
iptables applied only on 'main' kernel routing table?

Hi everybody!

I am not sure what I am doing wrong, but by now I keep getting stuck with some
iptables rules (especially NAT ones) not being applied when I try to use a
second routing table with the 'ip route' and 'ip rule' commands...
I still have not fully read the LARTC (it's huge!), but I think I have
read the relevant part, and was not able to find anything about this...
If someone can help me by giving any hint or pointer!

Here is a (simplified) scheme of my firewall:

   ISP1 (leased line, public IP addresses: a.b.c.1/28)
    :eth0:a.b.c.2/28 (eth0:0:a.b.c.3/28 => DNAT 10.200.0.3)
    |
    |    ... ISP2 (ADSL link, private IP addresses: 10.0.0.2/24)
    |   /eth1:10.0.0.1/24
  +-o--o-+
  |      |eth2:10.200.0.1/24
  |  FW  o----o--------o-- local network (private IP addresses: 10.200.0.0/24)
  |      |    |.10     |.3
  +------+ +--o--+   +-o-+
           |     |   |   |
           +-----+   |SRV|
           /_____\   |   |
                     +---+

Here is my configuration (Woody, kernel 2.4.18-1-586tsc):

  # ip rule
  0:      from all lookup local
  32765:  from 10.200.0.10 lookup ADSL
  32766:  from all lookup main
  32767:  from all lookup default

  # ip route show table local (from interfaces, I didn't touch it)
  local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
  local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1
  broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
  broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
  local a.b.c.2 dev eth0  proto kernel  scope host  src a.b.c.2
  local a.b.c.3 dev eth0  proto kernel  scope host  src a.b.c.2
  broadcast a.b.c.15 dev eth0  proto kernel  scope link  src a.b.c.2
  local 10.0.0.1 dev eth1  proto kernel  scope host  src 10.0.0.1
  broadcast 10.0.0.0 dev eth1  proto kernel  scope link  src 10.0.0.1
  broadcast 10.0.0.255 dev eth1  proto kernel  scope link  src 10.0.0.1
  local 10.200.0.1 dev eth2  proto kernel  scope host  src 10.200.0.1
  broadcast 10.200.0.0 dev eth2  proto kernel  scope link  src 10.200.0.1
  broadcast 10.200.0.255 dev eth2  proto kernel  scope link  src 10.200.0.1

  # ip route show table ADSL (from my own, does it miss "proto kernel"?)
  local 127.0.0.1 dev lo  scope host  src 127.0.0.1
  local a.b.c.2 dev eth0  scope host  src a.b.c.2
  local a.b.c.3 dev eth0  scope host  src a.b.c.2
  local 10.0.0.1 dev eth1  scope host  src 10.0.0.1
  local 10.200.0.1 dev eth2  scope host  src 10.200.0.1
  127.0.0.0/8 dev lo  scope link  src 127.0.0.1
  a.b.c.0/28 dev eth0  scope link  src a.b.c.2
  10.0.0.0/24 dev eth1  scope link  src 10.0.0.1
  10.200.0.0/24 dev eth2  scope link  src 10.200.0.1
  default via 10.0.0.2 dev eth1
  default via a.b.c.1 dev eth0  metric 1

  # ip route show table main (from interfaces, only added second default)
  a.b.c.0/28 dev eth0  proto kernel  scope link  src a.b.c.2
  10.0.0.0/24 dev eth1  proto kernel  scope link  src 10.0.0.1
  10.200.0.0/24 dev eth2  proto kernel  scope link  src 10.200.0.1
  default via a.b.c.1 dev eth0
  default via 10.0.0.2 dev eth1  metric 1

What I'm trying to do, and which is not working, is to communicate from
an internal host (10.200.0.10) to an internal server (10.200.0.3) using
its public IP address (a.b.c.3). It usually works using DNAT, and
forcing SNAT when the request comes from the internal network so it will
come back to the FW for un-[SD]NATing. It stops working when I put in
'ip rule add from 10.200.0.10 table ADSL'.

Here are my iptables rules (reduced set; yes, there is filtering as well):

  *nat
  -A PREROUTING -d a.b.c.3 -j DNAT --to-destination 10.200.0.3
  -A POSTROUTING -s ! a.b.c.2 -o eth0 -j SNAT --to-source a.b.c.2
  -A POSTROUTING -s ! 10.0.0.1 -o eth1 -j SNAT --to-source 10.0.0.1
  # went through the FW because of DNAT, so SNAT it so the reply comes back here for un-DNAT
  -A POSTROUTING -s 10.200.0.0/24 -d 10.200.0.0/24 -o eth2 -j SNAT --to-source 10.200.0.1
  COMMIT

Any comments (even private flames) are welcome...

Regards, J.C.
-- 
J.C. 《プログフ》 ANDRÉ <jean-christophe.andre@auf.org> http://www.vn.refer.org/
Regional technical coordinator / Technology associate, Reflets project (CODA)
Agence universitaire de la Francophonie (AuF) / Asia-Pacific Office (BAP)
Postal address: AUF, 21 Lê Thánh Tông, T.T. Hoàn Kiếm, Hà Nội, Việt Nam
Tel.: +84 4 9331108   Fax: +84 4 8247383   Mobile: +84 91 3248747
⎧ Personal note: please avoid sending me PowerPoint or Word files;        ⎫
⎩ see http://www.fsf.org/philosophy/no-word-attachments.fr.html           ⎭
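To see which table and route the kernel picks for the hairpin flow described in the post, here is an added example (my own code, not from the post) that replays the `ip rule` order and the longest-prefix lookup over the tables shown above, applying the PREROUTING DNAT first as the kernel does before its routing decision. It assumes the a.b.c.X addresses are stand-ins from the documentation range 203.0.113.0/24 and leaves out the broadcast entries.

```python
import ipaddress

# Tables constructed from the post. The public a.b.c.X addresses are stand-ins from the
# documentation range 203.0.113.0/24 (an assumption); broadcast entries are omitted.
LOCAL = [("127.0.0.0/8", "lo", None, 0), ("203.0.113.2/32", "eth0", None, 0),
         ("203.0.113.3/32", "eth0", None, 0), ("10.0.0.1/32", "eth1", None, 0),
         ("10.200.0.1/32", "eth2", None, 0)]
CONNECTED = [("203.0.113.0/28", "eth0", None, 0), ("10.0.0.0/24", "eth1", None, 0),
             ("10.200.0.0/24", "eth2", None, 0)]
TABLES = {  # entries are (prefix, dev, via, metric)
    "local": LOCAL,
    "ADSL": LOCAL + CONNECTED + [("0.0.0.0/0", "eth1", "10.0.0.2", 0),
                                 ("0.0.0.0/0", "eth0", "203.0.113.1", 1)],
    "main": CONNECTED + [("0.0.0.0/0", "eth0", "203.0.113.1", 0),
                         ("0.0.0.0/0", "eth1", "10.0.0.2", 1)],
    "default": [],
}
# (priority, source selector or None for "from all", table), as printed by `ip rule`
RULES = [(0, None, "local"), (32765, "10.200.0.10", "ADSL"),
         (32766, None, "main"), (32767, None, "default")]
# The PREROUTING DNAT of the post: public server address -> internal server
DNAT = {"203.0.113.3": "10.200.0.3"}

def lookup(table, dst):
    """Longest-prefix match in one table; on equal length the lower metric wins."""
    ip, best = ipaddress.ip_address(dst), None
    for prefix, dev, via, metric in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[3])):
            best = (net, dev, via, metric)
    return None if best is None else (str(best[0]), best[1], best[2])

def route(dst, src, rules=RULES):
    """Walk `ip rule` entries by priority; the first table with a matching route decides."""
    for _prio, selector, name in sorted(rules):
        if selector is not None and selector != src:
            continue  # rule does not apply to this source address
        hit = lookup(TABLES[name], dst)
        if hit is not None:
            return name, hit
    return None, None

def forward_decision(src, dst, rules=RULES):
    """DNAT first (nat PREROUTING runs before the routing decision), then route the rewritten packet."""
    new_dst = DNAT.get(dst, dst)
    table, hit = route(new_dst, src, rules)
    return {"dnat_to": new_dst, "table": table, "route": hit}
```

With and without the ADSL rule, the DNAT'd packet from 10.200.0.10 resolves to the 10.200.0.0/24 route on eth2; `route()` also shows the rule's effect on plain outbound traffic from 10.200.0.10 (ADSL default via eth1 instead of ISP1 via eth0).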