* Benoit Panizzon <200504201436.13402.benoit.panizzon@xxxxxx> 2005-04-20 14:36
> eth0: 10.0.0.1 (time.example.com)
> tun-A: 192.168.0.1 (with the 192.168.1.0/24 net attached on the other side)
>
> Now some client from the other side of the tunnel sends a ntp request to
> time.example.com (10.0.0.1)
> This arrives via the tunnel to the box and gets answered by ntpd who of
> course sees that 192.168.0.1 is the right interface to send the reply out.
>
> The client sees the ntp answer coming from 192.168.0.1 which is not where the
> request was sent to (10.0.0.1) and discards that reply.

What happens is that when ntpd sends out the reply it looks up the route for
192.168.0.0/24 and elects the source attribute as its source address.

Obviously you don't want to use 192.168.0.1 to address the host so you can
hide it by setting src = 10.0.0.1 for the tunnel route, e.g.

ip r d 192.168.0.0/24 dev tun-A
ip r a 192.168.0.0/24 dev tun-A src 10.0.0.1

So you should have something like this:

10.0.0.0/24 dev test scope link src 10.0.1.1

9: test@eth0: <POINTOPOINT,NOARP,UP> mtu 1476 qdisc noqueue
    link/gre 192.168.23.12 peer 192.168.23.1
    inet 10.0.0.1/24 scope link test

the address you want to distribute:

    inet 10.0.1.1/32 scope global eth0

So when you do a:

tgr:axs ~ echo "abcd" | nc -u 10.0.1.1 echo
abcd

15:43:14.327883 10.0.0.2.32793 > 10.0.1.1.echo: udp 5 (DF)
15:43:14.328196 10.0.1.1.echo > 10.0.0.2.32793: udp 5 (DF)

Proof:

ip r d 10.0.0.0/24 dev test src 10.0.1.1
ip r a 10.0.0.0/24 dev test

tgr:axs ~ echo "abcd" | nc -u 10.0.1.1 echo

15:47:36.367586 10.0.0.2.32794 > 10.0.1.1.echo: udp 5 (DF)
15:47:36.367948 10.0.0.1.echo > 10.0.0.2.32794: udp 5 (DF)
15:47:36.368295 10.0.0.2 > 10.0.0.1: icmp: 10.0.0.2 udp port 32794 unreachable [tos 0xc0]
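The route lookup the reply above describes (longest prefix match, then the route's src hint deciding the source address of a locally generated packet), as an added example that is not code from the thread. The route table text and the per-interface address map are constructed to mirror the tunnel setup in the mail; the fallback to the interface's own address when no src hint exists is a simplification of the kernel's address selection.

```python
import ipaddress

# Constructed `ip route show` style output, before and after adding the src hint
# that the reply recommends (these are not captures from the original mail).
ROUTES_BEFORE = """\
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.1
192.168.0.0/24 dev tun-A scope link
192.168.1.0/24 via 192.168.0.2 dev tun-A
"""
ROUTES_AFTER = """\
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.1
192.168.0.0/24 dev tun-A scope link src 10.0.0.1
192.168.1.0/24 via 192.168.0.2 dev tun-A src 10.0.0.1
"""

# Hypothetical primary address of each interface, used when a route has no src hint.
IFACE_ADDRS = {"eth0": "10.0.0.1", "tun-A": "192.168.0.1"}


def parse_routes(text):
    """Turn `ip route show` lines into (network, {key: value}) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        prefix = ipaddress.ip_network("0.0.0.0/0" if parts[0] == "default" else parts[0])
        attrs = {parts[i]: parts[i + 1] for i in range(1, len(parts) - 1)
                 if parts[i] in ("dev", "via", "src", "scope", "proto")}
        routes.append((prefix, attrs))
    return routes


def reply_source(routes, dst):
    """Source address a socket bound to 0.0.0.0 (as ntpd's reply was) ends up with
    when sending to dst: longest matching prefix wins, then the src hint if set."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, attrs in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, attrs)
    if best is None:
        return None  # no route: the send would fail with "network unreachable"
    return best[1].get("src") or IFACE_ADDRS.get(best[1].get("dev"))


def routes_missing_src(routes, dev, expected):
    """List routes over dev whose replies would NOT carry the advertised address."""
    return [str(p) for p, a in routes if a.get("dev") == dev and a.get("src") != expected]
```

Running `routes_missing_src` against the live table is a quick check that every tunnel route carries the service address clients actually send to.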