Networking :: Route Type Unreachable Overriding Local Packet Generation For Marking Packets
Jun 16, 2010
My issue is with linux routing tables using iproute2, coupled with the iptables MARK target. When I create a rule to lookup a table with iproute2, and the routing table routes an address as type unreachable (or blackhole, or prohibit), if a higher priority rule does a lookup to another table that routes the address as type unicast but that higher priority rule also matches on a fwmark, the packet to that address is never generated locally to even go through iptables packet filtering/mangling in order to mark it, because the lower priority rule that doesn't match on a fwmark says it's unreachable. For example, I have 2 rules installed with ip:
Code:
10: from all fwmark 0x1000 lookup routeit
20: from all lookup unreach
ip route list table routeit
[code]....
Now, in the packet filter, I have an iptables rule to mark packets to destination 10.0.0.5 with 0x1000 in the mangle table and OUTPUT chain. When I generate a packet locally to 10.0.0.5, all programs get ENETUNREACH (tested with strace). However, if I take out the route entry that 10.0.0.0/8 is unreachable, it all works fine and the routes in the routeit table get applied to marked packets (I know because my default gateway would not be 1.2.3.4, but wireshark shows packets being sent to the MAC address of 1.2.3.4).
The best I can surmise is that when generating a packet locally, the kernel tests the routing tables in priority order but without any mark to see if it is unreachable/blackhole/prohibit, and doesn't even bother generating the packet and traversing iptables rules to see if it would eventually be marked and thus routed somewhere. Then I assume after that step, it traverses iptables rules, then traverses the routing tables again to find a route. So is there any way around this behavior besides adding fake routes to the routing table (e.g. routing 10.0.0.5 to dev lo in the unreach table in this example)?
|eth0 (a.a.a.a) | Linux PC |<----------------> | ROUTER |eth1 (b.b.b.b) | |<----------------->|
the linux machine has two interfaces eth0 (a.a.a.a) and eth1 (b.b.b.b) connnected to two interfaces of a router. Now that if I send any packet destined to b.b.b.b from a.a.a.a interface on the linux machine, it should take the folowing path: eth0->router->eth1 . and it should be the same for vice versa.
br0 - 192.168.0.1 - Internet eth2 - 192.168.1.1 - LAN tun0 - 10.0.0.2 - VPN (via br0)
What I'd like to do is to route all TCP packets coming from eth2 to tun0 where a VPN client is running on 10.0.0.2. If I delete all default routes and if I add a new route to tun0 like :
Code:
route del default route add default gw 10.0.0.2
Everything is fine, and everyone on eth2 can reach the Internet using the VPN access. Now the problem is that my VPN client does not allow any other protocols other than TCP. And I also want to allow VPN access only to eth2, no other LAN nor the router itself. use iptables to filter any TCP packets and mark them, so they can be sent to tun0, while any other packets can reach the Internet via br0 (192.168.0.1). I found on the Internet that we can mark packets before they get routed. Using the following commands :
Code:
iptables -t mangle -A PREROUTING -j MARK --set-mark 85 -i eth2 -p tcp --dport 80 ip route add table 300 default via 10.0.0.2 dev tun0 ip rule add fwmark 0x55 table 300
First of all, --dport 80 never work... :/ I wanted to filter TCP 80 packets coming from eth2, but none of them seems to be HTTP packets... oO (very strange...). Nevermind, I decided to forget about the --dport option. I use the "iptables -L -v -t mangle" command to see how many packets are marked, and it is working fine, all TCP packets coming from eth2 are marked. Now the problem is that none of them are routed to tun0 they are all respecting the "route -n" rules... and not the "table 300" rule I have created.
I am learning about net filters and I am practicing some sample programs on it. I am very new to this and I have a general query. I got the packet to a desired function using PRE_ROUTING hook. Now how do I frame a packet from this point? I am just trying to simulate a echo client server program in the kernel level using these hooks. Any useful info on sockets in the kernel level?
I have two NIC's interfaces on my linux machine(eth1 and eth2). Each have different IP addresses(10.0.0.1, 10.67.7.1). These two interfaces are connected together through hub. Here is the my question?
