Hello,

On Mon, 19 Aug 2002, Arindam Haldar wrote:

> & applied Julian's patch to kernel 2.4.19 & have gone through the docs at
> the site... I have defined basically 3 groups for clients--> cache,
> cisco, balance.. the name specifies the importance.. these are the details
> of what I did-->

        Carefully analyze the docs...

> [root@Lr1 root]# ip rule ls
> 0:      from all lookup local

        # direct communications are first priority
        ip rule add prio 5 table main

> 10:     from EXTnA.124/25 lookup ONE
> 20:     from EXTnB.106/26 lookup TWO
> 100:    from 192.168.1.10 lookup CACHE
> 101:    from 192.168.1.20 lookup CISCO
> 150:    from 192.168.1.30 lookup BALANCE
> 200:    from all lookup ME
> 32766:  from all lookup main
> 32767:  from all lookup 253

> BUT am **NOT** able to surf at all from internal network... not even
> able to ping eth2 !!!.. default INPUT & OUTPUT are set to ACCEPT while
> FORWARD is DROP..

        First try with all ACCEPT.

> what's missing there?.. after trying all day I want guidance now...
> awaiting a reply very anxiously....

        Your setup is a bit strange: internal hosts use some gateways,
the external addresses use different gateways. The problem is that
if you are using NAT and, for example, 192.168.1.10 is SNAT-ed, the
packet will leave with a new saddr (the masquerade address). Looking
at your rules, there is a different gateway for the masquerade
address. This can't work. The current framework requires that:

- if one internal IP is masqueraded to a specific address, you
need the 2 routes to be similar, i.e.:

        from INT_IP to TARGET
        and
        from MASQ_IP to TARGET

to use the same gateway and device. This is even mandatory for the
patches. Currently, the first packet of a connection is routed
via the route "from INT_IP to TARGET", the SNAT rules assign the
masquerade address at postrouting and then all subsequent packets are
routed via the 2nd route - 1 route per forwarded packet. It is a
bit strange for these two routes to use different gateways. Do you
have a good reason for this?

        Also note that rules of the form "from 0/0 to ANY_TARGET",
where ANY_TARGET can be any subnet including 0/0, are used for
source address autoselection - the resulting preferred source IP
is used as the saddr. They are not used only as a "default" rule. So,
playing tricks with different gateways is not possible. The
setup is ambiguous if NAT is involved.

> A.H

Regards

--
Julian Anastasov <[EMAIL PROTECTED]>

_______________________________________________
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
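As an added example (not part of Julian's message or of the patch), a small Python checker that walks `ip rule ls` output in priority order, the way the kernel does, and confirms that an internal IP and the address it is SNAT-ed to resolve to the same gateway and device, which is the condition stated above. The `ip rule` and `ip route` output is constructed for illustration, with the EXTnA/EXTnB placeholders replaced by documentation ranges, and table lookups are simplified to the table's default route only.

```python
import ipaddress
import re

# Constructed sample of `ip rule ls` (documentation ranges stand in for EXTnA/EXTnB)
IP_RULE_LS = """\
0:      from all lookup local
10:     from 203.0.113.124/25 lookup ONE
20:     from 198.51.100.106/26 lookup TWO
100:    from 192.168.1.10 lookup CACHE
32766:  from all lookup main
"""

# Constructed sample of `ip route show table <T>` for each table named above
ROUTE_TABLES = {
    "ONE":   "default via 203.0.113.1 dev eth0",
    "TWO":   "default via 198.51.100.1 dev eth1",
    "CACHE": "default via 198.51.100.1 dev eth1",
    "main":  "192.168.1.0/24 dev eth2  scope link",
}


def parse_rules(text):
    """Return (prio, source, table) tuples sorted by priority."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"(\d+):\s+from (\S+) lookup (\S+)", line)
        if m:
            prio, src, table = m.groups()
            rules.append((int(prio), src, table))
    return sorted(rules)


def default_gateway(src_ip, rules, tables):
    """Walk the rules in priority order and return (gateway, dev) from the
    first matching table that has a default route; a table without one
    falls through to the next rule (simplified: only default routes count)."""
    ip = ipaddress.ip_address(src_ip)
    for _prio, src, table in rules:
        if src != "all" and ip not in ipaddress.ip_network(src, strict=False):
            continue
        m = re.search(r"default via (\S+) dev (\S+)", tables.get(table, ""))
        if m:
            return m.groups()
    return None


def check_nat_pair(int_ip, masq_ip, rules, tables):
    """True when INT_IP and the MASQ_IP it is SNAT-ed to share gateway and device."""
    return default_gateway(int_ip, rules, tables) == default_gateway(masq_ip, rules, tables)
```

Run `check_nat_pair` once per SNAT mapping in your firewall rules; any `False` is a pair whose first packet and subsequent packets would leave via different gateways.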