linux-kernel.vger.kernel.org archive mirror
* iproute2, portfw oddities (2.2.19 ppp)
@ 2001-08-31 16:12 Valentijn Sessink
  2001-08-31 17:22 ` Christopher Friesen
  2001-09-06 15:01 ` Matthew G. Marsh
  0 siblings, 2 replies; 3+ messages in thread
From: Valentijn Sessink @ 2001-08-31 16:12 UTC (permalink / raw)
  To: linux-kernel

Hello list,

I have a machine (Pentium, 2.2.19, Debian 2.2) with an internal network
(192.168.0.x) and 4 external ppp connections (actually: pptp connections
to the ISP).

The ppp's all could have a "default route" to the Internet, only the ISP
filters source addresses, so you cannot possibly send a ppp0 IP-address
through ppp1 or vice versa.

Now policy routing seemed the correct solution for this and I tried this
for ppp1:

# ip ru list
0:      from all lookup local 
1001:   from 194.10.21.181 lookup ppp1 
32766:  from all lookup main 
32767:  from all lookup default 
# ip route list table ppp1
default dev ppp1  scope link 

This works, as I can ping the ppp1 address from the outside. (which
could not be done before).

Unfortunately, when I try to put a portfw rule on top of this, things go
wrong:

# ipmasqadm portfw -a -P tcp -L 194.10.21.181 80 -R 192.168.0.133 80

Strangely, this results in packets from 192.168.0.133 being renamed
194.10.21.181 *but being directed via ppp0*: tcpdump ppp0 sees packets
coming from IP address 194.10.21.181.

Unfortunately, the ISP does not like this and drops those. However,
after issuing

ip rule add from 192.168.0.133 table ppp1

... the thing works.

This seems a bit odd. Could anyone comment on this? Please cc: my
E-mail-address, as I'm not subscribed to linux-kernel (and yes, the
"nospam" stuff works, I read it, it just seems to scare spambots :)

Best regards,

Valentijn
--


* Re: iproute2, portfw oddities (2.2.19 ppp)
  2001-08-31 16:12 iproute2, portfw oddities (2.2.19 ppp) Valentijn Sessink
@ 2001-08-31 17:22 ` Christopher Friesen
  2001-09-06 15:01 ` Matthew G. Marsh
  1 sibling, 0 replies; 3+ messages in thread
From: Christopher Friesen @ 2001-08-31 17:22 UTC (permalink / raw)
  To: valentyn; +Cc: linux-kernel

Valentijn Sessink wrote:

> The ppp's all could have a "default route" to the Internet, only the ISP
> filters source addresses, so you cannot possibly send a ppp0 IP-address
> through ppp1 or vice versa.
> 
> Now policy routing seemed the correct solution for this and I tried this
> for ppp1:
> 
> # ip ru list
> 0:      from all lookup local
> 1001:   from 194.10.21.181 lookup ppp1
> 32766:  from all lookup main
> 32767:  from all lookup default
> # ip route list table ppp1
> default dev ppp1  scope link
> 
> This works, as I can ping the ppp1 address from the outside. (which
> could not be done before).
> 
> Unfortunately, when I try to put a portfw rule on top of this, things go
> wrong:
> 
> # ipmasqadm portfw -a -P tcp -L 194.10.21.181 80 -R 192.168.0.133 80
> 
> Strangely, this results in packets from 192.168.0.133 being renamed
> 194.10.21.181 *but being directed via ppp0*: tcpdump ppp0 sees packets
> coming from IP address 194.10.21.181.



I'm guessing that the IP address mangling is happening after deciding which
device to send the packet out of.

However, I'm not an expert on routing, so let's see what the real gurus say.

-- 
Chris Friesen                    | MailStop: 043/33/F10  
Nortel Networks                  | work: (613) 765-0557
3500 Carling Avenue              | fax:  (613) 765-2986
Nepean, ON K2H 8E9 Canada        | email: cfriesen@nortelnetworks.com


* Re: iproute2, portfw oddities (2.2.19 ppp)
  2001-08-31 16:12 iproute2, portfw oddities (2.2.19 ppp) Valentijn Sessink
  2001-08-31 17:22 ` Christopher Friesen
@ 2001-09-06 15:01 ` Matthew G. Marsh
  1 sibling, 0 replies; 3+ messages in thread
From: Matthew G. Marsh @ 2001-09-06 15:01 UTC (permalink / raw)
  To: valentyn; +Cc: linux-kernel

On Fri, 31 Aug 2001, Valentijn Sessink wrote:

> Hello list,
>
> I have a machine (Pentium, 2.2.19, Debian 2.2) with an internal network
> (192.168.0.x) and 4 external ppp connections (actually: pptp connections
> to the ISP).
>
> The ppp's all could have a "default route" to the Internet, only the ISP
> filters source addresses, so you cannot possibly send a ppp0 IP-address
> through ppp1 or vice versa.
>
> Now policy routing seemed the correct solution for this and I tried this
> for ppp1:
>
> # ip ru list
> 0:      from all lookup local
> 1001:   from 194.10.21.181 lookup ppp1
> 32766:  from all lookup main
> 32767:  from all lookup default
> # ip route list table ppp1
> default dev ppp1  scope link
>
> This works, as I can ping the ppp1 address from the outside. (which
> could not be done before).
>
> Unfortunately, when I try to put a portfw rule on top of this, things go
> wrong:
>
> # ipmasqadm portfw -a -P tcp -L 194.10.21.181 80 -R 192.168.0.133 80
>
> Strangely, this results in packets from 192.168.0.133 being renamed
> 194.10.21.181 *but being directed via ppp0*: tcpdump ppp0 sees packets
> coming from IP address 194.10.21.181.
>
> Unfortunately, the ISP does not like this and drops those. However,
> after issuing
>
> ip rule add from 192.168.0.133 table ppp1

Yes.

> ... the thing works.
>
> This seems a bit odd. Could anyone comment on this? Please cc: my
> E-mail-address, as I'm not subscribed to linux-kernel (and yes, the
> "nospam" stuff works, I read it, it just seems to scare spambots :)

Nothing odd about it. When a packet comes in the box the RPDB (rules,
routes, addresses) is consulted _before_ the ipchains MASQ. So your packet
was sent out ppp0 which I suspect is the default route for the box in
table main.

> Best regards,
>
> Valentijn
> --

--------------------------------------------------
Matthew G. Marsh,  President
Paktronix Systems LLC
1506 North 59th Street
Omaha  NE  68104
Phone: (402) 932-7250 x101
Email: mgm@paktronix.com
WWW:  http://www.paktronix.com
--------------------------------------------------
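
The lookup order described in the reply above, as an added example that is not part of the original thread: a simplified Python model of the rule lookup (source-based rules only, no "local" or "default" tables) followed by the portfw source rewrite, checked against the ISP's per-link source filter. The ppp0 address, the priority 1000 of the added rule, and "main" defaulting to ppp0 are assumptions.

```python
import ipaddress

# Table name -> egress device of its default route.
# "main" defaulting to ppp0 is what the reply suspects, not a confirmed fact.
TABLES = {"main": "ppp0", "ppp1": "ppp1"}

# Source address the ISP accepts on each link.
# The ppp0 address is a constructed placeholder; the thread does not give it.
LINK_ADDR = {"ppp0": "203.0.113.10", "ppp1": "194.10.21.181"}

# portfw mapping from the thread: replies from the internal web server
# leave with the public ppp1 address as their source.
PORTFW = {"192.168.0.133": "194.10.21.181"}

# (priority, "from" prefix, table), as in the posted "ip ru list" output.
BASE_RULES = [(1001, "194.10.21.181/32", "ppp1"), (32766, "0.0.0.0/0", "main")]
# After "ip rule add from 192.168.0.133 table ppp1" (priority is illustrative).
FIXED_RULES = BASE_RULES + [(1000, "192.168.0.133/32", "ppp1")]


def rpdb_lookup(rules, src):
    """Return the table of the first rule, in priority order, matching src."""
    addr = ipaddress.ip_address(src)
    for _prio, prefix, table in sorted(rules):
        if addr in ipaddress.ip_network(prefix):
            return table
    raise LookupError("no rule matched")


def forward_reply(rules, src):
    """Route on the pre-NAT source first, then rewrite it (RPDB before MASQ)."""
    dev = TABLES[rpdb_lookup(rules, src)]   # decided on 192.168.0.133
    wire_src = PORTFW.get(src, src)         # rewritten afterwards
    accepted = LINK_ADDR[dev] == wire_src   # ISP source filter on that link
    return dev, wire_src, accepted


if __name__ == "__main__":
    for name, rules in (("original rules", BASE_RULES), ("with added rule", FIXED_RULES)):
        dev, wire_src, ok = forward_reply(rules, "192.168.0.133")
        print(f"{name}: out {dev} as {wire_src} -> {'accepted' if ok else 'dropped by ISP'}")
```
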

