Hello anyone

I've been using ipchains for quite a while and only now did I encounter this
sort of problem:

A brief description of the setup:

Cisco router:
        serial0 connected to ISP0
        serial1 connected to ISP1
        ethernet0 has 2 aliases - 
                10.1.10.1 in the subnet for ISP0
                10.1.11.1 in the subnet for ISP1

        policy routing set so any packet coming from within the subnet
        of ISP0 goes out via serial0.

        policy routing set so any packet coming from within the subnet
        of ISP1 goes out via serial1.

Linux MASQ gateway
        RedHat 5.2, kernel 2.2 update packages installed
        kernel 2.2.12 [with firewall, advanced router options enabled]
        ipchains 1.3.9, iproute2-2.2.4

        eth0    - 10.1.10.2/24
        eth0:1  - 10.1.11.2/24

        routing table as follows:       [make all traffic go out via ISP1]
        ip route add default via 10.1.11.1  src 10.1.11.2 

        ipchains rules:
        ipchains -A input  -j ACCEPT
        ipchains -A forward -s 10.1.10.0/24 -d 0/0 -j MASQ
        ipchains -A output -j ACCEPT

As seen in this very simple example, all packets coming from the subnet of
ISP0 passing through this host will get masq'ed and the source IP should be
translated to the IP of the interface the packet will go out of (in this case
eth0:1, 10.1.11.2).  The cisco router will know this and will send the packet
out via serial1.

Generally, there would be no problems with this setup. I have some Linux 2.0.38
boxes with IPs on the subnet of ISP0 running as "clients" of this masq box, and
their IPs get translated correctly and go out via ISP1.

Until I used a Linux 2.2.12-based box.  The IP of a box running kernel 2.2 goes
through UNTRANSLATED!  If I have another box "outside" this network and I
telnet to it, the other box logs the connection as coming from the original
address, not the address of the masq gateway.  This only happens with kernel
2.2 boxes, and I really wonder how it was able to bypass the masq procedure at
the gateway.

I'm sure that packets go through the gateway because traceroutes and a ping -R
record the route as passing through the masq gateway, but without any
translation.

Has anyone encountered this?  It has been driving me crazy for the past 6 hours.
My solution was not to use the masq gateway at all but to give the Linux 2.2.12
box its own IP in ISP1's subnet.  This isn't a good solution because (1) ISP1
did not give me enough IPs to play around with, and (2) ISP1 is faster than ISP0,
so traffic should go out via ISP1.

Any insights would be very much appreciated!

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
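The following is an added example, not code from the original post or from the ipchains/iproute2 projects. It models the two decisions the post relies on: the ipchains forward chain picking the first matching rule, and the iproute2 default route (`default via 10.1.11.1 src 10.1.11.2`) supplying the address a MASQ'ed packet is rewritten to. It then runs a check over a constructed list of (src, dst) pairs, standing in for what a box on the far side of the gateway would log, and flags packets that the rules say should have been masqueraded but still carry their original source, which is the symptom the post describes. Assumptions: the address plan is the one in the post; the default forward policy is ACCEPT (ipchains' built-in default, since the post sets none); only `-s`, `-d` and `-j` are parsed from the rule lines; the observed packets and the client address 10.1.10.7 are made up for the example.

```python
"""Model of ipchains MASQ + iproute2 source selection for the setup in the post.

Added example: the rule parser, route lookup and leak check below are
illustrative code, not the kernel's or ipchains' own implementation.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address plan from the post.
ISP0_SUBNET = ipaddress.ip_network("10.1.10.0/24")
ISP1_SUBNET = ipaddress.ip_network("10.1.11.0/24")
GATEWAY_ISP0 = ipaddress.ip_address("10.1.10.2")   # eth0
GATEWAY_ISP1 = ipaddress.ip_address("10.1.11.2")   # eth0:1


@dataclass(frozen=True)
class ForwardRule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    target: str          # MASQ, ACCEPT, DENY, ...


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]   # None for a directly connected subnet
    src: ipaddress.IPv4Address             # preferred source address for this route


# Routing table from the post: two connected subnets on eth0/eth0:1 and the
# default route that forces everything out via ISP1 with src 10.1.11.2.
ROUTES = [
    Route(ISP0_SUBNET, None, GATEWAY_ISP0),
    Route(ISP1_SUBNET, None, GATEWAY_ISP1),
    Route(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("10.1.11.1"), GATEWAY_ISP1),
]


def _cidr(spec: str) -> str:
    """ipchains accepts '0/0'; the ipaddress module wants a full dotted quad."""
    addr, _, plen = spec.partition("/")
    if addr == "0":
        addr = "0.0.0.0"
    return f"{addr}/{plen or 32}"


def parse_ipchains_forward(lines):
    """Parse 'ipchains -A forward -s S -d D -j TARGET' lines, in order.

    Assumption: only -s, -d and -j are honoured; input/output chain lines are skipped.
    """
    rules = []
    for line in lines:
        parts = line.split()
        if parts[:3] != ["ipchains", "-A", "forward"]:
            continue
        opts = dict(zip(parts[3::2], parts[4::2]))
        rules.append(ForwardRule(
            src=ipaddress.ip_network(_cidr(opts.get("-s", "0/0")), strict=False),
            dst=ipaddress.ip_network(_cidr(opts.get("-d", "0/0")), strict=False),
            target=opts["-j"],
        ))
    return rules


def lookup_route(dst: ipaddress.IPv4Address, routes=ROUTES) -> Route:
    """Longest-prefix match over the table, as the kernel does."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def forward(src, dst, rules, routes=ROUTES, policy="ACCEPT"):
    """Return (verdict, source address on the wire, next hop) for a forwarded packet.

    First matching forward rule wins. MASQ rewrites the source to the src
    address of the route the packet leaves by (here 10.1.11.2 for the default).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    route = lookup_route(dst, routes)
    next_hop = route.via if route.via is not None else dst
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            wire_src = route.src if rule.target == "MASQ" else src
            return rule.target, str(wire_src), str(next_hop)
    return policy, str(src), str(next_hop)


def untranslated_leaks(observed, rules, routes=ROUTES):
    """Flag observed (src, dst) pairs whose source should have been masqueraded.

    Each hit is (observed src, dst, the source the MASQ rule should have produced).
    """
    leaks = []
    for s, d in observed:
        verdict, expected_src, _ = forward(s, d, rules, routes)
        if verdict == "MASQ" and s != expected_src:
            leaks.append((s, d, expected_src))
    return leaks


RULES = parse_ipchains_forward([
    "ipchains -A input  -j ACCEPT",
    "ipchains -A forward -s 10.1.10.0/24 -d 0/0 -j MASQ",
    "ipchains -A output -j ACCEPT",
])

# Constructed observation from a host beyond the gateway (not real captures):
# one properly masqueraded connection and one from a client whose 10.1.10.x
# address went through untranslated.
OBSERVED = [
    ("10.1.11.2", "192.0.2.10"),
    ("10.1.10.7", "192.0.2.10"),
]

if __name__ == "__main__":
    print(forward("10.1.10.7", "192.0.2.10", RULES))
    for leak in untranslated_leaks(OBSERVED, RULES):
        print("untranslated:", leak)
```

Feeding the script real data means exporting the gateway's `ipchains -L forward -n` output and the far-side host's logged peer addresses into the two lists; any hit means a packet reached the outside with a 10.1.10.x source even though the forward chain should have rewritten it to 10.1.11.2.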