Hello Sandro,

: * 1 adsl (ppp0)
: * 1 more table in rt_tables (200 ping) called "bluff"

All OK!

: * table 'bluff' *has not* a default route

This is the problem.

: root@fw-eden root # ip ro li table bluff
: 192.168.5.0/24 dev eth1 scope link
:
: * ip rule add from 192.168.5.2 table bluff prio 50
:
: root@fw-eden root # ip ru li
: 0:      from all lookup local
: 50:     from 192.168.5.0/24 lookup bluff
: 32766:  from all lookup main
: 32767:  from all lookup default
:
: Now I would think that pinging from 192.168.5.2 outside the LAN
: should not work and in fact:
:
: root@fw-eden root # ip ro get 62.207.143.51 from 192.168.5.2
: RTNETLINK answers: Invalid argument
:
: but if I try I can flawlessly get out.

First thing--I don't know why you are seeing this error from 'ip route
get'. This should return the real route chosen. You could always try the
ping and then check the route cache. This should help you identify the
actual route chosen.

Here's what's happening.

  - kernel gets packet and needs to select a route
  - according to rule 0, we look up in table local
  - perform route lookup in table local--no match!
  - according to rule 50, we look up in table bluff
  - perform route lookup in table local--no match!
  - according to rule 32767, we look up in table main
  - perform route lookup in table main--MATCH!
  - route packet out default gateway

If you add a route to table bluff as follows, you should effectively
prevent 192.168.5.0/24 from reaching any network other than
192.168.5.0/24.

  ip route add blackhole default table bluff

Now, any packets addressed from 192.168.5.0/24 will be blackholed. This
may not be quite what you desire, particularly if packets addressed from
192.168.5.0/24 are created by your own router, so you could always say:

  ip rule del prio 50 from 192.168.5.0/24 table bluff
  ip rule add prio 50 from 192.168.5.0/24 iif eth1 table bluff

Then again, you don't describe your network completely, so I could be
steering you wrong here.

And by the way, unless you have some very strange (but not
inconceivable) routes on your hosts inside the 192.168.5.0/24 network,
you won't need to specify the route 192.168.5.0/24 dev eth1 scope link
in table bluff.

: Is this related to SNAT? In my opinion that should come
: afterwards since SNAT is in the POSTROUTING chain.

Nope! No SNAT problem here!

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@xxxxxxxxxxxxxx

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
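The fall-through behaviour Martin walks through above (a rule whose table has no matching route does not stop the search; the kernel simply tries the next rule) is easy to get wrong, so here is a small Python model of the rule/table lookup. It is an added example, not code from the post or from iproute2, and it runs offline with constructed tables that mirror Sandro's setup. Assumptions not in the thread: the default route lives on ppp0 as "default dev ppp0", the router's own LAN address is 192.168.5.1, and 192.168.5.7 is an arbitrary LAN host used as a destination.

```python
"""Toy model of the Linux policy-routing lookup described in the post.

Rules are tried in priority order.  Each matching rule names a table, and the
first table that yields a matching route wins.  A table with NO matching
route does not end the search: lookup falls through to the next rule.  A
'blackhole' route does match, and discards the packet, which is why
'blackhole default' in table bluff is what actually confines 192.168.5.0/24.
"""
import ipaddress


def route(prefix, dev=None, via=None, blackhole=False):
    """One route entry: destination prefix plus device / next hop / blackhole."""
    return {"prefix": ipaddress.ip_network(prefix), "dev": dev, "via": via,
            "blackhole": blackhole}


def rule(prio, table, src=None, iif=None):
    """One RPDB rule: selector ('from' prefix, optional 'iif') and target table."""
    return {"prio": prio, "table": table,
            "src": ipaddress.ip_network(src) if src else None, "iif": iif}


def lookup_table(table, dst):
    """Longest-prefix match inside a single table; None when nothing matches."""
    best = None
    for r in table:
        if dst in r["prefix"] and (best is None or
                                   r["prefix"].prefixlen > best["prefix"].prefixlen):
            best = r
    return best


def route_packet(rules, tables, src, dst, iif=None):
    """Walk the rules in priority order.

    Returns (action, target, table): action is 'dev', 'via', 'blackhole' or
    'unreachable'.  iif=None models a packet generated by the router itself.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ru in sorted(rules, key=lambda r: r["prio"]):
        if ru["src"] is not None and src not in ru["src"]:
            continue
        if ru["iif"] is not None and ru["iif"] != iif:
            continue
        hit = lookup_table(tables.get(ru["table"], []), dst)
        if hit is None:
            continue                      # no route in this table: fall through
        if hit["blackhole"]:
            return ("blackhole", None, ru["table"])
        if hit["via"] is not None:
            return ("via", hit["via"], ru["table"])
        return ("dev", hit["dev"], ru["table"])
    return ("unreachable", None, None)


# Constructed setup mirroring the post.  "default dev ppp0" is an assumption;
# the post only says the packet leaves via the default gateway on the adsl link.
TABLES = {
    "local": [route("127.0.0.0/8", dev="lo")],
    "bluff": [route("192.168.5.0/24", dev="eth1")],
    "main": [route("192.168.5.0/24", dev="eth1"), route("0.0.0.0/0", dev="ppp0")],
}
RULES = [rule(0, "local"), rule(50, "bluff", src="192.168.5.0/24"),
         rule(32766, "main"), rule(32767, "default")]


def scenario_no_default():
    """Sandro's original config: bluff has no default, so the ping escapes via main."""
    return route_packet(RULES, TABLES, "192.168.5.2", "62.207.143.51", iif="eth1")


def scenario_blackhole():
    """After 'ip route add blackhole default table bluff': outside blocked, LAN fine."""
    tables = {**TABLES, "bluff": TABLES["bluff"] + [route("0.0.0.0/0", blackhole=True)]}
    outside = route_packet(RULES, tables, "192.168.5.2", "62.207.143.51", iif="eth1")
    lan = route_packet(RULES, tables, "192.168.5.2", "192.168.5.7", iif="eth1")  # 192.168.5.7: assumed host
    return outside, lan


def scenario_iif():
    """Rule restricted with 'iif eth1': router-generated packets keep using main."""
    tables = {**TABLES, "bluff": TABLES["bluff"] + [route("0.0.0.0/0", blackhole=True)]}
    rules = [rule(0, "local"), rule(50, "bluff", src="192.168.5.0/24", iif="eth1"),
             rule(32766, "main"), rule(32767, "default")]
    from_lan = route_packet(rules, tables, "192.168.5.2", "62.207.143.51", iif="eth1")
    # 192.168.5.1 as the router's own LAN address is an assumption.
    from_router = route_packet(rules, tables, "192.168.5.1", "62.207.143.51", iif=None)
    return from_lan, from_router


if __name__ == "__main__":
    print("no default in bluff:", scenario_no_default())
    print("blackhole default:  ", scenario_blackhole())
    print("iif eth1 rule:      ", scenario_iif())
```

Run it and the first line shows the packet from 192.168.5.2 leaving on ppp0 via table main, exactly the escape Sandro observed; the second shows the blackhole catching it while LAN-to-LAN traffic still resolves in bluff; the third shows the iif-qualified rule leaving the router's own traffic on the normal path.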