From: Lars Täuber
Date: Mon, 02 Jun 2003 15:29:35 +0000
Subject: [LARTC] iproute 2 - src routing
To: lartc@vger.kernel.org

Hi everybody,

I'm responsible for an isdn router, which doesn't work as I want and
expected. Hopefully at least one of you can help us.

We have a private network (192.168.0.0/16) and a standard gateway with a
default route to the internet-gateway (a nat-ing firewall).

|private net|-----|standard gateway|
|
|
|
|nating firewall|-----|internet
|
|local services|

Now we want a special network to get routed through an additional isdn
router for a special subdomain of ours. The foreign network is also
available over the internet but has restrictions on some services from the
internet.

|private net|-----|standard gateway|
|
|
|
|isdn router|---(isdn)--|foreign dialin|--[--
|
|                                         [--
|
|nating firewall|-----|internet|---------[--
|
|local services|

So the isdn route should decide by the source address (a privileged
subdomain) which route the traffic goes and nat it if it goes through isdn.
The nating is made with iptables.

I did the following:

rt_tables :
255 local
254 main
253 default
0 unspec
1 xyz

$ ip route add default via [dialin gw] dev ippp0 table xyz
# ip rule add from [privileged ip-addr] to [target subnet] table xyz
$ ip route flush cache
$ echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route

The default route is routed to the standard nating firewall, so the
normal traffic should go its normal old way.

I can ping a host in the target subnet and also traceroute from the
privileged host, but I don't get any connection to a web server.

There also is a strange behaviour (on the isdn gw):

$ ip route get [webserver in target net]
[webserver in target net] dev ippp0 src [ippp0 ip]
    cache mtu 1500 advmss 1460

$ ip route get [webserver in target net] from [privileged ip] iif eth0
[webserver in target net] from [privileged ip] dev ippp0 src [eth0 ip]
    cache mtu 1500 advmss 1460 iif eth0

Is this correct? Why does the icmp traffic go the right way and the other
doesn't?

Thanks a lot

Regards
Lars Täuber
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/