From: "Martin A. Brown" <mabrown-lartc@securepipe.com>
To: lartc@vger.kernel.org
Subject: RE: [LARTC] ipchains iproute2 and port based routing
Date: Wed, 09 Oct 2002 20:28:00 +0000
Message-ID: <marc-lartc-103419536822999@msgid-missing>
In-Reply-To: <marc-lartc-103416308716008@msgid-missing>
Hi again, Marco,
: Before every new try I did an ipchains -F - there were no other chains.
Got it.
: Okay, it seems there is a problem. In this DENY chain I get, after every
: ping, 4 more packets (one ping - 4 tries).
: It seems ipchains denies the incoming icmp packets on eth2. But why?
: I tried also to specify the source ip with some other chains, and it is
: the packet, that comes from the host 62.154.89.102 - exactly the packet
: I am waiting for.
:
: An ipchains -nML shows an open masq connection to the host I ping'd:
:
: IP masquerading entries
: prot expire source destination ports
: ICMP 00:57.85 192.168.0.31 62.154.89.102 512 (61009) -> 8
All is well.
: 0: from all lookup local
: 32765: from all fwmark 2 lookup 10
: 32766: from all lookup main
: 32767: from all lookup 253
:
: there is a timeout. It shows me that the marking of packets works and the ip
: rules can see the marked packets.
Looks right.
: >By the way, you are using "ip route flush cache" every time you make
: >changes to the routing tables/RPDB, right?
:
: Yes, I do.
This is just a common problem--so I wanted to ask.
: >Aigh! I think I may have spotted the problem.
: >Your routing table number 10 doesn't know anything about 192.168.0.0/24
: >does it?
: >Make sure that each routing table has routes for the destinations it is
: >supposed to be able to reach!
: > : ipchains -A input -p icmp -s 192.168.0.0/24 -m 2
: > : ip ru add fwmark 2 table 10
: > : ip route add default via x.x.x.x dev eth2 table 10
: > : ipchains -A forward -s 192.168.0.0/24 -j MASQ
: > : * x.x.x.x is the default gateway!
: Well, if I look into the rules table I see:
: 0: from all lookup local
: 32765: from all fwmark 2 lookup 10
: 32766: from all lookup main
: 32767: from all lookup 253
<I snipped much of your mail with which I agree>
: But okay. This is not the problem.
: It seems that ipchains DENYs this packet. But why?
:
: Here is an ipchains -L:
: Chain input (policy ACCEPT):
: target prot opt    source          destination   ports
: -      icmp ------ 192.168.0.0/24  anywhere      any -> any
: DENY   all  ----l- anywhere        anywhere      n/a
: Chain forward (policy DENY):
: target prot opt    source          destination   ports
: MASQ   all  ------ 192.168.0.0/24  anywhere      n/a
: Chain output (policy ACCEPT):
I was suggesting the "ipchains -A input -j DENY -l" chain to make sure
that any packet passing through is explicitly logged and dropped instead
of implicitly. I'm sure you'll see lots of DENY traffic in your
/var/log/messages when using this rule, and things definitely won't work.
Sorry if that was at all unclear--this was intended as a diagnosing tool.
: The deny chain is your chain to monitor :)
: Without it (the deny chain) it is exactly the same situation.
: Why does ipchains deny this incoming packet on eth2?
It doesn't look to me like the input chain is your problem, but rather
your forward chain. The default policy is deny. Try changing that to
allow specifically what you want to allow.
You could always try that very same diagnosing ipchains rule in your
forward chain, i.e. "ipchains -A forward -j DENY -l". Then you'll see
that the de-masqueraded packet is denied passing through the forward
chain. (At least that's my guess....)
This, of course, is the beauty of using iptables--much less worrying with
iptables rules than with ipchains rules (in general), but you are using
kernel 2.2.19, I believe, so iptables is not an option for you.
Let us know how you fare,
-Martin
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
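Added example (not code from the thread): the policy-routing and ipchains layout Martin's reply recommends, put together as one script, with the diagnostic log-and-deny rule placed last. It assumes the LAN is 192.168.0.0/24 on eth0, the second uplink is eth2 with gateway x.x.x.x, and table 10 carries fwmark 2; by default it only prints the commands, and runs them (as root) when APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread. Default is to print the commands;
# APPLY=1 executes them (requires root and a 2.2 kernel with ipchains).
LAN_NET=${LAN_NET:-192.168.0.0/24}   # assumption: LAN subnet
LAN_IF=${LAN_IF:-eth0}               # assumption: LAN interface
ALT_IF=${ALT_IF:-eth2}               # second uplink, as in the thread
ALT_GW=${ALT_GW:-x.x.x.x}            # placeholder: the eth2 default gateway
MARK=2
TABLE=10

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

policy_routing() {
    # Table 10 must hold a route for every destination it may be asked
    # about, including the LAN itself, not just a default route.
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$TABLE"
    run ip route add default via "$ALT_GW" dev "$ALT_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
    # RPDB and table changes are not seen until the route cache is flushed.
    run ip route flush cache
}

firewall() {
    run ipchains -F
    # Mark LAN-originated ICMP so the fwmark rule routes it via table 10.
    run ipchains -A input -p icmp -s "$LAN_NET" -m "$MARK"
    # Forward chain: explicit DENY policy, then allow only what should pass.
    run ipchains -P forward DENY
    run ipchains -A forward -s "$LAN_NET" -j MASQ
    # Diagnostic, last in the chain: anything not matched above is logged
    # (the 'l' flag) to /var/log/messages and dropped, instead of vanishing
    # silently into the chain policy.
    run ipchains -A forward -j DENY -l
}

policy_routing
firewall
```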