hi,
Damn!!! yes I forgot to mention this. This is to do with "anti
spoofing". In Redhat distro's it is switched on by default.
A brief simplistic explanation:
A packet is routed to your machine based on the destination address
(obvious), the source address isn't checked along the the route, and
you could put anything in there. The final delivery to a computer is
based on the MAC of the interface card, the interface card doesn't even
understand IP let alone do any address checking. This means that someone
could send you malicious packet(s) with a source IP address that is in
the range used on your internal LAN, in other words a friendly address.
This then is the "spoof"
The anti-spoofing mechanism checks the source address of the packets and
the interface it arrived on and reconciles that against the IP subnet
that is associated with that interface. If there there is a mis-match
the packet is discarded. For example: if your internal LAN is using
10.7.1.0/24 on eth1 then a packet arriving on eth0 with a source
address in that range will be discarded.
This next bit is a guess because I have not read it anywhere: The
anti-spoofing mechanism also does not allow you to transmit packets out
of an interface with destination addresses that are not appropiate for
that LAN. The exception of course is the interface which is seen as the
route to the "default gateway" as listed in the "main" routing table.
You can now see why you need to remove the anti-spoofing mechanism from
the second Internet interface. Just declaring a second "default gateway"
in another routing table does not change things.
Now that that automatic protection has been removed from the second
Internet interface you should put some rules in your iptables to compensate.
Finally if you think that by hiding behind a FW doing NAT no one out
there on the internet can see your internal addresses then you would be
wrong. Apart from other applications your Internet browser tells the
world what IP address your PC is using.
Regards Mike.
Janis Daniel Bistevins wrote:
Thanks Michael for your answer!
I finally did it in a way simillar as you described. Marking pakets
and using nat. BUT everything start working great when I found a
little detail:
echo "0" > /proc/sys/net/ipv4/conf/eth1
/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/eth2/rp_filter
Without this, things were confused.
Where this come from? I found this trick in a HowTo from a Spain site:
http://bulma.net/body.phtml?nIdNoticia=1615
Nowhere else!
So, what I did, is a common mistake? Is this assumed by default in
every configuration and because of this, there is no comments about
this in any other tutorial or howto?
Anyway, ones again Mike, thank you!!
Best regards
J.D.Bistevins
On 12/20/05, *Michael Davidson* <michael@xxxxxxxxx
<mailto:michael@xxxxxxxxx>> wrote:
Hi,
There is another way to do this, but I doubt that it is anymore
elegant than what you have right now. I have just completed this same
task and I can say that if I could have used your method - overlaying
another subnet -I would have done so since it's a cleaner solution
in my
view.
I used iptables to "mark" the packets of the flows that where
generated
by the server ( WWW).
I created a second routing table with it's own default route.
I created an "ip rule" which looks for a "mark" on the packets and
directs those packets to the new routing table.
Keep in mind, for this to work correctly you need to be using NAT or
Masquerade on at least one of your ISP ports.
Regards Mike
------------------------------------------------------------------------
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
--
Regards Mike.
Michael Davidson
Barone Budge & Dominick
Email: michael@xxxxxxxxx
Office: +27 11 532 8380
BB&D : +27 11 532 8300
Fax: +27 11 532 8400
Mobile: +27 82 650 5707
Home: +27 11 452 4423
This e-mail is confidential and subject to the disclaimer published at
http://www.bbd.co.za
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
