Re: double packet

Bill Fink wrote:

This is where I become somewhat confused as to what you're trying
to accomplish.  You want packets from your private net to your DMZ
to be routed out to the Internet and back rather than directly out
to the DMZ???

Yes. I know, it's a stupid thing, but now I would like to understand where
the problem is.

> > > tcpdump -p -n -i eth0 host ip 'HDSL public network host'
> > > 17:39:12.999287 IP 'ADSL IP' > 'HDSL public network host': ICMP echo
> > > request, id 256, seq 6656, length 40
> > > 17:39:13.037471 IP 'ADSL IP' > 'HDSL public network host': ICMP echo
> > > request, id 256, seq 6656, length 40

I didn't look at this tcpdump output closely enough before.  Now that
I look at it again this does not appear to be a tcpdump artifact since
there is almost a 40 ms difference in the timestamps.  Instead it appears
as if the packet has been routed out to the Internet and back and is now
being received on eth0 (presumably from your HDSL router).

Yes: packets are going out through the ADSL router and they are coming
back through the HDSL router :-))
Also I'm getting the echo reply when I ping the "HDSL router ip" from the
172.16.1.15 host :-)

You can verify this by adding the "-vv" and "-e" parameters to tcpdump,
which will let you see if the TTL has been decremented.

Yes, TTLs are decremented and MAC addresses look fine.

> Ok. Please correct me:
>
> 1) Packet start on 172.16.1.15 box. Destination IP is 'HDSL public network
> host'
> 2) I'm snatting those icmp packets with 'ADSL IP'
> 3) I'm marking those packet with "mark 2"
> 4) I'm routing this packet through "ADSL router"
> 5) packet leaving eth0 has source ip='ADSL IP' and destination ip='HDSL
> public network host'
> 6) the above packet should be sent to the internet by "ADSL router". Right?

Right.

> 7) "HDSL router" should receive the above packet from the internet and
> should send it
> to eth0. Right?

Right.

Ok, this is happening.

> 8) why I don't see on eth0 the above packet?

Wrong phrase: I do see the packet; tcpdump logs the packet with
a smaller TTL.

I now think you are.  The packet is probably just being dropped at
this point.  Such a packet with a source IP address of your ADSL IP
coming in from the Internet destined for your HDSL public network
host would normally be considered a classic case of a spoofed
source IP address, and an excellent reason for discarding such
a packet by the kernel.

Aha!

This is controlled by the rp_filter sysctl parameter, as documented
in the /usr/src/linux/Documentation/networking/ip-sysctl.txt file:

rp_filter - BOOLEAN
        1 - do source validation by reversed path, as specified in RFC1812
            Recommended option for single homed hosts and stub network
            routers. Could cause troubles for complicated (not loop free)
            networks running a slow unreliable protocol (sort of RIP),
            or using static routes.

        0 - No source validation.

        conf/all/rp_filter must also be set to TRUE to do source validation
        on the interface

        Default value is 0. Note that some distributions enable it
        in startup scripts.

So check your /proc/sys/net/ipv4/conf/*/rp_filter settings.

Ok. I have checked these settings. My firewall set rp_filter to 1. I have
set all rp_filter (lo, eth0, eth1, eth2, all, default) to 0, but nothing
has changed: I don't see any packet on eth1.

Perhaps there is some other flag?

It could also be as simple as you needing a FORWARD rule for your
ADSL IP address.

I have also tried this:

iptables -P FORWARD ACCEPT

Anything else to try?

Thanks a lot for the feedback.

PS: I have proxy_arp enabled on the eth0 device, but I think this
should not be relevant for this issue.
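As an added example (not part of the thread, and not written by either poster), the following POSIX shell script does the check Bill suggests above, reading every /proc/sys/net/ipv4/conf/*/rp_filter and reporting the per-interface value, the "all" value and the value that actually applies. The function names are hypothetical, and the constructed sysctl tree built by make_fake_tree only mirrors the setup described in the thread (a firewall script that turned rp_filter on) so the script can be exercised offline. One caveat the quoted ip-sysctl.txt text does not carry: current kernels use the maximum of conf/all/rp_filter and conf/<iface>/rp_filter (and accept the value 2 for loose mode), whereas the 2.4-era text quoted above required conf/all to be set as well, so on either kind of kernel both values must be inspected before concluding that reverse-path filtering is off on an interface.

```shell
#!/bin/sh
# Added example, not from the thread. Reports the rp_filter state of every
# interface under a sysctl tree. The default root is the live
# /proc/sys/net/ipv4; a constructed tree can be passed instead so the
# script can be exercised offline. All function names are hypothetical.

# Read one sysctl file, treating a missing file as 0.
read_sysctl() {
    cat "$1" 2>/dev/null || echo 0
}

# Effective rp_filter for an interface: current kernels apply
# max(conf/all/rp_filter, conf/<iface>/rp_filter). The 2.4-era text quoted
# in the thread instead required conf/all to be set before the per-interface
# value took effect, so both values are read and shown whichever kernel you run.
rp_filter_effective() {
    _root=$1
    _iface=$2
    _all=$(read_sysctl "$_root/conf/all/rp_filter")
    _own=$(read_sysctl "$_root/conf/$_iface/rp_filter")
    if [ "$_all" -gt "$_own" ]; then echo "$_all"; else echo "$_own"; fi
}

# Human-readable mode for an rp_filter value (2 = loose mode on newer kernels).
rp_filter_mode() {
    case $1 in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# One line per real interface; "all" and "default" are folded into the
# effective value rather than listed on their own.
rp_filter_report() {
    _r=${1:-/proc/sys/net/ipv4}
    for _dir in "$_r"/conf/*/; do
        _if=$(basename "$_dir")
        case $_if in all|default) continue ;; esac
        _eff=$(rp_filter_effective "$_r" "$_if")
        printf '%-8s conf=%s all=%s effective=%s (%s)\n' "$_if" \
            "$(read_sysctl "$_dir/rp_filter")" \
            "$(read_sysctl "$_r/conf/all/rp_filter")" \
            "$_eff" "$(rp_filter_mode "$_eff")"
    done
}

# Constructed sysctl tree mirroring the situation in the thread: a firewall
# script has turned rp_filter on for "all" and eth0 (constructed data).
make_fake_tree() {
    for _i in all default lo eth0 eth1 eth2; do
        mkdir -p "$1/conf/$_i"
        echo 0 > "$1/conf/$_i/rp_filter"
    done
    echo 1 > "$1/conf/all/rp_filter"
    echo 1 > "$1/conf/eth0/rp_filter"
}

# Demo: report before and after zeroing every rp_filter, as the poster did.
demo() {
    _t=$(mktemp -d)
    make_fake_tree "$_t"
    echo "before:"; rp_filter_report "$_t"
    for _f in "$_t"/conf/*/rp_filter; do echo 0 > "$_f"; done
    echo "after:";  rp_filter_report "$_t"
    rm -rf "$_t"
}

# Run the offline demo unless RP_FILTER_DEMO=0; pass a real root to
# rp_filter_report (or no argument) to inspect a live host.
[ "${RP_FILTER_DEMO:-1}" = 1 ] && demo
```

Run it as-is for the offline demo, or source it and call `rp_filter_report` with no argument on the machine under test. In the constructed "before" state eth1 and eth2 show conf=0 but effective=1 because "all" is 1, which is the case a quick glance at a single per-interface file would miss.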


-
: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html