1) If I 'ping 10.0.0.1', it should go out through network interface eth2 and through hub and enter on eth1 and response also travel through similar direction.
2) If I 'ping 10.67.7.1', it should go out through network interface eth1 and through hub and enter on eth2.
How can setup routing table for this,I have tried setting up routing and iptables, etc.. nothing helped.
If any one good router/networking guy, you should know this one.I am doing a project, I want this way to handle this.
I need to route packets coming from a standalone switch port which is a mirror ("tap") of another port ("source"). I can't seem to forward packets whose MAC address is for a different device (the actual "target" of "source"). My device is in promisc mode,I can see the incoming packets in tcpdump and Wireshark. The only packets which get forwarded are those which have my MAC destination address (I changed the wiring to come straight from source and not the mirror port, to get "my" MAC address in the packet). My routing table is configured to forward and I have ip_forwarding enabled, obviously (otherwise packets sent to my MAC wouldn't route). By the way, the incoming packets are all VLAN tagged and I have matching subinterfaces.
Q1 - is this inherent, that packets won't get "passed up" to the IP layer unless the MAC addresses match?
Q2 - Would ebtables be a good solution, i.e. rewrite the dest MAC address to my own MAC addr and send to the INPUT target?
My linux machine is connected to the outside internet, and I have a minecraft server running on an internal machine (192.168.1.201). Right now, I am forwarding port 80 on the linux machine to 192.168.1.30, which is working.
# Generated by iptables-save v1.4.5 on Mon Jan 11 12:22:25 2010 *raw :PREROUTING ACCEPT [1038480:666298388]
[code]....
somehow iptables -t nat -A PREROUTING -i eth2 -d x.y.z.a -j DNAT --to-destination 192.168.1.1 helps, but imho there should be some other solution. kernel is 2.6.31.6, architecture is x86_64.
P.S. i've also tried iptables -A POSTROUTING ! -d x.y.z.a -s 192.168.1.0/24 -j MASQUERADE that didn't help either.
I try to boot Fedora 10 without initrd. System boots normally if I make in some nodes in /dev such as /dev/console. Almost everything works fine, but when I try ping with record route option -R I get this error
Quote:
ping: record route: No message of desired type
If I boot with initrd ping -R works without this error. Iptables not running.
Also this error appear when I try to boot from LiveCD F11-Alpha-i686-Live-KDE.iso or other Fedora 10 LiveCDs.
On my system, I have built my own tunneling protocol, where I relay packets over a non-standardized but verified medium. What I do is capture the packets using iptables and NFQUEUE, relay them over my medium, and at the other end I reinject them using raw sockets. The packet going into the tunnel is exactly the same as the one coming out, verified. The problem is that this doesn't work for ICMP Ping (Echo Request) if the destination of the ping is the same as the tunnel endpoint. If the destination is not the same as the tunnel endpoint, the ping packet is rerouted and arrives as it should at the receiver, and the ping reply comes back to the sender. Does anyone know whats going on? Isn't it possible to send raw icmp to yourself? If not, anyone have an idea what I should do instead?
I'm using kubuntu 9.10 desktop edition as a server and I set the IP statically, what happens is that when I ping it from another machine on the same network, I get intermittent packet loss (up to 80% and sometimes even higher). When I ping any other machine on the local network everything's fine with 0% packet loss. Packets go directly through switch, no router or anything in between.
I suspected wiring issues, but that doesn't seem to be the problem after I changed the wiring. I was connected to wireless and suspected that but no go either. Same thing when I turn wired. I just changed the ethernet card suspecting drivers but that's no good either. Iptables is a cleanslate installation, it's totally empty.
i made a video and i wanted to put it on my myspace(video upload) and it justs fade to grey and becomes unresponive. that it goes back to normal but no progress. so then i tried going to image shack and uploading a picture. can't do that either. tried mediafire, videos, vimeo, nothing.
so i tried on my desktop(desktop running 9.10 32 bit. laptop(the first one i tried) running 9.10 64 bit. it didn't work on that either. i know it's not my isp because it works on my ps3(no ubuntu). not my firewall and tried without without my router. didn't work either. i tried upgrading flash on both of them and on my desktop i can upload some pictures to imageshack now. nothing else though. i have tried using both firefox and opera.
