Re: tables and default

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello Sandro,

 :   *  1 adsl (ppp0)
 :   *  1 more tables in rt_tables (200 ping) called "bluff"

All OK!

 :   *  table 'bluff *has not* a default route

This is the problem.

 :        root@fw-eden root # ip ro li table bluff
 :        192.168.5.0/24 dev eth1  scope link
 :
 :   *  ip rule add from 192.168.5.2 table bluff prio 50
 :
 :        root@fw-eden root # ip ru li
 :        0:      from all lookup local
 :        50:     from 192.168.5.0/24 lookup bluff
 :        32766:  from all lookup main
 :        32767:  from all lookup default
 :
 : Now I would think that pinging from 192.168.5.2 outside the LAN
 : should not work and in fact:
 :
 :     root@fw-eden root # ip ro get 62.207.143.51 from 192.168.5.2
 :     RTNETLINK answers: Invalid argument
 :
 : but if I try I can flawlessly get out.

First thing--I don't know why you are seeing this error from 'ip
route get'.  This should return the real route chosen.  You could
always try the ping and then check the route cache.  This should
help you identify the actual route chosen.

Here's what's happening.

  - kernel gets packet and needs to select a route
  - according to rule 0, we look up in table local
  - perform route lookup in table local--no match!
  - according to rule 50, we look up in table bluff
  - perform route lookup in table local--no match!
  - according to rule 32767, we look up in table main
  - perform route lookup in table main-- MATCH!
  - route packet out default gateway

If you add a route to table bluff as follows, you should effectively
prevent 192.168.5.0/24 from reaching any network other than
192.168.5.0/24.

  ip route add blackhole default table bluff

Now, any packets addressed from 192.168.5.0/24 will be blackholed.
This may not be quite what you desire, particularly if packets
addressed from 192.168.5.0/24 are created by your own router, so you
could always say:

  ip rule del prio 50 from 192.168.5.0/24 table bluff
  ip rule add prio 50 from 192.168.5.0/24 iif eth1 table bluff

Then again, you don't describe your network completely, so I could
be steering you wrong here.

And by the way, unless you have some very strange (but not
inconceivable) routes on your hosts inside the 192.168.5.0/24
network, you won't need to specify the route

  192.168.5.0/24 dev eth1  scope link

in table bluff.

 : Is this related to SNAT? In my opinion that should come
 : afterwords since SNAT in in the POSTrouting chain.

Nope!  No SNAT problem here!

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@xxxxxxxxxxxxxx
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux