Re[2]: [LARTC] Policy routing and strange packets traversing.

From: Tomasz Wrona <lartc@eter.tym.pl>
To: lartc@vger.kernel.org
Subject: Re[2]: [LARTC] Policy routing and strange packets traversing.
Date: Sun, 02 Mar 2003 14:14:48 +0000	[thread overview]
Message-ID: <marc-lartc-104661449018562@msgid-missing> (raw)

Hi Julian,

niedziela, 2 marca 2003, you wrote:
    OK, I overlooked it

>> > > 30:     from all to 1.1.1.29 lookup 1
>> > > 30:     from all to 2.2.2.65 lookup 2
>>
>> OK, but I process main table after all manual typed rules... but never
>> mind its not issue ;)

JA>         It is not good to put table main after other rules, it can
JA> be used only to override route in table main. For example, why
JA> traffic from 1.1.1.29 to some internal IP should go to the ISP
JA> gateway (table 1)?

In fact I have additional rules for directing traffic ie. directing
LAN destined traffic to main table with HI prio.:

9:      from all to 192.168.0.0/17 lookup main

..but I didnt want to blur my problem with unrelated rules so I missed
it.
Though You could be right and maybe my setup isn't optimal so I try to
revise my config.

>> Hmmm... I  cant understand what has netfilter to do with "iif" parameter ?
>> What I want to achieve is to catch all incoming traffic on eth1..

JA>         There are some places that can use output rerouting where
JA> the iif parameter is ignored. And second, the normal kernel relies
JA> on the routing cache to keep persistence for each NAT connection to
JA> its selected nexthop. There is no guarantee that it will work for the
JA> whole connection life.

When I used it looked that it works the same fashion when I missed
"iif" parameter.
But there is other matter what You wrote below...

JA>         It does not work all the time.
>> > http://www.ssi.bg/~ja/#routes
>> >
>> > dgd-usage.txt contains example for rules and routes you can use.
>>
>> Hmm... Maybe I am wrong but It's related to NAT multiple gateways on
>> single interface not on different what I have...

JA>         Not exactly true, it is related to making sure each NAT
JA> conn is bound to its allowed path(s), no matter how many interfaces
JA> are used. Selecting different nexthop should be allowed only if
JA> it is alternative allowed from the routing rules.

>> There shouldn't be problem what I read in this article.

JA>         Then why you see traffic to the wrong gateway?

Hey ! You are absolutely right ! I reviewed all Your docs from Your
website also applied suitable patch and it works what expected now,
without spoofed ruting. Great!

It's extremally usefull documentation [dgt-usage.txt, nano.txt], it really explain routing flow.
I didnt find such a important info even in core adv. routing and iproute
documentation...

It would be fine to visualize it like ie. "iptables flow" because it's
not very obvious knowledge and a bit hard to understand.

BTW. I also used patch for 2.4.x kernel to enable "equalize"
parameter [witch parameter doesnt work at all] but this patch and "routes" patch
from Your websitee do not apply together.. only one of them
works.

Again Thank You very much :)
tw
--

mailto:lartc@eter.tym.pl
-----------
 ck.eter.tym.pl

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/