Linux Netfilter discussions
From: Bart Matthaei <bart@dreamflow.nl>
To: netfilter@lists.netfilter.org
Subject: ICMP traffic + iproute + tunnel problems
Date: Wed, 19 May 2004 23:05:13 +0200
Message-ID: <20040519210513.GF1003@dreamflow.nl>

Hi All,

I have the following problem:

I have a tunnel between my home router and my colocated machine.
I use source routing (iproute) to route all traffic coming from my home
network (public ipspace) over the tunnel.

Everything works fine. But when a user traceroutes a host in my home
network, or sends traffic to an unreachable host, all ICMP replies are
coming from the IP address of my cable connection (eth0), which is still
the default route on the home router itself.

I don't want to change the default route to my tunnel for various reasons I
don't want to explain here.

217.170.2.120/29 is my home network.

217.170.2.119 is my local tunnel endpoint.
217.170.2.118 is my remote tunnel endpoint.

I've tried the following:

# this catches all traffic traveling out from eth0 which was originated
# from the tunnel.
iptables -A OUTPUT -t mangle -m conntrack --ctorigdst 217.170.2.120/29 -o eth0 -j MARK --set-mark 1

# This sends all the marked packets to routing table 2. I've also added
# 'nat 217.170.2.119', but it doesn't fix things.
ip ru add fwmark 1 table 2

# This sends the traffic through the tunnel
ip ro add default via 217.170.2.118 dev tunnel src 217.170.2.119 table 2

Ok, all of this works, except for one thing: the source isn't altered.

So the packets are sent through the tunnel, but the source address is still
the eth0 IP, which can't be routed through the tunnel.

The only logical alternative is SNAT on the OUTPUT chain, which isn't
possible with netfilter at this point.

Is there another way to do this?

Regards,

Bart Matthaei

-- 
Bart Matthaei                    bart@dreamflow.nl 

Sometimes a cigar is just a cigar.
                -- Sigmund Freud
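The behaviour described in the post follows from the order of the Linux output path: the route (and source address) is chosen first, the mangle OUTPUT mark is applied afterwards, and the re-route triggered by the mark keeps the source address that is already in the header, so the `src` hint in table 2 is never consulted. The following simplified model is an added illustration, not code from the post or the netfilter project; the eth0 address and the remote host are constructed placeholders, and the table and rule contents are taken from the post.

```python
"""Simplified model of the Linux output path for a locally generated packet
(e.g. an ICMP time-exceeded) on the home router from the post:
  1. initial route lookup (mark still 0)  -> main table, src bound to eth0
  2. iptables -t mangle OUTPUT sets fwmark 1
  3. re-route after mangle                 -> table 2, but src already bound
"""
from ipaddress import ip_address, ip_network

ETH0_ADDR = "203.0.113.10"           # constructed placeholder for the cable (eth0) address
TUN_LOCAL = "217.170.2.119"          # local tunnel endpoint (from the post)
TUN_REMOTE = "217.170.2.118"         # remote tunnel endpoint (from the post)
HOME_NET = ip_network("217.170.2.120/29")

# Routing tables as (prefix, outgoing interface, preferred source) entries.
# 'main' holds the default route via eth0; table 2 is the tunnel route
# 'ip ro add default via 217.170.2.118 dev tunnel src 217.170.2.119 table 2'.
TABLES = {
    "main": [(ip_network("0.0.0.0/0"), "eth0", ETH0_ADDR)],
    2:      [(ip_network("0.0.0.0/0"), "tunnel", TUN_LOCAL)],
}

def select_table(mark):
    """'ip ru add fwmark 1 table 2'; everything else falls through to main."""
    return 2 if mark == 1 else "main"

def route_lookup(dst, saddr, mark):
    """Return (oif, saddr). The route's 'src' hint is only a default for an
    unbound source; a source that is already set is kept as-is."""
    for prefix, oif, prefsrc in TABLES[select_table(mark)]:
        if ip_address(dst) in prefix:
            return oif, (saddr or prefsrc)
    raise LookupError("no route to %s" % dst)

def mangle_output(pkt):
    """iptables -t mangle -A OUTPUT -m conntrack --ctorigdst 217.170.2.120/29
    -o eth0 -j MARK --set-mark 1 (conntrack relates the ICMP error to the
    original flow, so ctorigdst is the home-network host)."""
    if pkt["oif"] == "eth0" and ip_address(pkt["ctorigdst"]) in HOME_NET:
        pkt["mark"] = 1
    return pkt

def send_icmp_error(orig_dst, remote):
    """Model the router emitting an ICMP error towards 'remote' about a
    packet that was addressed to 'orig_dst' in the home network."""
    pkt = {"saddr": None, "mark": 0, "ctorigdst": orig_dst}
    pkt["oif"], pkt["saddr"] = route_lookup(remote, None, pkt["mark"])   # step 1
    mangle_output(pkt)                                                   # step 2
    pkt["oif"], pkt["saddr"] = route_lookup(remote, pkt["saddr"], pkt["mark"])  # step 3
    return pkt["oif"], pkt["saddr"]
```

Running `send_icmp_error` reproduces the symptom (tunnel interface, eth0 source), while `route_lookup(remote, None, 1)` shows that the `src` hint does take effect when the source is still unbound at lookup time.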

