fernandez Sanz
2004-02-13 16:53 ` John A. Sullivan III