* [LARTC] A little problem with Split access?
@ 2002-10-21 15:30 Sean Oh
  2002-10-28  6:00 ` Martin A. Brown
  0 siblings, 1 reply; 2+ messages in thread
From: Sean Oh @ 2002-10-21 15:30 UTC (permalink / raw)
  To: lartc
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] A little problem with Split access?
  2002-10-21 15:30 [LARTC] A little problem with Split access? Sean Oh
@ 2002-10-28  6:00 ` Martin A. Brown
  0 siblings, 0 replies; 2+ messages in thread
From: Martin A. Brown @ 2002-10-28  6:00 UTC (permalink / raw)
  To: lartc

Sean,

 : But the problem is that the hosts in the local network (192.168.0.x)
 : can not access the ip addresses of 211.x.x.155(eth2) and
 : 218.x.x.20(eth1), even though ip forwarding is turned on. It can only
 : ping and access via 192.168.0.1(IP of eth0)

There are a few things you can/should do to try to determine what's 
happening to your packets.  I think you have been bitten by the multiple 
routing tables gotcha!  For the record, your iptables and most of 
your ip route commands are just fine.  Let's take a closer look at your 
routing tables, though.

All is well in the main routing table:

 : [root@www root]# ip route show
 : 211.x.x.128 dev eth2  scope link  src 211.x.x.155
 : 218.x.x.0 dev eth1  scope link  src 218.x.x.20
 : 211.x.x.128/25 dev eth2  scope link
 : 192.168.0.0/24 dev eth0  scope link
 : 218.x.x.0/24 dev eth1  scope link
 : 127.0.0.0/8 dev lo  scope link
 : default via 211.x.x.129 dev eth2

But here, your ancillary routing tables only know of destinations on the 
greater Internet.  Each of these routing tables needs to know that 
192.168.0.0/24 is reachable via eth0.  Neither table has been populated 
this way.

 : [root@www root]# ip route show table SI
 : 211.x.x.128 dev eth2  scope link  src 211.x.x.155
 : default via 211.x.x.129 dev eth2
 :
 : [root@www root]# ip route show table KT
 : 218.x.x.0 dev eth1  scope link  src 218.x.x.20
 : default via 218.x.x.1 dev eth1

That wouldn't be the end of the world except that you add these rules:

 : /sbin/ip rule add from 211.x.x.155 table SI
 : /sbin/ip rule add from 218.x.x.20 table KT

So, you can either add routes for 192.168.0.0/24 to tables SI and KT or 
you can add another rule to handle all traffic bound for 192.168.0.0/24.

Here's the ip rule solution, which will need to be the last rule added to 
your RPDB:

# ip rule add to 192.168.0.0/24 lookup main

Here's a simple script to run when creating ancillary routing tables:

 - after creating the routing table in main
 - before adding the default route to the new table

Here's a bash snippet which will copy the main routing table to table 
SI for you:

# ip route show table main | grep -Ev ^default \
>   | while read ROUTE ; do
>     ip route add table SI $ROUTE
> done

Good luck,

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
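
An added example, not part of Martin's message: a dry-run companion to the copy loop above that compares "ip route show" output for the main table and an ancillary table and prints the "ip route add" commands for the routes the ancillary table lacks. The function names and all addresses (RFC 5737 documentation prefixes) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). All routes below are constructed
# sample data using RFC 5737 documentation prefixes.

# missing_routes MAIN_TEXT TABLE_TEXT
# Print "PREFIX dev DEVICE" for every non-default route that appears in
# MAIN_TEXT ("ip route show table main" output) but not in TABLE_TEXT.
missing_routes() {
    { printf '%s\n' "$2"; echo '@@'; printf '%s\n' "$1"; } | awk '
        # Return the interface named after the "dev" keyword, or "".
        function devof(   i) {
            for (i = 2; i < NF; i++) if ($i == "dev") return $(i + 1)
            return ""
        }
        $0 == "@@"                 { in_main = 1; next }  # separator: table text ends
        NF == 0 || $1 == "default" { next }               # defaults differ per table
        { d = devof(); if (d == "") next; k = $1 " " d }  # skip routes with no device
        !in_main                   { have[k] = 1; next }  # remember ancillary routes
        !(k in have)               { print $1 " dev " d } # main route the table lacks
    '
}

# fix_commands TABLE_NAME MAIN_TEXT TABLE_TEXT
# Dry run: print, but do not execute, the commands that would fill the gaps.
fix_commands() {
    missing_routes "$2" "$3" | while read -r route; do
        printf 'ip route add table %s %s\n' "$1" "$route"
    done
}

# Constructed main table, laid out like the one quoted in the thread.
MAIN_ROUTES='198.51.100.128/25 dev eth2  scope link
192.168.0.0/24 dev eth0  scope link
203.0.113.0/24 dev eth1  scope link
127.0.0.0/8 dev lo  scope link
default via 198.51.100.129 dev eth2'

# Constructed ancillary table that only knows its own uplink.
SI_ROUTES='198.51.100.128/25 dev eth2  scope link  src 198.51.100.155
default via 198.51.100.129 dev eth2'

fix_commands SI "$MAIN_ROUTES" "$SI_ROUTES"
```

On a live router the two text arguments would come from "ip route show table main" and "ip route show table SI".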








