From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@lists.netfilter.org>
Subject: Re: Route packets from an interface to another
Date: Mon, 10 Sep 2007 10:23:20 -0500
Message-ID: <46E56168.4010909@riverviewtech.net>
In-Reply-To: <930617.62310.qm@web33307.mail.mud.yahoo.com>
On 09/10/07 07:18, vinod K D wrote:
> My gateway has two network interfaces: eth0 & eth1.
>
> eth0 (192.168.1.1) is connected to public network and eth1 (10.0.1.1)
> is connected to LAN.
>
> MyServer, which is in the LAN, has ip 10.0.1.2.
Ok, reasonable enough.
> I created a virtual interface eth0:0 (192.168.1.2) in the gateway.
> Using ipvsadm, I can route the packets, destined for this IP address
> and a port, to myServer.
>
> And in myServer, I enabled ip_forwarding and assigned 192.168.1.2 for
> the loopback interface. So my server application receives and serves
> the packets properly.
I'm surprised that having the 192.168.1.2 address on the loopback
interface is working as expected at all as the kernel will usually
protect the loopback interface from any thing not local to the system.
> The problem is in the return path. (Remember the packets have source
> address 192.168.1.2). While they reach the gateway, the packets are
> being dropped.
*nod* You will indeed have some reverse path issues to work out.
> (I think the reason is nothing but the address 192.168.1.2 being
> assigned to the gateway. Hence the router assumes the packets are
> traversing through a loop.)
*nod*
> I can't use masquerading, because I need to get the source &
> destination IPs of the packets.
Ok...
I have to ask, why does your server have a private class C address on
its external interface? Either you are doing something weird and your
external is not external to the internet, or you are already in a
situation where the packets have been modified, which is what you are
trying to avoid. I'm just saying / opening the door for an answer.
> Can anyone suggest a way to redirect packets from an interface to
> another (ie, eth1 to eth0) without making any change in the packet
> header.
Why redirect the packets at all? Why not let the packets come in
directly to the router?
I'd suggest that you turn your router into a bridging router. I.e.
bridge traffic to / from 192.168.1.2 through eth0 and eth1 while routing
192.168.1.1 traffic for your LAN. This way your server would have
192.168.1.2 bound to its NIC and be able to reply directly to the world
without any problem at all. If you are worried about not having a
firewall, you can easily do either ebtables (layer 2) or iptables (layer
3) on the bridged (layer 2) traffic so your system will still be protected.
Do some light reading of section 7 of the following page:
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html#section7 I think
this will help depict what I'm talking about.
> PS: The latest versions of netfilter don't have a built-in ipt_ROUTE
> module. Else my life would be cool.
Grant. . . .
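As an added example, not code from Grant's message or from the ebtables project, here is a POSIX shell sketch of the brouter he describes: ebtables' broute table bridges frames to and from 192.168.1.2 across eth0/eth1 (ACCEPT in BROUTING means bridge, DROP means hand the frame to the routing stack, so everything else, including 192.168.1.1 and the 10.0.1.x LAN, is still routed), and iptables with the physdev match filters the bridged traffic. The interface names, the served port (TCP/80), keeping the existing addresses on the physical ports, and the brctl/ebtables/iptables command syntax of that era are assumptions. The script prints the commands by default and only executes them, as root, with --apply.

```shell
#!/bin/sh
# Added example (not from the thread): brouter setup for the gateway described
# above. Assumptions: eth0 keeps 192.168.1.1 (WAN), eth1 keeps 10.0.1.1 (LAN),
# the server has 192.168.1.2 bound to its own NIC (no more loopback alias or
# ipvsadm), the published service is TCP/80, and 2007-era brctl/ebtables/
# iptables syntax. Without --apply the script only prints the plan.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
BR_IF=${BR_IF:-br0}
SERVER_IP=${SERVER_IP:-192.168.1.2}
SERVER_PORT=${SERVER_PORT:-80}

# Emit the configuration, one command per line, in execution order:
#  1. build br0 from both ports (their IPs stay on the ports, so routing
#     between 192.168.1.1 and 10.0.1.1 keeps working as before);
#  2. let iptables see bridged IP traffic (bridge-nf);
#  3. broute table: bridge IPv4 and ARP to/from the server, route the rest;
#  4. iptables FORWARD: allow replies and the service port to the server,
#     drop anything else aimed at it. Traffic the server originates falls
#     through to the chain's default policy.
brouter_commands() {
  cat <<EOF
brctl addbr $BR_IF
brctl addif $BR_IF $WAN_IF
brctl addif $BR_IF $LAN_IF
ip link set $BR_IF up
sysctl -w net.bridge.bridge-nf-call-iptables=1
ebtables -t broute -F BROUTING
ebtables -t broute -A BROUTING -p IPv4 --ip-dst $SERVER_IP -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 --ip-src $SERVER_IP -j ACCEPT
ebtables -t broute -A BROUTING -p ARP --arp-ip-dst $SERVER_IP -j ACCEPT
ebtables -t broute -A BROUTING -p ARP --arp-ip-src $SERVER_IP -j ACCEPT
ebtables -t broute -A BROUTING -j DROP
iptables -A FORWARD -m physdev --physdev-is-bridged -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-is-bridged -d $SERVER_IP -p tcp --dport $SERVER_PORT -j ACCEPT
iptables -A FORWARD -m physdev --physdev-is-bridged -d $SERVER_IP -j DROP
EOF
}

# Run the plan, stopping at the first failing command (needs root).
apply_brouter() {
  brouter_commands | sh -e -x
}

case "${1:-}" in
  --apply) apply_brouter ;;
  *) brouter_commands ;;
esac
```

Order matters in the broute table: the ARP rules are what let the server's neighbours on either side resolve 192.168.1.2 at layer 2, and the trailing DROP must stay last, since it is the rule that sends every other frame into the normal routing path. The iptables rules only see bridged frames once bridge-nf-call-iptables is on; the physdev-is-bridged match keeps them from touching the gateway's own routed traffic.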