Re: [LARTC] multiple uplinks/iptables -t nat -PREROUTING funny

From: "Martin A. Brown" <mabrown-lartc@securepipe.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] multiple uplinks/iptables -t nat -PREROUTING funny
Date: Sat, 12 Apr 2003 19:08:07 +0000	[thread overview]
Message-ID: <marc-lartc-105017456810787@msgid-missing> (raw)
In-Reply-To: <marc-lartc-105004797308651@msgid-missing>

Russell,

 : I have a network much like that show in:
 :
 :   <http://www.lartc.org/howto/lartc.rpdb.multiple-links.html>
 :
 : with a few wrinkles.  This is with a ptrace patched 2.4.20 kernel.
 :
 : The wrinkles are that one interface has 14 IPs (.2 to .15) total (via
 : eth1 and aliasing), the other being a single DHCP-provided IP (eth0).

As a side note, after reading your post, Russell, I'm a touch confused why
you have so many IPs hosted on your eth1 interface.  It strikes me that
you really just want packets to arrive (inbound) on eth1.  So, you really
don't need to have all these IPs locally hosted on your box.  You can
simply proxy ARP for the IPs, and ethernet frames with IP packets bound
for e.f.g.2-15 will arrive on your eth1.  Perhaps you are doing more than
that with these 14 IP addresses, but if not, why bother hosting the IPs
locally?

Suggestion:

# for h in $( seq 2 15 ) ; do
>   arp -s e.f.g.$h -i eth1 -D eth1 pub
> done

Purely out of curiousity, I wonder if you are doing something else with
these IPs?

[ snipped iptables rules that look fine ]

 : When I connect from the outside to eee.fff.ggg.11:22, I never hear a
 : reply.  Ethereal (on the internal interface, eth2) shows replies, but
 : looking on the other external interface (eth0) it appears that the
 : replies are all shooting out of it (the default path).  Nothing ever
 : returns out the eth1 interface as it "should".  I have the ip rules
 : set up as follows:

[ thank you for the "ip route" and "ip rule" output, which has been
  snipped to save space  ]

 : When I connect to the port forwarded address from the outside, it
 : looks like the returning packets are getting routed _before_ the
 : source IP is translated (and thus aren't matching a special rule and
 : thus get routed according to the default rule).  Everything else seems
 : to be working fine.
 :
 : Has anyone seen this?  Is it a bug or am I just confused?

This is not a bug--this is a fact of packet flow through the kernel.  See
the kernel packet traveling diagram (KPTD) [1] for more details on the
sequence of operations.  So to answer your question:  you must be
confused!  :)

You should try adding just one more rule:

# ip rule add from 192.168.0.2 table T2

For a more thorough analysis of this interaction between routing and
netfilter, see my advanced routing with multiple Internet connections
chapter [2] and/or this informative post from Wes Hodges [3].

-Martin

 [1]  http://www.docum.org/stef.coene/qos/kptd/
 [2]  http://linux-ip.net/html/adv-multi-internet.html
 [3]  http://lists.netfilter.org/pipermail/netfilter/2001-May/011697.html

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/