* [LARTC] tables and default
@ 2004-08-01 15:51 Sandro Dentella
  2004-08-02  2:21 ` Martin A. Brown
  2004-08-02 11:06 ` Sandro Dentella
  0 siblings, 2 replies; 3+ messages in thread
From: Sandro Dentella @ 2004-08-01 15:51 UTC (permalink / raw)
  To: lartc

I already set up several 2-gateway boxes, with rules to decide which LAN
should use which gateway.

Now I'm stuck with a simpler problem. At home I was just making some
experimental setup:

  *  1 adsl (ppp0)
  *  1 more table in rt_tables (200 ping) called "bluff"
  *  table 'bluff' *has not* a default route

       root@fw-eden root # ip ro li table bluff
       192.168.5.0/24 dev eth1  scope link 

  *  ip rule add from 192.168.5.2 table bluff prio 50

       root@fw-eden root # ip ru li
       0:      from all lookup local 
       50:     from 192.168.5.0/24 lookup bluff 
       32766:  from all lookup main 
       32767:  from all lookup default 


Now I would think that pinging from  192.168.5.2 outside the LAN should not
work and in fact:

    root@fw-eden root # ip ro get 62.207.143.51 from 192.168.5.2
    RTNETLINK answers: Invalid argument

but if I try I can flawlessly get out. Is this related to SNAT? In my opinion
that should come afterwards since SNAT is in the POSTROUTING chain.

Any hints?  TYA
sandro
*:-)


-- 
Sandro Dentella  *:-)
e-mail: sandro@e-den.it 
http://www.tksql.org                    TkSQL Home page - My GPL work
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] tables and default
From: Martin A. Brown @ 2004-08-02  2:21 UTC (permalink / raw)
  To: lartc

Hello Sandro,

 :   *  1 adsl (ppp0)
 :   *  1 more tables in rt_tables (200 ping) called "bluff"

All OK!

 :   *  table 'bluff *has not* a default route

This is the problem.

 :        root@fw-eden root # ip ro li table bluff
 :        192.168.5.0/24 dev eth1  scope link
 :
 :   *  ip rule add from 192.168.5.2 table bluff prio 50
 :
 :        root@fw-eden root # ip ru li
 :        0:      from all lookup local
 :        50:     from 192.168.5.0/24 lookup bluff
 :        32766:  from all lookup main
 :        32767:  from all lookup default
 :
 : Now I would think that pinging from 192.168.5.2 outside the LAN
 : should not work and in fact:
 :
 :     root@fw-eden root # ip ro get 62.207.143.51 from 192.168.5.2
 :     RTNETLINK answers: Invalid argument
 :
 : but if I try I can flawlessly get out.

First thing--I don't know why you are seeing this error from 'ip
route get'.  This should return the real route chosen.  You could
always try the ping and then check the route cache.  This should
help you identify the actual route chosen.

Here's what's happening.

  - kernel gets packet and needs to select a route
  - according to rule 0, we look up in table local
  - perform route lookup in table local--no match!
  - according to rule 50, we look up in table bluff
  - perform route lookup in table local--no match!
  - according to rule 32767, we look up in table main
  - perform route lookup in table main-- MATCH!
  - route packet out default gateway

If you add a route to table bluff as follows, you should effectively
prevent 192.168.5.0/24 from reaching any network other than
192.168.5.0/24.

  ip route add blackhole default table bluff

Now, any packets addressed from 192.168.5.0/24 will be blackholed.
This may not be quite what you desire, particularly if packets
addressed from 192.168.5.0/24 are created by your own router, so you
could always say:

  ip rule del prio 50 from 192.168.5.0/24 table bluff
  ip rule add prio 50 from 192.168.5.0/24 iif eth1 table bluff

Then again, you don't describe your network completely, so I could
be steering you wrong here.

And by the way, unless you have some very strange (but not
inconceivable) routes on your hosts inside the 192.168.5.0/24
network, you won't need to specify the route

  192.168.5.0/24 dev eth1  scope link

in table bluff.

 : Is this related to SNAT? In my opinion that should come
 : afterwards since SNAT is in the POSTROUTING chain.

Nope!  No SNAT problem here!

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
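A constructed Python model of the rule/table walk Martin describes above, added here as an illustration (it is not code from the thread or from the kernel): rules are tried in priority order, a table with no matching route falls through to the next rule, and a matching blackhole route ends the search. It encodes Sandro's rules and tables, then applies Martin's two fixes; the router's own address 192.168.5.1 is an assumption.

```python
import ipaddress

# Simplified model of the Linux routing policy database (RPDB): rules are
# tried in priority order, each rule selects a table, a table is searched by
# longest prefix match, and a table with no matching route falls through to
# the next rule. Addresses come from the thread; the router's own address
# 192.168.5.1 is an assumption made for this example.

def lookup(table, dst):
    """Longest-prefix match of dst in one table; None when nothing matches."""
    best = None
    for prefix, nexthop in table.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def route(rules, tables, dst, src, iif=None):
    """Return (table, nexthop) for a packet, or ('unreachable', None)."""
    dst, src = ipaddress.ip_address(dst), ipaddress.ip_address(src)
    for prio, sel, want_iif, name in sorted(rules):
        if sel and src not in ipaddress.ip_network(sel):
            continue                  # rule's 'from' selector does not match
        if want_iif and iif != want_iif:
            continue                  # 'iif' rule: locally generated traffic skips it
        nexthop = lookup(tables[name], dst)
        if nexthop is not None:
            return (name, nexthop)    # 'blackhole' is terminal: the kernel drops the packet
    return ("unreachable", None)      # every table missed

def setup(blackhole=False, iif_rule=False):
    """Sandro's rules/tables, optionally with Martin's two fixes applied."""
    rules = [(0, None, None, "local"),
             (50, "192.168.5.0/24", "eth1" if iif_rule else None, "bluff"),
             (32766, None, None, "main"), (32767, None, None, "default")]
    tables = {"local": {"192.168.5.1/32": "local"},
              "bluff": {"192.168.5.0/24": "dev eth1"},
              "main": {"192.168.5.0/24": "dev eth1", "0.0.0.0/0": "dev ppp0"},
              "default": {}}
    if blackhole:
        tables["bluff"]["0.0.0.0/0"] = "blackhole"  # ip route add blackhole default table bluff
    return rules, tables

if __name__ == "__main__":
    for kw in ({}, {"blackhole": True}, {"blackhole": True, "iif_rule": True}):
        rules, tables = setup(**kw)
        print(kw, "host:", route(rules, tables, "62.207.143.51", "192.168.5.2", iif="eth1"),
              "router:", route(rules, tables, "62.207.143.51", "192.168.5.1"))
```

Without the blackhole route the LAN host's packet falls through to main and leaves via ppp0; with it the lookup stops in bluff, and the iif variant keeps the router's own traffic on main.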


* Re: [LARTC] tables and default
From: Sandro Dentella @ 2004-08-02 11:06 UTC (permalink / raw)
  To: lartc

> First thing--I don't know why you are seeing this error from 'ip
> route get'.  This should return the real route chosen.  You could
> always try the ping and then check the route cache.  This should
> help you identify the actual route chosen.
> 
> Here's what's happening.
> 
>   - kernel gets packet and needs to select a route
>   - according to rule 0, we look up in table local
>   - perform route lookup in table local--no match!
>   - according to rule 50, we look up in table bluff
>   - perform route lookup in table local--no match!
>   - according to rule 32767, we look up in table main
>   - perform route lookup in table main-- MATCH!
>   - route packet out default gateway
> 
> If you add a route to table bluff as follows, you should effectively
> prevent 192.168.5.0/24 from reaching any network other than
> 192.168.5.0/24.
> 
>   ip route add blackhole default table bluff

thanks a lot for the explanation. This definitely solved my doubts. The only
remaining problem is the 'ip route get' error. I'm sure that at some moments
yesterday I could get an answer; now it always gives errors, independent of
the rule set...

sandro
*:-)


-- 
Sandro Dentella  *:-)
e-mail: sandro@e-den.it 
http://www.tksql.org                    TkSQL Home page - My GPL work
