On Monday, 24 May 2004, at 09:44:43 +0200,
Rafal Krzewski wrote:
+-+ +-+
|actaea | eth0 |ilex |
| 192.168.1.4 |-- localnet --| 192.168.1.1 |
+-+192.168.1.0/24+-+
eth1 / | ppp0
80.72.34.162 83.31.149.159
/ |
wlnettpsa
80.72.34.160/24 |
/ |
+--+ ++
| 80.72.34.161 | | 213.25.2.3 |
+--+ ++
\ /
\---, /
+--+ \
|salix |/ Internet
| 212.87.7.182 |'-, ,-
+--+
I want ilex to respond to any incoming trafic on 80.72.34.162 address
(it is running a DNS server). All outgoing trafic from localnet should
go through tpsa link (faster but non-static IP). Resposnses to the
latter should also return through tpsa link.
For the localnet traffic to exit your premises through tpsa you must
route this traffic through 213.25.2.3 as next hop with outgoing device
ppp0. You _must_ SNAT this traffic to 83.31.149.159, this way return
traffic will always come back from the Internet trhrough this same link.
after running:
ip route del default
ip route add default via 213.25.2.3
localnet traffic flows fine, BUT ilex no longer responds to pings from
salix on 80.72.34.162 address
The problem seems clear to me: your routing table at ilex will only have
entries for the directly connected networks and the default route you
have just show. So every traffic coming from a network different from
the local connected ones will get routed through the default gateway.
Maybe traffic arrives at its destination, but in its way back gets
routed along a different path (asymmetric routing) and is dropped or
lost somewhere.
4. What I did to diagnose the problem:
Tried pinging ilex from salix tracing the traffic with iptables -j LOG
(settings below). I'm able to see ping request packets, but no ping
response packets. I also tried monitoring the trafic with ethereal, both
on the virtuall 'all' interface, and also on each of the physical
interface (well, ppp0 isn't actually physical, but you get the idea) in
promiscous mode. Only ping request packets are visible.
I think tcpdump or ethereal is the way to go. Try to detect the traffic
from its source to its destination, and at each point see if packets are
as expected with respect to IP addresses. It seems traffic arrives OK at
ilex but this box doesn't reply to this traffic, whether this is ICMP or
even TCP connections (ssh).
Put a tcpdump/ethereal on the incoming interface, note down IP addresses
and ports (if applicable), and then have a look at:
http://www.docum.org/stef.coene/qos/kptd/
Try to depict the path the traffic would theoretically follow inside the
kernel paying attention both to iptables rules as well as the routing
policy database (both ip rules and ip routes). Traffic should end
up being received by the kernel, and a reply should come back. Even if
it is not the case the kernel should log something, check with dmesg.
ilex:~# ip rule show
0: from all lookup local
32764: from 213.25.2.3 lookup tpsa
32765: from 80.72.34.161 lookup wlnet
32766: from all lookup main
32767: from all lookup default
ip rules 32764 and 32765 will only apply to traffic with source IP
addresses as shown, but not to traffic coming through any of the
associated routers (except this routers also do SNAT to traffic coming
from the Internet). So packets from salix (212.87.7.182) will be routed
looking first at table local (the one that should apply to traffic
ending at ilex itself), and then loooking at table main.
The good thing about table local is that should be ok with no
administrator intervention, so the problem must be somewhere.
I apologize for not reading and checking the whole email to see if I
find the problem, but I am convinced this is a simple problem with
routing. The strange thing is traffic arriving at ilex, but this box no
replying back to the source.
Hope it helps.
--
Jose Luis Domingo Lopez
Linux Registered User #189436 Debian Linux Sid (Linux 2.6.6)
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