i pinged yahoo and this is what i got:
6 packets transmitted, 6 received, 0% packet loss, time 5007ms rtt min/avg/max/mdev = 72.732/73.437/75.024/0.761 ms
i have a linux server runnig oracle applications. i need to access this server from putty using ssh through internet. i did by registering my static ip with the dnydns.org and i am able to connect to the server. but now there is no security to authenticate any user as any one knowing the password can login to it.
i thought of configuring the firewall of linux server but the client ip`s are not static and they change continiously. so thought of keeping one more pc between the server and the router which will do the work of authenticating. but i am confuse as how to configure it to allow the packets coming from the internet after authenticating and to by pass the packets generated from internal LAN?
I am the new user to ns-2. I would like to know is it possible to send the keys or some value as the packet data (content of the packet) in ns-2 (for wireless environment).
This may or may not be an easy question, as I'm somewhat uninformed in the networking side of computer science. I own a rented server with a static ip address. Is there a way that I can forward requests from it to my computer to setup a LAN network of sorts over the internet. Specifically, there is a program I would like to use that requires LAN (you enter an IP to connect to). Is it possible to setup my server in a way that users could connect to my server's ip, which would then forward it to my home computer (I'm fine with setting up my home computer with programs that would allow this) that could host?
I got this definition:"a process that replaces a series of related, specific routes in a route table with a more generic route." honestly I found it not so clear.. I want to know if this definition is correct and also more details about this subject..
Having trouble getting my Netgear WNA1000 working thru wireless router. Have tried lots of suggestions from other threads to no avail. Someone suggested that th routing table isn't set correctly, so have been trying to use the follwing to make the proper entry in the routing table: sudo route add -net 192.168.0.1 netmask 255.255.255.0 dev wlan0
Result: error message stating with: "route: netmask does not match route address"
followed by "Usage" instructions which tell me to do what I just did. Any ideas on how I can populate my routing table with correct entry for my wireless card? Not to complicate matters, but I temporarily turned off encryption on my router to eliminate that as a possibility until I get connected. So maybe it'still trying to connect via encrypted mode - do I need to turn off encryption on my (client) end?
I want to run ssh-keygen -f [filename] but also specify no password. I know the -N option is used to specify the password but putting -N with nothing after it isn't permitted.
I find it very frustrating that documentation suggests using PEERDNS=no in /etc/sysconfig/network-scripts/ ifcfg-eth0 in order to override resolv.conf information only to find out that both NM and network init scripts ignore DNS1, DNS2 and DOMAIN settings.So my question is how do I correctly configure resolv.conf settings that will persistently override dhcp information on a F12 system that has NM removed and uses the network service scripts?
I have a hardware device with two ethernet ports, eth0 and eth1 running Centos 5. Basically my goal is to forward packets from eth0->eth1 and eth1->eth0 as well as get a copy of these packets for analysis. If I set IP routing to do the forwarding then I won't get a copy of the packets for analysis.
This is on Ubuntu 10.04 Server Edition. The ethernet cord was disconnected one day. I plugged it back in to find I can ssh to and from that machine, but I cannot update or browse the web (elinks) on it. I tried "ifconfig eth0 up" which did nothing. Why is it that only local connections work?
I have a ubuntu desktop 9.10 that is used as a file server and occasionally as a desktop. My problem is after about 15 min of idle the server can not be accessed by other computers. I attempted to disable power management but Im not sure if i did that correctly. Where should i look for problems?
I have two linux servers, I tried to ping from one linux box to another and vice versa but error message is "connect: Network is unreachable" Where as If I tried from windows machine I am getting the reply from both the servers. C:Documents and Settings>ping bnkprod
Pinging bnkprod.softtech.com [172.20.40.141] with 32 bytes of data: Reply from 172.20.40.141: bytes=32 time=16ms TTL=64 Reply from 172.20.40.141: bytes=32 time<1ms TTL=64 Reply from 172.20.40.141: bytes=32 time<1ms TTL=64 Reply from 172.20.40.141: bytes=32 time<1ms TTL=64
Ping statistics for 172.20.40.141: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 16ms, Average = 4ms
