packet mangling and routing

Michael L Torrie torriem at chem.byu.edu
Tue Oct 16 13:05:39 MDT 2007


Lonnie Olson wrote:
> On Tue, 2007-10-16 at 08:58 -0600, Michael L Torrie wrote:
>> This is for any iptables and networking gurus out there.  I have a
>> server that sits on both the BYU private and public network.  The one
>> NIC is on a 10.x.x.x/24 network, and the other is on the 128.187.x.x/24
>> network.  This is, of course, a bit of a problem, because there can be
>> only one default route.  Now one would think, then, that we could
>> trivially add static routes, keeping 10.x traffic on the one NIC, and
>> then everything else on the 128.187 NIC.  But the problem is that inside
>> of BYU, computers who are also on the 10.x network can reach both 10.x
>> addresses *and* 128.187. addresses.  So in the worst case, traffic from
       ^^^^^^^^^^^^^^^^^^^^^
You missed this relevant info.

>> a fellow 10.x node will come in the 10.x NIC and return traffic will go
>> out the 128.x NIC, which I don't think is going to really work,
>> especially if the originating computer is running a firewall, since
>> connection tracking just isn't going to work, and the packet won't be
>> recognized as being a reply.
> 
> Why won't this work?  If a fellow 10.x node requests traffic from your
> 10.x address, the source IP is 10.x.  There should be a route in the
> routing table for the 10.x network to traverse the private interface.
> No problem, exactly what you want.

It doesn't work because traffic from a 10.x address can actually reach
and come in the 128 interface.  With your routing rules, as long as the
10.x addresses only tried to reach the 10.x NIC, then things would work
fine.

To complicate matters, BYU does not support a split DNS, so I can't say
"hostname" is 10.x.x.x when asked by a 10.x host, and 128.x.x.x when
asked by anyone else.

> 
> The routing table is consulted per packet, not per connection.  The
> default route is only used when a connected or static route doesn't
> exist.

I'm sure a packet would make it back to the requesting computer, even if
it was going out the wrong interface.  However, the calling computer
would likely discard it, since it's not coming from the same IP address
as the original destination.  Linux iptables, for example, would not see
it as a related packet when tracking connections.  So UDP and TCP things
would likely not work, but ping would.

> 
> Example routing table:
> Destination	Genmask		Gateway		Iface
> 0.0.0.0		0.0.0.0		128.187.0.1	eth0
> 128.187.0.0	255.255.255.0	0.0.0.0		eth0
> 10.2.0.0	255.255.255.0	0.0.0.0		eth1
> 10.0.0.0	255.0.0.0	10.2.0.1	eth1
> 
> Explanation.  eth0 is the public interface.  eth1 is the private.  
> There are two connected routes (public and private), a default route,
> and a static route.  No outbound packets destined to 10.x addresses will
> ever touch the public interface, no matter what interface the packet
> comes in on.  
> 
> The key is to remember that routing is per packet by destination.  It is
> perfectly valid to have return traffic travel through a different
> interface than the source traffic.
> 
> --lonnie
> 
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
> 
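The routing table Lonnie quotes above, worked through as an added example (not code from either poster): a longest-prefix-match lookup in the style of the kernel forwarding table, plus a trace of one request/reply pair that shows which interface the reply leaves by when the routing decision is made on the destination alone, and a model of strict reverse-path filtering (Linux `rp_filter=1`), which accepts a packet only when the best route back to its source goes out the interface it arrived on. The server address 128.187.0.10 and the client addresses 10.2.0.10 and 10.2.0.50 are made up for the illustration; the `Route` record and the function names are this example's own.

```python
"""Per-packet, destination-based routing over the table quoted in the thread.

Constructed example: the four routes are Lonnie's; the host addresses used
in the trace (128.187.0.10, 10.2.0.10, 10.2.0.50) are invented.
"""
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network gateway iface")

# Lonnie's table: destination/genmask, gateway (None = directly connected), interface.
ROUTING_TABLE = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "128.187.0.1", "eth0"),      # default
    Route(ipaddress.ip_network("128.187.0.0/24"), None, "eth0"),          # connected, public
    Route(ipaddress.ip_network("10.2.0.0/24"), None, "eth1"),             # connected, private
    Route(ipaddress.ip_network("10.0.0.0/8"), "10.2.0.1", "eth1"),        # static, rest of 10.x
]


def lookup(dst):
    """Return (iface, next_hop) for a destination address.

    The most specific matching prefix wins, as in the kernel FIB; the default
    route (prefix length 0) matches everything and so only wins when nothing
    else does.  For a connected route the next hop is the destination itself.
    """
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in ROUTING_TABLE if dst in r.network]
    best = max(candidates, key=lambda r: r.network.prefixlen)
    return best.iface, best.gateway or str(dst)


def trace_exchange(client_ip, server_ip, ingress_iface):
    """Model one request and its reply.

    The request arrives on ingress_iface addressed to server_ip.  A TCP/UDP
    socket answers from the address the request was sent to, and the kernel
    chooses the outgoing interface from the reply's destination alone, so the
    reply can leave by a different interface than the request came in on.
    """
    reply_iface, reply_next_hop = lookup(client_ip)
    return {
        "request": {"src": client_ip, "dst": server_ip, "iface": ingress_iface},
        "reply": {"src": server_ip, "dst": client_ip,
                  "iface": reply_iface, "via": reply_next_hop},
        "asymmetric": reply_iface != ingress_iface,
    }


def strict_rp_filter_accepts(src_ip, ingress_iface):
    """Strict reverse-path filter (Linux rp_filter=1).

    Accept the packet only if the best route back to its source address uses
    the interface the packet arrived on; otherwise it is silently dropped.
    """
    return lookup(src_ip)[0] == ingress_iface


if __name__ == "__main__":
    for dst in ("10.2.0.50", "10.5.1.2", "128.187.0.7", "8.8.8.8"):
        print(dst, "->", lookup(dst))
    # A 10.x client that reached the server by its public address.
    print(trace_exchange("10.2.0.50", "128.187.0.10", "eth0"))
    # The same client reaching the server by its private address.
    print(trace_exchange("10.2.0.50", "10.2.0.10", "eth1"))
    print("strict rp_filter on eth0 accepts 10.2.0.50:",
          strict_rp_filter_accepts("10.2.0.50", "eth0"))
```

With this table a request from 10.2.0.50 to 128.187.0.10 comes in on eth0 and its reply goes out eth1 via the connected 10.2.0.0/24 route, sourced from 128.187.0.10: the addresses of the reply mirror the request, only the interfaces differ. The same request would already be dropped on arrival by strict reverse-path filtering on eth0, because the route back to 10.2.0.50 points at eth1; that is one concrete thing to check (`net.ipv4.conf.eth0.rp_filter`) when a dual-homed host appears to ignore traffic from the other network.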