URGENT: Problem with source-based routing and masquerading.

To: debian-firewall@lists.debian.org
Cc: Paul.Russell@rustcorp.com.au
Subject: URGENT: Problem with source-based routing and masquerading.
From: Rene Mayrhofer <rene.mayrhofer@vianova.at>
Date: Tue, 14 Dec 1999 15:07:24 +0000
Message-id: <[🔎] 38565D2C.5424309F@vianova.at>

Hi all

I have a very urgent problem. 

At the moment I am trying to do source-base routing with kernel 2.2.13.
The machine should be a router with 12 network ports and two port per
customer. Each customer uses one port for his internal network and one
port for the connection to his Internet provider.
When I use static routing, it works perfectly. A ping from the customer
1 internal network is sent out over the correct port to the Internet
provider of customer one. The same for customer 2.
But when I try to masquerade the connection, it does only work for
provider one.

The routing tables:
- routing table main contains all routes to the networks that are
directly connected to the interfaces.
- there is one routing table for each customer and each has only a
default route

The routing rules:
- the main table is selected
- the customer routing tables are selected according to the incoming
interface 
- the last rule is selects the routing table of customer one for
incoming interface lo

The setup works when the customers use official addresses and the router
itself can also connect to the Internet (this is why the last rule is
set - the router itself uses the Internet provider of customer 1).
When the customers use private addresses, the router creates packets
that seem to come from the lo interface, for what I know. And the router
sends the packets with the correct source address over the correct
interface. But when the packet comes back (e.g. a ping) from the
Internet, it is not demasqueraded, but discarded. 
I inserted logging rules in the input, output and forward chains and I
see exactly this happening:
1. incoming: a packet from a private address coming from the customer
LAN
2. forwarding: the same packet
3. output: the same packet, but source address changed to the address of
the external interface of this customer (outoing of the correct
interface)
4. input: the packet coming back fomr the Internet, source address is
the Internet host, destination address is the address of the external
interface (also correct)
NOTHING ELSE

Another manifestation of the same problem: I can not ping the address of
the external interface of customer 2 from the Internet. I can only ping
customer 1 (remember: all packets coming from interface lo are routed
over customer 1's Internet provider).
How does the ping reply work ? Are the reply packets send from interface
lo ? With which source address on them ? 
I think that the source address of the ping reply packets is incorrect,
because even when they go out over the wrong interface (the Internet
provider of customer 1 instead of cutomer 2), they should reach the
pinging host and that should recognize the reply.
Can it be that the source address is generated from the routing table
(in this case: the default route for packets from interface lo points to
another interface) and not set the same as the address that the ping was
sent to ???

Thanks
Rene Mayrhofer

Reply to:

Prev by Date: Re: Which ICMP packets to filter, which to allow to pass?
Next by Date: OT: [Fwd: Linux Today: Richard Stallman -- Boycott Amazon!]
Previous by thread: Re: Which ICMP packets to filter, which to allow to pass?
Next by thread: OT: [Fwd: Linux Today: Richard Stallman -- Boycott Amazon!]
Index(es):
- Date
- Thread