Re: policy routing
Cenk Hasirlioglu [EMAIL PROTECTED] writes:

> Packets are sent by dialup terminals (at the end of the FIGURE below).
> Cisco routers on the way have their own different default gateways but
> next-hop policies send packets to linux. Also linux sends packets to
> 7206 (212.174.112.18, top of the FIGURE) by iproute settings. 7206 can
> distribute local packets but it cannot send other packets to Internet.

Are you sure that the configuration of the 7206 would let it forward packets from the other network? Perhaps it only knows about its attached network (212.174.112/?) and it is refusing to let out packets whose source address is from the 212.174.232.0/24 network?

Your situation sounds a little more complicated than mine. I have a single firewall with a private IP DMZ. Real IPs from each of the attached networks are assigned to the firewall, ports are forwarded as needed and the ip rules dictate that traffic from a given internal server be masqueraded as a specific IP and routed out a specific gateway. In all cases the default route is a single hop.

--
fraser campbell [EMAIL PROTECTED]                starnix inc.
tollfree: (905) 771-0017          thornhill, ontario, canada
http://www.starnix.com/  professional linux services products
Re: policy routing
Hi again,

It works, thanks a lot, but next hop did not make any sense to sending packets. I cannot get a traceroute response from that cisco router when I trace to a foreign IP. Traces start to print asterisks after that next-hop.

Packets are sent by dialup terminals (at the end of the FIGURE below). Cisco routers on the way have their own different default gateways but next-hop policies send packets to linux. Also linux sends packets to 7206 (212.174.112.18, top of the FIGURE) by iproute settings. 7206 can distribute local packets but it cannot send other packets to Internet.

--- LINUX SETTINGS ---

test:~#
test:~# uname -a
Linux test 2.2.18 #1 Wed Feb 14 18:21:06 EET 2001 i686 unknown
test:~#
test:~# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:2288626 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2288626 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

eth0      Link encap:Ethernet  HWaddr 00:A0:24:EA:16:EF
          inet addr:212.133.146.194  Bcast:212.133.146.195  Mask:255.255.255.252
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:699895 errors:0 dropped:0 overruns:0 frame:0
          TX packets:629786 errors:0 dropped:0 overruns:0 carrier:0
          collisions:441 txqueuelen:100
          Interrupt:4 Base address:0xd800

eth1      Link encap:Ethernet  HWaddr 00:60:08:6A:3B:D1
          inet addr:212.174.112.31  Bcast:212.174.112.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5954490 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5848790 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:7 Base address:0xd000

test:~#
test:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
212.133.128.28  212.174.112.18  255.255.255.255 UGH   1      0        0 eth1
212.133.146.192 0.0.0.0         255.255.255.252 U     0      0        0 eth0
212.174.232.0   212.133.146.193 255.255.255.0   UG    0      0        0 eth0
212.174.112.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         212.133.146.193 0.0.0.0         UG    0      0        0 eth0
test:~#
test:~#
test:~#
test:~# ip route add default via 212.174.112.18 proto static table 5
test:~# ip rule add from 212.174.232.0/24 to 0/0 lookup 5 priority 999
test:~# ip route flush cache
test:~#
test:~#

SIMPLE SCHEME OF NETWORK

FIGURE :

                Internet
                  ^
                  |
                  |
        ---------------------
        |                   |
        |     Cisco7206     |
        |                   |
        |  212.174.112.18   |
        ---------------------
                  |
                  | eth
                  |
        =====================
        # 212.174.112.31    #
        #                   #
        #    DEBIAN 2.2     #
        #                   #
        # 212.133.146.194   #
        =====================
                  |
                  | eth
                  |
        ---------------------
        | 212.133.146.193   |
        |                   |
        |     Cisco7600     |--- Internet
        |                   |
        | serial            |
        ---------------------
                  |
                  | Leased Line
                  |
        ---------------------
        | serial            |
        |                   |
        |     Cisco2600     |--- Internet
        |                   |
        | 213.186.131.94    |
        ---------------------
                  |
                  | eth
                  |
        ---------------------
        | 213.186.131.89    |
        |                   |
        |     Cisco2511     |
        |                   |
        | Async connections.|
        ---------------------
          | | | | | | | | |
          | | | | | | | | |
     dial-up pool (212.174.232.0/24)

--- TRACEROUTE TESTS FROM DIALUP TERMINALS ---

C:\WINDOWS>tracert -d 212.174.112.13

Tracing route to 212.174.112.13 over a maximum of 30 hops

  1   244 ms   240 ms   238 ms  213.186.131.89
  2   224 ms   234 ms   242 ms  213.186.131.94
  3   250 ms   238 ms   244 ms  212.133.146.85
  4   254 ms   268 ms   268 ms  212.133.146.242
  5   254 ms   260 ms   253 ms  212.133.146.194
  6   255 ms   238 ms   275 ms  212.174.112.18
  7   385 ms   358 ms   331 ms  212.174.112.13

Trace complete.

C:\WINDOWS>
C:\WINDOWS>tracert -d 12.1.1.1

Tracing route to 12.1.1.1 over a maximum of 30 hops

  1   237 ms   226 ms   238 ms  213.186.131.89
  2   226 ms   237 ms   238 ms  213.186.131.94
  3   255 ms   239 ms   238 ms  212.133.146.85
  4   245 ms   242 ms   241 ms  212.133.146.242
  5   252 ms   291 ms   248 ms  212.133.146.194
  6   257 ms   240 ms   263 ms  212.174.112.18
  7     *        *        *     Request timed out.
Re: policy routing
Cenk Hasirlioglu [EMAIL PROTECTED] writes:

> There is third network behind another router and we want to route
> packets coming from this network to a different next-hop, not to
> default gateway. How can I do that policy routing with iproute or
> ipchains (kernel 2.2.x)

These two statements should be enough to get packets from the internal network using the other gateway (I call it 172.16.1.1):

    ip route add default via 172.16.1.1 proto static table 5
    ip rule add from 192.168.0.0/24 to 0/0 lookup 5 priority 999

After this issue an "ip route flush cache" ...

Note, before the default route statement you may have to throw some routes to your other local networks if you still wish to talk to them properly. Something like "ip route add throw 10.0.1.0/24 table 5".

There is an excellent iproute2 document that explains all these things but iirc it is a little short on details covering your particular scenario.

Good luck,

--
fraser campbell [EMAIL PROTECTED]                starnix inc.
tollfree: (905) 771-0017          thornhill, ontario, canada
http://www.starnix.com/  professional linux services products
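The rule-and-table lookup described in the reply above, modelled in Python as an added example (not code from the thread or from iproute2). It uses the `route -n` output and the `ip` commands posted in this thread; the source address 212.174.232.10 and the `throw 212.174.112.0/24` entry are assumptions chosen to fit that setup.

```python
import ipaddress

# Main table, transcribed from the `route -n` output posted in this thread.
MAIN = [
    ("212.133.128.28/32", "unicast", "via 212.174.112.18"),
    ("212.133.146.192/30", "unicast", "dev eth0"),
    ("212.174.232.0/24", "unicast", "via 212.133.146.193"),
    ("212.174.112.0/24", "unicast", "dev eth1"),
    ("0.0.0.0/0", "unicast", "via 212.133.146.193"),
]
# Table 5 as created by `ip route add default via 212.174.112.18 table 5`.
TABLE5 = [("0.0.0.0/0", "unicast", "via 212.174.112.18")]
# Assumption: the same table plus a throw route for the eth1 network.
TABLE5_THROW = TABLE5 + [("212.174.112.0/24", "throw", None)]
# (priority, source selector, table): the posted rule 999 and the stock main rule.
RULES = [(999, "212.174.232.0/24", "5"), (32766, "0.0.0.0/0", "main")]


def lookup(table, dst):
    """Longest-prefix match inside one table; None when nothing matches."""
    hits = [r for r in table if dst in ipaddress.ip_network(r[0])]
    if not hits:
        return None
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)


def route(tables, src, dst):
    """Walk the rules in priority order and return (table, next hop)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, name in sorted(RULES):
        if src not in ipaddress.ip_network(selector):
            continue
        hit = lookup(tables[name], dst)
        if hit is None or hit[1] == "throw":
            continue  # no route here, or throw: try the next rule
        return name, hit[2]
    return None


if __name__ == "__main__":
    dialup = "212.174.232.10"  # constructed address inside the dial-up pool
    for label, t5 in (("no throw", TABLE5), ("with throw", TABLE5_THROW)):
        tables = {"5": t5, "main": MAIN}
        for dst in ("12.1.1.1", "212.174.112.13"):
            print(label, dst, route(tables, dialup, dst))
```

Without the throw entry the model sends dial-up traffic for 212.174.112.13 through 212.174.112.18 first, which is consistent with hop 6 of the first tracert posted in the thread; with it, that destination falls through to the main table and is delivered directly on eth1.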