Policy routing and Linux

bscott at ntisys.com bscott at ntisys.com
Mon Apr 26 21:18:00 EDT 2004


On Mon, 26 Apr 2004, at 7:27pm, bscott at ntisys.com wrote:
> ... the commands I type don't seem to work.  The system accepts them, and
> appears to make changes to the routing tables, but the packets still end
> up going out the wrong interface.

  Turns out that is not entirely true.  I was testing my routing
configuration by using a NetFilter DNAT (port forwarding) rule.  That
appears to be where things are not working.  My policy routing configuration
works just fine if I connect to a service running on the firewall itself.  
Our firewall normally doesn't run any publicly exposed services, for
security reasons.  So I temporarily added the "echo" service, and found it
worked as desired.

  So it appears that NetFilter DNAT and iproute2 policy routing are not
working together.  Looking at a diagram of kernel routing internals, I begin
to suspect why.  I think NetFilter is not reversing the DNAT translation on
the outbound until the packet has already traversed the kernel router, so
the routing policy database thinks the packet is coming from the LAN, and
thus does not apply the right policy rule.

  Solving this problem will have to wait until another day.  If anyone
knows the answer already, your assistance will be welcomed.

-- 
Ben Scott <bscott at ntilinux.com>
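Editor's added example, not part of Ben's post and not a configuration he
describes: a script showing the usual way around the problem he suspects.
The reverse (un-DNAT) translation of a reply packet is applied in the nat
POSTROUTING hook, after the routing decision, so an "ip rule ... from
<public address>" rule never sees the public address on replies to a
port-forwarded service; the routing policy database sees the LAN server's
address as the source, exactly as the post describes.  Services on the
firewall itself reply from the public address directly, which is why that
test worked.  The fix is to record on the connection (CONNMARK) which uplink
it arrived on and restore that mark onto the reply in mangle PREROUTING,
which runs before routing, then select the table by fwmark.  Interface
names, the RFC 5737 documentation addresses, table numbers and mark values
are assumptions for illustration; the CONNMARK target is assumed to be
available (it is in current kernels).  Commands are only printed unless
APPLY=1 is set, since the real ones need root and real interfaces.

```sh
#!/bin/sh
# Added example for policy routing of DNAT'd replies on a dual-uplink
# firewall.  Everything below (interfaces, addresses, table and mark
# numbers) is an assumption for illustration.

ISP1_IF=eth0;  ISP1_GW=203.0.113.1;  ISP1_ADDR=203.0.113.10
ISP2_IF=eth1;  ISP2_GW=198.51.100.1; ISP2_ADDR=198.51.100.10
LAN_IF=eth2;   LAN_SERVER=192.168.1.20
ISP1_TABLE=101; ISP2_TABLE=102
ISP1_MARK=1;    ISP2_MARK=2

# Print the command unless APPLY=1, in which case execute it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# One routing table per uplink, each with its own default route.
setup_tables() {
    run ip route add default via "$ISP1_GW" dev "$ISP1_IF" table "$ISP1_TABLE"
    run ip route add default via "$ISP2_GW" dev "$ISP2_IF" table "$ISP2_TABLE"
}

# Source-address rules.  These cover services running on the firewall
# itself, whose replies carry the public address before routing.
setup_source_rules() {
    run ip rule add from "$ISP1_ADDR" table "$ISP1_TABLE"
    run ip rule add from "$ISP2_ADDR" table "$ISP2_TABLE"
}

# Mark-based rules.  These cover DNAT'd connections, whose replies still
# carry the LAN server's address when the routing decision is made.
setup_mark_rules() {
    run ip rule add fwmark "$ISP1_MARK" table "$ISP1_TABLE"
    run ip rule add fwmark "$ISP2_MARK" table "$ISP2_TABLE"
}

# Forward TCP/80 on each public address to the LAN server, and record on
# the connection which uplink the first packet arrived on.
setup_dnat() {
    for spec in "$ISP1_IF:$ISP1_ADDR:$ISP1_MARK" "$ISP2_IF:$ISP2_ADDR:$ISP2_MARK"; do
        ifc=${spec%%:*}; rest=${spec#*:}; addr=${rest%%:*}; mark=${rest#*:}
        run iptables -t nat -A PREROUTING -i "$ifc" -d "$addr" -p tcp --dport 80 \
            -j DNAT --to-destination "$LAN_SERVER"
        run iptables -t mangle -A PREROUTING -i "$ifc" -m conntrack --ctstate NEW \
            -j CONNMARK --set-mark "$mark"
    done
    # Replies enter from the LAN, not yet un-DNAT'd (that happens in nat
    # POSTROUTING).  Conntrack has already matched them to the connection
    # by the time mangle PREROUTING runs, so copy the connection mark onto
    # the packet; the fwmark rules above then choose the right uplink.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
}

# Emit (or apply) the whole configuration in dependency order.
plan() { setup_tables; setup_source_rules; setup_mark_rules; setup_dnat; }

plan
```

Run it once without APPLY to read the generated commands, then with
APPLY=1 as root.  On older kernels an "ip route flush cache" after
changing rules is also needed, and the FORWARD chain must of course
still accept the ESTABLISHED replies.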
