[LARTC] source routing does not work with extra ip addresses
richard lucassen
mailinglists at lucassen.org
Sat Apr 8 19:33:30 CEST 2006
On Sat, 8 Apr 2006 11:07:00 -0500
"Martin A. Brown" <martin-lartc at wonderfrog.net> wrote:
> : Now I put a server behind the Linux box. I want the server to be
> : reachable on an /extra/ IP in the routed subnet of ISP2.
>
> Does the server have one or two IP addresses? Best solution? Use two
> IP addresses on the server.
Hmmm, one for ISP1 and one for ISP2? That would be a nice idea to
work around this problem :-)
> : When pinging 1.2.3.3, the packets get in through eth1 (ok), but the
> : replies are following the default route through eth0 (wrong)
>
> The problem is routing. Return packets from your server are handled
> in the main routing table. There isn't yet an RPDB entry directing
> traffic from 10.0.0.2 to use table_eth1. Your RPDB entry looks like
> this:
>
> : ip rule add from 1.2.3.3 lookup table_eth1
>
> Try changing this (or adding another rule):
>
> ip rule add from 10.0.0.2 lookup table_eth1
Nope. I already tried that, but no way.
> instead. Now, your server should have Internet access strictly on
> the link handled by ISP2.
No. The packets are returned through ISP1.
> If you would like to handle inbound traffic on both links, then add
> a secondary IP address to your server, and enter another DNAT rule
> which specifies another NAT mapping for the secondary IP.
That's a very nice idea, but packets keep on entering the wrong table
(default); I think it's a bug somewhere in the kernel.
It only works when the IP is directly on the external interface of the
Linux box, but as soon as one TCP port is translated, the return packets
for that translated port get into the wrong (default) table.
Even when using fw marks it doesn't work. I mark all packets coming
from the server's second IP address with '1' and a simple
ip ru a fwmark 1 table t_eth1
should do the job. But no way. Packets keep on getting out through ISP1
(t_eth0).
This is the real test:
10.0.2.1 is the server, 10.0.2.3 is its second IP.
10.0.2.1 = external 10.1.3.100
10.0.2.3 = external 192.168.201.3
# ip r s
192.168.201.3 via 10.0.2.3 dev eth2
10.1.3.100 via 10.0.2.1 dev eth2
10.0.2.0/24 dev eth2 proto kernel scope link src 10.0.2.2
192.168.201.0/24 dev eth1 proto kernel scope link src 192.168.201.2
10.1.3.0/24 dev eth0 proto kernel scope link src 10.1.3.101
default via 10.1.3.1 dev eth0
# ip ru s
0: from all lookup local
32762: from all fwmark 0x1 lookup t_eth1
32764: from 192.168.201.2 lookup t_eth1
32765: from 10.1.3.101 lookup t_eth0
32766: from all lookup main
32767: from all lookup default
# ip r s t t_eth0
10.0.2.0/24 dev eth2 scope link
10.1.3.0/24 dev eth0 scope link src 10.1.3.101
127.0.0.0/8 dev lo scope link
default via 10.1.3.1 dev eth0
# ip r s t t_eth1
10.0.2.0/24 dev eth2 scope link
192.168.201.0/24 dev eth1 scope link src 192.168.201.2
127.0.0.0/8 dev lo scope link
default via 192.168.201.1 dev eth1
Any hints are welcome...
btw: iproute2-ss06011, kernel 2.6.16.2, iptables 1.3.5
R.
--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.
+------------------------------------------------------------------+
| Richard Lucassen, Utrecht |
| Public key and email address: |
| http://www.lucassen.org/mail-pubkey.html |
+------------------------------------------------------------------+
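As an added illustration (not part of the original thread), here is a small simulator of the RPDB lookup built from the `ip ru s` and `ip r s t ...` output quoted above: it shows which table a forwarded reply from the server's second address lands in with and without the fwmark, using the source address as it exists at the routing decision, i.e. before POSTROUTING NAT rewrites it. It assumes Python 3, that the mark (if any) is already present when the packet is routed (set in mangle PREROUTING), and a constructed destination 203.0.113.7 standing in for "the Internet".

```python
import ipaddress

# Constructed from the `ip ru s` / `ip r s t ...` output quoted in the post;
# the local table is left empty because forwarded traffic is not delivered locally.
RULES = """0: from all lookup local
32762: from all fwmark 0x1 lookup t_eth1
32764: from 192.168.201.2 lookup t_eth1
32765: from 10.1.3.101 lookup t_eth0
32766: from all lookup main
32767: from all lookup default"""

TABLES = {
    "local": "", "default": "",
    "t_eth0": "10.0.2.0/24 dev eth2\n10.1.3.0/24 dev eth0\ndefault via 10.1.3.1 dev eth0",
    "t_eth1": "10.0.2.0/24 dev eth2\n192.168.201.0/24 dev eth1\ndefault via 192.168.201.1 dev eth1",
    "main": ("192.168.201.3 via 10.0.2.3 dev eth2\n10.1.3.100 via 10.0.2.1 dev eth2\n"
             "10.0.2.0/24 dev eth2\n192.168.201.0/24 dev eth1\n10.1.3.0/24 dev eth0\n"
             "default via 10.1.3.1 dev eth0"),
}

def parse_rule(line):
    """'prio: from SRC [fwmark 0xN] lookup TABLE' -> (prio, src_net, mark, table)."""
    prio, rest = line.split(":", 1)
    tok = rest.split()
    src = None if tok[1] == "all" else ipaddress.ip_network(tok[1], strict=False)
    mark = int(tok[tok.index("fwmark") + 1], 16) if "fwmark" in tok else None
    return int(prio), src, mark, tok[tok.index("lookup") + 1]

def parse_route(line):
    """'PREFIX|default [via GW] dev DEV' -> (prefix, dev)."""
    tok = line.split()
    prefix = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0], strict=False)
    return prefix, tok[tok.index("dev") + 1]

def lookup(table, dst):
    """Longest-prefix match inside one table; None when the table has no route for dst."""
    hits = [(p.prefixlen, dev) for p, dev in map(parse_route, TABLES[table].splitlines()) if dst in p]
    return max(hits)[1] if hits else None

def route(src, dst, fwmark=0):
    """Walk the RPDB by priority; the first matching rule whose table holds a route decides.
    src is the address as seen at the routing decision, i.e. BEFORE POSTROUTING NAT."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, net, mark, table in sorted(map(parse_rule, RULES.splitlines()), key=lambda r: r[0]):
        if (net is None or src in net) and (mark is None or mark == fwmark):
            dev = lookup(table, dst)
            if dev:
                return table, dev
    return None

if __name__ == "__main__":
    print(route("10.0.2.3", "203.0.113.7"))     # ('main', 'eth0'): unmarked reply falls through to main, leaves via ISP1
    print(route("10.0.2.3", "203.0.113.7", 1))  # ('t_eth1', 'eth1'): fwmark 1 present at routing time selects t_eth1
```

The unmarked case reproduces the symptom in the post: no `from` rule matches the pre-NAT source 10.0.2.3, so the reply is routed by main and exits ISP1. The marked case shows what the fwmark rule as listed is meant to do, which only holds if the mark is applied before the routing decision.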