* ICMP traffic + iproute + tunnel problems
From: Bart Matthaei @ 2004-05-19 21:11 UTC
To: netfilter
Hi All,
I have the following problem:
I have a tunnel between my home router and my colocated machine.
I use source routing (iproute) to route all traffic coming from my home
network (public ipspace) over the tunnel.
Everything works fine. But when a user traceroutes a host in my home
network, or sends traffic to an unreachable host, all ICMP replies are
coming from the ip address of my cable connection (eth0), which is still
the default route on the home router itself.
I don't want to change the default route to my tunnel for various reasons I
don't want to explain here.
217.170.2.120/29 is my home network.
217.170.2.119 is my local tunnel endpoint.
217.170.2.118 is my remote tunnel endpoint.
I've tried the following:
# this catches all traffic traveling out from eth0 which was originated
# from the tunnel.
iptables -A OUTPUT -t mangle -m conntrack --ctorigdst 217.170.2.120/29 -o eth0 -j MARK --set-mark 1
# This sends all the marked packets to routing table 2. I've also added
# 'nat 217.170.2.119', but it doesn't fix things.
ip ru add fwmark 1 table 2
# This sends the traffic through the tunnel
ip ro add default via 217.170.2.118 dev tunnel src 217.170.2.119 table 2
Ok, all of this works. Except for one thing; the source isn't altered.
So the packets are sent through the tunnel, but the source address is still
the eth0 ip, which can't be routed through the tunnel.
The only logical alternative is SNAT on the OUTPUT chain, which isn't
possible with netfilter at this point.
Is there another way to do this?
Regards,
Bart Matthaei
--
Bart Matthaei bart@dreamflow.nl
Sometimes a cigar is just a cigar.
-- Sigmund Freud
* Re: ICMP traffic + iproute + tunnel problems
From: Antony Stone @ 2004-05-19 21:33 UTC
To: netfilter
On Wednesday 19 May 2004 10:11 pm, Bart Matthaei wrote:
> Hi All,
>
> I have the following problem:
>
> I have a tunnel between my home router and my colocated machine.
> I use source routing (iproute) to route all traffic coming from my home
> network (public ipspace) over the tunnel.
>
> Everything works fine. But when a user traceroutes a host in my home
> network, or sends traffic to an unreachable host, all ICMP replies are
> coming from the ip address of my cable connection (eth0), which is still
> the default route on the home router itself.
I don't see that the result could be any different, since the source of the
packets going back to the external address really is your cable connection on
eth0 - not an internal address which can be used to match any source-routing
rule.
If someone pings (or telnets, or whatever) an unreachable host on your network
(or should that be an unreachable host not on your network...?), then the
host itself obviously cannot send back a response - it is the upstream router
which does this, and the source address of the response it sends is that of
its own external interface.
Maybe you should block incoming traceroutes (ie don't send back TTL exceeded
ICMP responses), and be selective about what other ICMP responses you allow
back (such as host / port / network unreachable)?
Regards,
Antony.
--
Bill Gates has personally assured the Spanish Academy that he will never allow
the upside-down question mark to disappear from Microsoft word-processing
programs, which must be reassuring for millions of Spanish-speaking people,
though just a piddling afterthought as far as he's concerned.
- Lynne Truss, "Eats, Shoots and Leaves"
Please reply to the list;
please don't CC me.
* Re: ICMP traffic + iproute + tunnel problems
From: Bart Matthaei @ 2004-05-19 22:03 UTC
To: netfilter
On Wed, May 19, 2004 at 10:33:27PM +0100, Antony Stone wrote:
> On Wednesday 19 May 2004 10:11 pm, Bart Matthaei wrote:
>
> > Hi All,
> >
> > I have the following problem:
> >
> > I have a tunnel between my home router and my colocated machine.
> > I use source routing (iproute) to route all traffic coming from my home
> > network (public ipspace) over the tunnel.
> >
> > Everything works fine. But when a user traceroutes a host in my home
> > network, or sends traffic to an unreachable host, all ICMP replies are
> > coming from the ip address of my cable connection (eth0), which is still
> > the default route on the home router itself.
>
> I don't see that the result could be any different, since the source of the
> packets going back to the external address really is your cable connection on
> eth0 - not an internal address which can be used to match any source-routing
> rule.
>
> If someone pings (or telnets, or whatever) an unreachable host on your network
> (or should that be an unreachable host not on your network...?), then the
> host itself obviously cannot send back a response - it is the upstream router
> which does this, and the source address of the response it sends is that of
> its own external interface.
>
> Maybe you should block incoming traceroutes (ie don't send back TTL exceeded
> ICMP responses), and be selective about what other ICMP responses you allow
> back (such as host / port / network unreachable)?
Ok. So it isn't possible to isolate certain icmp packets (which I already
did with the MARK trick) and send them with an alternative source address?
Cheers,
Bart
--
Bart Matthaei bart@dreamflow.nl
Sometimes a cigar is just a cigar.
-- Sigmund Freud
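The behaviour the thread describes (the marked packets do reach table 2 and the tunnel, yet keep the eth0 source) comes down to when the source address is chosen relative to when the mark is set. The following is an added example, not code from the thread: a small Python model of rule-ordered table lookup with longest-prefix match and the semantics of the `src` hint on a route, using the 217.170.2.x addresses the poster gives. The cable-side addresses 203.0.113.x, the remote host 198.51.100.7 and the interface name eth1 are constructed placeholders, and the model assumes that a kernel-generated ICMP error has its source fixed by the first routing lookup, before the mangle OUTPUT mark causes the re-route.

```python
"""Toy model of Linux policy routing (ip rule / ip route) with the 'src' hint.

Added example, not code from the thread. The 217.170.2.x addresses are the
poster's; cable-side addresses, the remote host and eth1 are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses quoted in the thread
HOME_NET = "217.170.2.120/29"
TUNNEL_LOCAL = "217.170.2.119"
TUNNEL_REMOTE = "217.170.2.118"
# Constructed placeholders for the cable connection (not in the thread)
ETH0_ADDR = "203.0.113.10"
ETH0_GW = "203.0.113.1"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None
    src: Optional[str] = None  # 'ip route ... src X': a preference, not a rewrite


@dataclass
class Rule:
    priority: int
    table: int
    fwmark: Optional[int] = None  # None: the rule has no fwmark selector


@dataclass
class Packet:
    dst: str
    src: Optional[str] = None  # None: no source chosen yet
    mark: int = 0


# Primary address per interface, used when neither packet nor route supplies one
IFACE_ADDR = {"eth0": ETH0_ADDR, "tunnel": TUNNEL_LOCAL, "eth1": "217.170.2.121"}

# Table 2 mirrors 'ip ro add default via 217.170.2.118 dev tunnel src 217.170.2.119 table 2';
# table 254 (main) holds the home network and the cable default route.
TABLES = {
    2: [Route(ipaddress.ip_network("0.0.0.0/0"), "tunnel", via=TUNNEL_REMOTE, src=TUNNEL_LOCAL)],
    254: [
        Route(ipaddress.ip_network(HOME_NET), "eth1"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", via=ETH0_GW),
    ],
}

# 'ip ru add fwmark 1 table 2', ahead of the default rule that consults main.
RULES = [Rule(100, 2, fwmark=1), Rule(32766, 254)]


def lookup(pkt: Packet) -> Route:
    """Walk the rules in priority order; in each selected table do a
    longest-prefix match. A table with no matching route falls through."""
    dst = ipaddress.ip_address(pkt.dst)
    for rule in sorted(RULES, key=lambda r: r.priority):
        if rule.fwmark is not None and rule.fwmark != pkt.mark:
            continue
        candidates = [r for r in TABLES.get(rule.table, []) if dst in r.prefix]
        if candidates:
            return max(candidates, key=lambda r: r.prefix.prefixlen)
    raise LookupError(f"no route to {pkt.dst}")


def select_source(pkt: Packet, route: Route) -> str:
    """The 'src' hint only applies while the packet has no source; a source
    already placed in the header is left alone (changing it would be NAT)."""
    if pkt.src is not None:
        return pkt.src
    if route.src is not None:
        return route.src
    return IFACE_ADDR[route.dev]


def route_packet(pkt: Packet) -> dict:
    route = lookup(pkt)
    return {"dev": route.dev, "via": route.via, "src": select_source(pkt, route)}


def icmp_error_with_mark(remote: str = "198.51.100.7") -> dict:
    """The poster's setup as modelled here: the router generates an ICMP error
    towards a remote host, routes it (no mark yet) and so fixes its source;
    mangle OUTPUT then sets mark 1 and the packet is re-routed via table 2."""
    err = Packet(dst=remote)      # kernel-generated, source not chosen yet
    first = route_packet(err)     # main table -> eth0, source = eth0 address
    err.src = first["src"]        # header now carries the eth0 address
    err.mark = 1                  # MARK --set-mark 1 in the mangle OUTPUT chain
    return route_packet(err)      # re-route: tunnel, but the source is unchanged


def fresh_marked_packet(remote: str = "198.51.100.7") -> dict:
    """Contrast: a packet that carries the mark before its source is chosen
    is routed by table 2 from the start and does receive the 'src' hint."""
    return route_packet(Packet(dst=remote, mark=1))


if __name__ == "__main__":
    print("ICMP error after MARK:", icmp_error_with_mark())
    print("fresh marked packet:  ", fresh_marked_packet())
```

Run directly to see both cases: `icmp_error_with_mark()` comes out as dev tunnel with the eth0 source, which is the result Bart reports, while a packet that is marked before its source is chosen gets 217.170.2.119 from the hint. Replacing a source that is already in the header is a NAT operation rather than a routing decision, which is the point Bart reaches when he brings up SNAT.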