On Tue, Feb 13, 2007 at 10:54:51PM +0100, Paul Viney wrote:
> Thanks for the advice, Alex. I've been able to add both default routes - I
> hadn't considered using the metric to avoid using the VPN link.
> I guess I wasn't very clear with my use of 64.233.183.103, which was meant to
> be a random internet address coming in over the VPN link, not the default
> internet link.
> What exactly does the "prohibit default proto static metric 100" in your
> routing table do? Haven't you already had a default route which would trigger
> before reaching this rule?

It's been a while since I looked over this, but from memory, if the link goes
down, it stops the route table being used.

>
> I still seem to have much the same problem. I no longer get ICMP unreachable
> errors, but the packet just seems to disappear - I can't see it being
> forwarded on any interface, nor can I find any kind of reply - icmp or
> otherwise.

Sounds like a firewall issue!

>
> ip route get <random internet address> to 192.168.12.5 gives
> 192.168.12.5 dev eth3 src 192.168.12.1
>     cache mtu 1500 advmss 1460 metric 10 64
>
> ip route get <random internet address> to 192.168.12.5 iif eth1 gives
> RTNETLINK answers: Invalid argument

Try ip r g <random internet address> from 192.168.12.5; I seem to be getting
the same error as you.

>
> Am I not understanding how "ip route get" works? The man pages are fairly
> succinct in their explanation.
>
> Thanks for your help,
>
> Paul Viney
>
>
> On Tuesday 13 February 2007 21:40, Alex Samad wrote:
> > On Tue, Feb 13, 2007 at 02:50:13PM +0100, Paul Viney wrote:
> > > Hi all,
> > >
> > > I'm trying to set up a computer with 2 routes to the internet, much as
> > > described at http://lartc.org/howto/lartc.rpdb.multiple-links.html . One
> > > of my interfaces (eth5, 192.168.2.2) is only used for traffic originating
> > > inside the network. The other (eth1, 192.168.1.2) is only used for a VPN,
> > > where all (udp) traffic originates from outside our network. I have
> > > created a second routing table for eth1, with its own default gateway,
> > > and selected it with ip rule from 192.168.1.2 iif lo lookup 4. All this
> > > works fine.
> > > My problem is that one of the udp ports is forwarded to another server
> > > using iptables:
> > > /sbin/iptables -t nat -A PREROUTING -i eth1 -p udp -d 192.168.1.2 --dport
> > > 4902 -j DNAT --to 192.168.12.5:4902
> > >
> > > Using tcpdump on eth1, I can see that the incoming packets receive an
> > > icmp rejection, and when I try something like
> > >
> > > ip route get 192.168.12.5 from 64.233.183.103 iif eth1
> > > I get "RTNETLINK answers: Invalid argument"
> > >
> > > If I try
> > > ip route get 192.168.12.5 from 64.233.183.103 iif eth5
> > > I get
> > > 192.168.12.5 from 64.233.183.103 dev eth3 src 192.168.2.2
> > >     cache mtu 1500 advmss 1460 metric 10 64 iif eth5
> > >
> > > which leads me to conclude that the difference has something to do with
> > > the default route.
> > > I've tried things like
> > > ip rule add iif eth1 lookup 4 (4 being my custom routing table)
> > > ip rule add from 192.168.1.2 lookup 4
> > >
> > > and even
> > > iptables -t nat -I PREROUTING -i eth1 -p udp -j MARK --set-mark 1
> > > ip rule from all fwmark 0x1 lookup 4
> > > ip route flush cache
> > >
> > > I'm using linux 2.6.19.2 + grsecurity patches, every option I could find
> > > compiled in, on an up to date gentoo system.
> > >
> > > Can anyone see what I'm missing?
> > >
> > > Thanks,
> > >
> > > Paul Viney
> > >
> > >
> > > ip route show
> > > 192.168.2.0/24 dev eth5 proto kernel scope link src 192.168.2.2
> > > 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
> > > 192.168.12.0/24 dev eth3 proto kernel scope link src 192.168.12.1
> > > 127.0.0.0/8 dev lo scope link
> > > default via 192.168.2.1 dev eth5
> > >
> > > ip route show table 4
> > > 192.168.2.0/24 dev eth5 proto kernel scope link src 192.168.2.2
> > > 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
> > > 192.168.12.0/24 dev eth3 proto kernel scope link src 192.168.12.1
> > > 127.0.0.0/8 dev lo scope link
> > > default via 192.168.1.1 dev eth1
> > >
> > > ip rule show
> > > 0:      from all lookup local
> > > 9999:   from all fwmark 0x1 lookup 4
> > > 10000:  from 192.168.1.2 iif lo lookup 4
> >
> > If the ip address on eth1 is 64.233.183.103 then you need a rule
> > 10001:  from 64.233.183.103 lookup 4
> >
> > I don't think the fwmark rule will work with ip route get.
> >
> > Plus your routing information in table 4: you are saying that the default
> > address is available via 192.168.1.1 ???? That doesn't match up with
> > 64.233.183.103
> >
> >
> > This is my ip ru
> > 0:      from all lookup local
> > 200:    from 144.132.147.156 lookup cable
> > 201:    from 60.241.248.86 lookup adsl
> > 32766:  from all lookup main
> > 32767:  from all lookup default
> >
> >
> > 144.132.147.156 is one isp, 60.241.248.86 is the other one
> >
> > ip r sh tab cable
> > 192.168.8.248/29 dev tap0 scope link src 192.168.8.249
> > 192.168.11.0/24 dev vlan0 scope link src 192.168.11.1
> > 192.168.10.0/24 dev eth1 scope link src 192.168.10.1
> > default via 144.132.144.1 dev vlan2 proto static src 144.132.147.156 metric 50
> > prohibit default proto static metric 100
> >
> >
> > ip r sh tab adsl
> > 192.168.8.248/29 dev tap0 scope link src 192.168.8.249
> > 192.168.11.0/24 dev vlan0 scope link src 192.168.11.1
> > 192.168.10.0/24 dev eth1 scope link src 192.168.10.1
> > default via 10.20.20.168 dev ppp0 proto static src 60.241.248.86 metric 20
> > prohibit default proto static metric 100
> >
> > ip r sh tab default
> > default proto static metric 5
> >         nexthop via 144.132.144.1 dev vlan2 weight 1
> >         nexthop via 10.20.20.168 dev ppp0 weight 20
> > default via 10.20.20.168 dev ppp0 src 60.241.248.86 metric 20
> > default via 144.132.144.1 dev vlan2 src 144.132.147.156 metric 30
> >
> >
> > The difference for you should be in the default table: you will not need
> > default proto static metric 5
> >         nexthop via 144.132.144.1 dev vlan2 weight 1
> >         nexthop via 10.20.20.168 dev ppp0 weight 20
> >
> >
> > 'cause you want all your traffic to go out 1 link.
> >
> > alex
> >
> > > 30000:  from all lookup main
> > > 30000:  from all lookup default
_______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
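The thread never spells out the fix, so here is one as an added example (it is not from the thread, nor from either poster). The forwarded UDP/4902 packets arrive on eth1, are DNAT'd to 192.168.12.5 and reach the server; the replies come back in on eth3 with source 192.168.12.5, which matches neither the "from 192.168.1.2" rule nor anything in the nat table (nat only sees the first packet of a connection), so they are routed by the main table out eth5. The standard way to steer them is a connection mark: tag connections that entered on eth1 in the mangle table, restore that mark onto every packet of the connection before the routing decision, and send marked packets to table 4. Interface names and addresses are Paul's; table 4, mark 0x1, the rule priorities and the rp_filter change are assumptions of this example. Setting DRY_RUN=1 prints the commands instead of executing them; applying them needs root.

```shell
#!/bin/sh
# Added example, not from the thread: policy routing so that UDP/4902 DNAT'd in
# over the VPN link is answered back out the VPN link. Layout from Paul's post:
#   eth1 192.168.1.2  gateway 192.168.1.1  VPN link, routing table 4 (assumed)
#   eth5 192.168.2.2  gateway 192.168.2.1  normal link, main-table default
#   eth3 192.168.12.1 internal LAN, server 192.168.12.5 listening on udp/4902
# Needs root, iproute2 and iptables to apply; DRY_RUN=1 prints the commands instead.

VPN_IF=eth1
VPN_ADDR=192.168.1.2
VPN_GW=192.168.1.1
VPN_TABLE=4
LAN_IF=eth3
SERVER=192.168.12.5
PORT=4902
MARK=0x1

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_vpn_policy_routing() {
    # Table 4 must be complete: once a rule selects it, a default route there
    # matches every destination, so the connected networks need copying too.
    run ip route replace 192.168.1.0/24 dev "$VPN_IF" src "$VPN_ADDR" table "$VPN_TABLE"
    run ip route replace 192.168.12.0/24 dev "$LAN_IF" table "$VPN_TABLE"
    run ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$VPN_TABLE"

    # Locally generated traffic from the VPN address (what Paul already has)...
    run ip rule add from "$VPN_ADDR" lookup "$VPN_TABLE" priority 10000
    # ...and any packet carrying the VPN mark, which is how forwarded replies
    # from the LAN server are steered away from the main-table default on eth5.
    run ip rule add fwmark "$MARK" lookup "$VPN_TABLE" priority 9999
    run ip route flush cache

    # 1. Remember in conntrack that a connection entered on the VPN link.
    run iptables -t mangle -A PREROUTING -i "$VPN_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK"
    # 2. Copy the connection mark onto every packet of that connection before
    #    the routing decision. The replies from 192.168.12.5 enter on eth3, so
    #    this rule is what marks them; a nat-table rule never sees them.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 3. The port forward itself. Conntrack reverses the translation on the
    #    replies in POSTROUTING, so in FORWARD they still carry -s 192.168.12.5.
    run iptables -t nat -A PREROUTING -i "$VPN_IF" -p udp -d "$VPN_ADDR" --dport "$PORT" \
        -j DNAT --to-destination "$SERVER:$PORT"
    # 4. Only the forwarded port and its replies may cross between the two
    #    interfaces; everything else stays subject to the existing FORWARD policy.
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -p udp -d "$SERVER" --dport "$PORT" -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -p udp -s "$SERVER" --sport "$PORT" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # 5. Strict reverse-path filtering on eth1 checks the peer's source address
    #    with a route lookup that, without the mark, resolves to eth5 and drops
    #    the packet silently. Relax it on the VPN interface only; the -d/-s
    #    restrictions above remain the anti-spoofing control for this flow.
    run sysctl -q -w "net.ipv4.conf.$VPN_IF.rp_filter=0"
}

# Once applied, check the reply path (newer iproute2 accepts "mark" here):
#   ip route get <vpn peer address> from 192.168.12.5 iif eth3 mark 0x1
case "${1:-}" in
    show)  DRY_RUN=1 setup_vpn_policy_routing ;;
    apply) setup_vpn_policy_routing ;;
esac
```

Two things worth knowing when debugging this. "ip route get ... iif eth1" goes through the input routing path, which includes the reverse-path check, so "RTNETLINK answers: Invalid argument" there is the kernel rejecting the source address for that interface, not a syntax problem; it is the same check that silently drops real packets when rp_filter is strict. And ordering matters: mangle PREROUTING runs before the routing decision and before nat PREROUTING, which is why the mark has to be restored there rather than in the nat table.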