From: Andrew andrewd@uccsda.org
To: lartc@vger.kernel.org
Subject: [LARTC] A complicated routing scenario (for me at least)
Date: Wed, 15 Nov 2000 19:20:40 +0000 [thread overview]
Message-ID: <marc-lartc-98373938216923@msgid-missing> (raw)
In-Reply-To: <marc-lartc-98373938216914@msgid-missing>
<PRE>Hello,
I appreciate all the comments, Let's keep it up. I promise I'll post the whole
thing when I have it all figured out. My mental picture is slowly filling out.
Three specific things I've got to know though: (diagrams are just for reference)
> > LAN
><i> > | (172...)
</I>><i> > | (eth1)
</I>><i> > _/\__/\_ +---+----+ _/\__/\_
</I>><i> > / \ (63...) | | (204...) / \
</I>><i> > ( Internet )-----------+ Router +----------( Internet )
</I>><i> > \_ __ _/ (eth0) | | (eth2) \_ __ _/
</I>><i> > \/ \/ +----+---+ \/ \/
</I>><i> > (eth3)| 63..
</I>><i> > | 204..
</I>><i> > |
</I>><i> > --+---------------+----------+-- <---single physical
</I>><i> > | | net
</I>><i> > | | (i.e. one hub)
</I>><i> > | |
</I>><i> > +---+---+ 63..1 +---+---+ 63..2
</I>><i> > | Linux | 63..4 | Linux | 63..3
</I>><i> > +-------+ 204..1 +-------+ 204..2
</I>><i> > 204..4 204..3
</I>
.---------------------------------------------------------------.
|Version| IHL |Type of Service| Total Length |
|-------+-------+---------------+-------------------------------|
| Identification |Flags| Fragment Offset |
|---------------+---------------+-------------------------------|
| Time to Live | Protocol | Header Checksum |
|---------------+---------------+-------------------------------|
| Source Address |
|---------------------------------------------------------------|
| Destination Address |
`---------------------------------------------------------------'
1. If I modify the TOS field on incomming packets with IPchains, and then route
those packets to the proper internal server on my protected network, when that
server replies, what do the TOS fields in the reply packets look like? Are they
copies of the ones that came from the outside initiating the connection routed
through my router? (I hope that's the case) Or does the kernel on the replying
machine invent some new TOS value for those packets?
2. On a machine with two IP addresses on the same nic (A and B). If someone on
the internet makes a connection to IP address A. What is the source address of
reply packets in the IP header diagram above? A? (I hope that's the case too.)
3. Finally, is it necessary for the router box above to have two addresses on
the internal network. Does it matter that the default gateway that packets,
having a 204.. source address, go to might be a 63.. address? (or vice versa, as
long as all machines are connected to the same physical network) If it doesn't
then there is no need for a second IP address on the internal side of the router
(eth3 above). If it does matter, can I put in some fancy next-hop routes on the
servers based on what the source address of reply packets ends up being? (This
would essentially completely ignore the default route)
Something to remember (it may or may not matter to you): Valid packets coming in
on eth2 (204... above) will have a 204... destination address. Also Valid
packets coming in on eth0 (63... above) will have a 63... destination address.
Marking the packets as they come in is merely so that we can route them back on
the same interface they came in on. I don't want assymetric routes.
Here's some more ascii art:
local
process
| ^
eth0 \ | | / eth0
eth1 | | | | eth1
eth2 +--incomming | | outgoing--+ eth2
eth3 | packets | | packets | eth3
etc. / | | \ etc.
|<i> | | ^
</I>|<i> | | |
</I>|<i> | | |
</I>|<i> ---------------------------|-|-----------------(lo interface)<----|
</I>|<i> | | | |
</I>|<i> V V | _______ _______ |
</I>---> C --> S --> ______ --> D --> ~~~~~~~~ -->|forward|---->| |-------
h a |input | e {Routing } |Chain | |output |ACCEPT
e n |Chain | m {Decision} |_______| --->|Chain |
c i |______| a ~~~~~~~~ | | ->|_______|
k t | s | | | | |
s y | q local v | | |
u | V e process DENY/ | | v
m | DENY/ r packets REJECT | | DENY/
| V REJECT a | | | REJECT
| DENY d --------------------- |
V e -----------------------------
DENY
I've slightly modified the packet flow diagram from the ipchains howto according
to my understanding of how things work (in other words, correct me if I'm
wrong). What I want to know is what the packet looks like once it gets to the
routing decision block above from a local process. (Assume that this packet is a
response to a connection established from the internet. I alredy know how the
source address is decided upon for connections originating from a machine. This
is farely well documented on page 48 of the IP command reference, which is part
of the iproute2 distribution.) I especially want to know what the source and
destination addresses are at this point. I'm sure you all can see why. If not
let me know and I'll clarify.
Thanks again for the help and comments.
-- Andrew
<A HREF="mailto:depaan@bibleinfo.com">depaan@bibleinfo.com</A>
--------------------------------------------------------------
Want answers to life's big questions? Visit www.bibleinfo.com.
</PRE>
next prev parent reply other threads:[~2000-11-15 19:20 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2000-11-13 22:58 [LARTC] A complicated routing scenario (for me at least) Andrew
2000-11-14 14:34 ` Arthur
2000-11-14 14:44 ` Wingtung.Leung
2000-11-14 20:15 ` Andrew
2000-11-14 21:47 ` Whit
2000-11-14 23:10 ` Wingtung.Leung
2000-11-15 10:49 ` Arthur
2000-11-15 11:27 ` Arthur
2000-11-15 14:57 ` Warren
2000-11-15 19:20 ` Andrew [this message]
2000-11-15 19:30 ` Arthur
2000-11-15 20:11 ` Andrew
2000-11-17 1:07 ` Andrew
2000-11-17 12:11 ` Mike
2000-11-17 12:24 ` Mike
2000-11-17 13:00 ` Arthur
2000-11-17 21:25 ` Mike
2000-11-18 16:28 ` Warren
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=marc-lartc-98373938216923@msgid-missing \
--to=lartc@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.