Re: Wrong routing when combining ip rule with SNAT

[Nikolaus Rath <Nikolaus@rath.org>]

On 09/14/2013 06:41 AM, Pascal Hambourg wrote:
> Vigneswaran R a écrit :
>> Hello Nikolaus,
>>
>> I have a doubt. It seems, rath of ebox is assigned with IP address in 
>> the range 192.168.12.0/24. However, IP address of vostro seems to be 
>> 192.168.17.47 (assuming /24). Ebox doesn't have any route to this range. 
>> So it try to use default route via eth0.
> 
> Correct.
> 
>> What I assume is, 'vostro' has IP addresses in (atleast) two ranges 
>> (192.168.12.0/24, 192.168.17.0/24). In the default routing table, the 
>> src IP is set to 192.168.12.x (for the packets originating from vostro). 
>> However, the 'tovpn' table didn't specify the src IP. So, when the 
>> 'tovpn' table is being used, the packets may have got the src IP as 
>> 192.168.17.x.
>>
>> I think, you can avoid this by explicitly specifying the src IP when 
>> adding the route to 'tovpn' table,
>>
>>      ip route add default via 192.168.12.1 src 192.168.12.x table tovpn
> 
> This won't work. It's too late. The source address has already been
> selected by the TCP layer when the packet was created and won't be
> changed when the packet is re-routed due to the mark.

I see. Out of curiosity: how is the source address selected when the
packet is created, and in which situation would the source entry in the
routing table become effective?

> Possible workarounds :
> - Add a route on ebox to let it know that 192.168.17.47 is reachable
> through rath. My favourite choice.

Yes, that would be the simplest solution. But the problem is that this
address varies depending how and where vostro got its connectivity. Or
did you mean something other than a static extra route?

> - Use SNAT to the address of the output interface on vostro.

Sounds ugly...

> - Use connection mark (connmark) by iptables on ebox so that replies to
> original packets received on a given interface are forwarded to the same
> interface.

I guess I'll try this. Could you give some more details? I'm not sure
how to create a rule that *changes* the outgoing interface.



Best,

   -Nikolaus

-- 
 »Time flies like an arrow, fruit flies like a Banana.«

  PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6  02CF A9AD B7F8 AE4E 425C