Networking :: Route Type Unreachable Overriding Local Packet Generation For Marking Packets
Jun 16, 2010
My issue is with Linux routing tables using iproute2, coupled with the iptables MARK target. When I create a rule to look up a table with iproute2, and the routing table routes an address as type unreachable (or blackhole, or prohibit), if a higher priority rule does a lookup to another table that routes the address as type unicast but that higher priority rule also matches on a fwmark, the packet to that address is never generated locally to even go through iptables packet filtering/mangling in order to mark it, because the lower priority rule that doesn't match on a fwmark says it's unreachable. For example, I have 2 rules installed with ip:
Code:
10: from all fwmark 0x1000 lookup routeit
20: from all lookup unreach
ip route list table routeit
[code]....
Now, in the packet filter, I have an iptables rule to mark packets to destination 10.0.0.5 with 0x1000 in the mangle table and OUTPUT chain. When I generate a packet locally to 10.0.0.5, all programs get ENETUNREACH (tested with strace). However, if I take out the route entry that 10.0.0.0/8 is unreachable, it all works fine and the routes in the routeit table get applied to marked packets (I know because my default gateway would not be 1.2.3.4, but wireshark shows packets being sent to the MAC address of 1.2.3.4).
The best I can surmise is that when generating a packet locally, the kernel tests the routing tables in priority order but without any mark to see if it is unreachable/blackhole/prohibit, and doesn't even bother generating the packet and traversing iptables rules to see if it would eventually be marked and thus routed somewhere. Then I assume after that step, it traverses iptables rules, then traverses the routing tables again to find a route. So is there any way around this behavior besides adding fake routes to the routing table (e.g. routing 10.0.0.5 to dev lo in the unreach table in this example)?
View 2 Replies
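The behaviour described in the post above, modelled as an added example (this is not code from the post or from the kernel): a locally generated packet gets its route looked up at the socket level, with only the socket's own mark, before any packet buffer exists, so a mark applied later in mangle OUTPUT can only trigger a reroute if that first lookup succeeded. The rule set and the 1.2.3.4 gateway are taken from the post; the table contents beyond that, and the SO_MARK fallback value of 36 (the value in asm-generic/socket.h), are assumptions.

```python
"""Model of Linux output routing for a locally generated packet.

Shows why a fwmark-gated table cannot rescue a destination that a
lower-priority rule already declared unreachable, and two ways out:
the poster's fake /32 via lo, and SO_MARK on the socket."""
import ipaddress
import socket

# Constructed rule set mirroring the post: rule 10 needs fwmark 0x1000 and
# points at "routeit"; rule 20 matches everything and points at "unreach".
RULES = [  # (priority, required fwmark or None, table)
    (10, 0x1000, "routeit"),
    (20, None, "unreach"),
]
# Table contents (assumed beyond what the post shows).
TABLES = {
    "routeit": [("0.0.0.0/0", "unicast", "1.2.3.4")],
    "unreach": [("10.0.0.0/8", "unreachable", None)],
}


def table_lookup(tables, table, dst):
    """Longest-prefix match inside one table; None means no route here."""
    best = None
    for prefix, rtype, nexthop in tables[table]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, rtype, nexthop)
    return None if best is None else best[1:]


def fib_lookup(dst, mark, tables=TABLES):
    """Walk policy rules in priority order; first table with a match wins."""
    for _prio, want_mark, table in sorted(RULES, key=lambda r: r[0]):
        if want_mark is not None and want_mark != mark:
            continue
        hit = table_lookup(tables, table, dst)
        if hit is not None:
            return hit
    return ("unreachable", None)


def local_output(dst, sock_mark=0, mangle_mark=None, tables=TABLES):
    """Simulate sending from a local socket.

    Returns ("ENETUNREACH", None) when the socket-level lookup fails, else
    ("sent", nexthop) after the mangle OUTPUT mark and any reroute."""
    rtype, nexthop = fib_lookup(dst, sock_mark, tables)
    if rtype != "unicast":
        # No packet buffer is built, so the mangle OUTPUT chain never runs.
        return ("ENETUNREACH", None)
    mark = sock_mark if mangle_mark is None else mangle_mark
    if mark != sock_mark:
        # Netfilter reroutes the packet when LOCAL_OUT changed its mark.
        rtype, nexthop = fib_lookup(dst, mark, tables)
        if rtype != "unicast":
            return ("ENETUNREACH", None)
    return ("sent", nexthop)


def with_fake_route(tables, dst):
    """Poster's workaround: a more specific unicast route via lo in the
    unreach table, so the first lookup succeeds and the reroute after
    MARK reaches routeit."""
    copy = {name: list(routes) for name, routes in tables.items()}
    copy["unreach"].insert(0, (dst + "/32", "unicast", "lo"))
    return copy


def marked_socket(mark):
    """Alternative fix: SO_MARK puts the mark on the socket itself, so the
    very first lookup already matches rule 10. Needs CAP_NET_ADMIN; 36 is
    SO_MARK on asm-generic Linux ABIs such as x86 (assumed fallback)."""
    so_mark = getattr(socket, "SO_MARK", 36)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, so_mark, mark)
    return s


if __name__ == "__main__":
    print(local_output("10.0.0.5", mangle_mark=0x1000))
    print(local_output("10.0.0.5", sock_mark=0x1000))
    print(local_output("10.0.0.5", mangle_mark=0x1000,
                       tables=with_fake_route(TABLES, "10.0.0.5")))
```

The first call reproduces the ENETUNREACH the poster saw under strace; the second shows that a mark already present on the socket (SO_MARK) is honoured by the initial lookup; the third shows the fake /32 route making the first lookup succeed so the post-MARK reroute lands in routeit.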
Oct 13, 2010
I want to build a topology of this kind:
Code:
          eth0 (a.a.a.a) <----------------> |
Linux PC                                    | ROUTER
          eth1 (b.b.b.b) <----------------> |
The Linux machine has two interfaces, eth0 (a.a.a.a) and eth1 (b.b.b.b), connected to two interfaces of a router. Now, if I send any packet destined to b.b.b.b from the a.a.a.a interface on the Linux machine, it should take the following path: eth0 -> router -> eth1, and it should be the same vice versa.
View 1 Replies
May 8, 2011
I have 3 network interfaces on my Linux Router :
Interface - Gateway - Type
Code:
br0 - 192.168.0.1 - Internet
eth2 - 192.168.1.1 - LAN
tun0 - 10.0.0.2 - VPN (via br0)
What I'd like to do is to route all TCP packets coming from eth2 to tun0 where a VPN client is running on 10.0.0.2. If I delete all default routes and if I add a new route to tun0 like :
Code:
route del default
route add default gw 10.0.0.2
Everything is fine, and everyone on eth2 can reach the Internet using the VPN access. Now the problem is that my VPN client does not allow any other protocols other than TCP. And I also want to allow VPN access only to eth2, no other LAN nor the router itself. I want to use iptables to filter any TCP packets and mark them, so they can be sent to tun0, while any other packets can reach the Internet via br0 (192.168.0.1). I found on the Internet that we can mark packets before they get routed, using the following commands:
Code:
iptables -t mangle -A PREROUTING -j MARK --set-mark 85 -i eth2 -p tcp --dport 80
ip route add table 300 default via 10.0.0.2 dev tun0
ip rule add fwmark 0x55 table 300
First of all, --dport 80 never works... :/ I wanted to filter TCP 80 packets coming from eth2, but none of them seem to be HTTP packets... oO (very strange...). Never mind, I decided to forget about the --dport option. I use the "iptables -L -v -t mangle" command to see how many packets are marked, and it is working fine; all TCP packets coming from eth2 are marked. Now the problem is that none of them are routed to tun0; they are all respecting the "route -n" rules... and not the "table 300" rule I have created.
View 4 Replies
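A consistency check for a fwmark policy-routing setup like the one in the post above, added here as an example (not code from the post). It parses the text forms of `iptables-save -t mangle`, `ip rule show` and `ip route show table N` and reports the mismatches that leave marked packets on the main table: a MARK value no rule matches, a rule whose table is empty, or a mark set in a chain (FORWARD, POSTROUTING) that runs after the routing decision. The sample output below is constructed to mirror the post's commands; note that `--set-mark 85` and `fwmark 0x55` are the same value, so a base mismatch is not the cause there. When the check passes, the usual remaining suspects on a 2.6 kernel are the route cache (`ip route flush cache` after changing rules), rp_filter dropping the asymmetric replies on tun0, and the VPN peer rejecting the LAN source addresses unless they are SNATed onto tun0.

```python
"""Check that mangle MARK targets, ip rules and routing tables line up."""
import re

# Constructed sample output shaped like the post's setup.
IPTABLES_MANGLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth2 -p tcp -j MARK --set-xmark 0x55/0xffffffff
COMMIT
"""
IP_RULE = """\
0:\tfrom all lookup local
32765:\tfrom all fwmark 0x55 lookup 300
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""
IP_ROUTE_TABLES = {  # output of `ip route show table <id>`, keyed by table
    "300": "default via 10.0.0.2 dev tun0\n",
}

NUM = r"(0x[0-9a-fA-F]+|\d+)"
MARK_RE = re.compile(r"-j MARK --set-x?mark " + NUM + r"(?:/" + NUM + r")?")
RULE_RE = re.compile(r"^\d+:\s+from \S+ .*?fwmark " + NUM +
                     r"(?:/" + NUM + r")? lookup (\S+)", re.M)


def parse_marks(save_text):
    """MARK targets in the mangle table: returns {mark_int: chain}."""
    marks = {}
    for line in save_text.splitlines():
        m = MARK_RE.search(line)
        if m and line.startswith("-A "):
            marks[int(m.group(1), 0)] = line.split()[1]
    return marks


def parse_rules(rule_text):
    """fwmark rules from `ip rule show`: returns {mark_int: table}."""
    return {int(m.group(1), 0): m.group(3) for m in RULE_RE.finditer(rule_text)}


def check(save_text, rule_text, route_tables):
    """Return a list of human-readable problems; empty means consistent."""
    problems = []
    marks = parse_marks(save_text)
    rules = parse_rules(rule_text)
    for mark, chain in marks.items():
        if mark not in rules:
            problems.append(f"mark {mark:#x} set in {chain} but no ip rule matches it")
        elif chain not in ("PREROUTING", "OUTPUT"):
            # Routing happens between PREROUTING and FORWARD; later marks
            # do not influence where a forwarded packet goes.
            problems.append(f"mark {mark:#x} set in {chain}, after the routing decision")
    for mark, table in rules.items():
        if mark not in marks:
            problems.append(f"ip rule fwmark {mark:#x} -> table {table} but nothing sets that mark")
        if not route_tables.get(table, "").strip():
            problems.append(f"table {table} for fwmark {mark:#x} has no routes")
    return problems


if __name__ == "__main__":
    for p in check(IPTABLES_MANGLE, IP_RULE, IP_ROUTE_TABLES) or ["consistent"]:
        print(p)
```

Feed it the real output with `iptables-save -t mangle`, `ip rule show` and one `ip route show table N` per table named in the rules; an empty result means the mark plumbing is fine and the problem lies in what happens to the packet after the route decision.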
Jul 14, 2011
I am learning about netfilter and I am practicing some sample programs on it. I am very new to this and I have a general query. I got the packet to a desired function using the PRE_ROUTING hook. Now how do I frame a packet from this point? I am just trying to simulate an echo client/server program at the kernel level using these hooks. Any useful info on sockets at the kernel level?
View 1 Replies
Jan 18, 2010
I want to add this route but I am getting this error message. What is the reason for this problem? I can't add this route. How can I add it?
Code:
[root@linux/]# route add -net 10.1.0.0 netmask 255.255.0.0 gw 10.2.0.1 eth0
SIOCADDRT: Network is unreachable
View 11 Replies
Mar 11, 2010
I have two NIC interfaces on my Linux machine (eth1 and eth2). Each has a different IP address (10.0.0.1, 10.67.7.1). These two interfaces are connected together through a hub. Here is my question:
1) If I 'ping 10.0.0.1', it should go out through network interface eth2 and through hub and enter on eth1 and response also travel through similar direction.
2) If I 'ping 10.67.7.1', it should go out through network interface eth1 and through hub and enter on eth2.
How can I set up the routing table for this? I have tried setting up routing and iptables, etc. Nothing helped.
If anyone is a good router/networking guy, you should know this one. I am doing a project, and I want to handle it this way.
View 9 Replies
Sep 16, 2010
I need to route packets coming from a standalone switch port which is a mirror ("tap") of another port ("source"). I can't seem to forward packets whose MAC address is for a different device (the actual "target" of "source"). My device is in promisc mode; I can see the incoming packets in tcpdump and Wireshark. The only packets which get forwarded are those which have my MAC destination address (I changed the wiring to come straight from source and not the mirror port, to get "my" MAC address in the packet). My routing table is configured to forward and I have ip_forwarding enabled, obviously (otherwise packets sent to my MAC wouldn't route). By the way, the incoming packets are all VLAN tagged and I have matching subinterfaces.
Q1 - is this inherent, that packets won't get "passed up" to the IP layer unless the MAC addresses match?
Q2 - Would ebtables be a good solution, i.e. rewrite the dest MAC address to my own MAC addr and send to the INPUT target?
View 5 Replies
May 7, 2011
My linux machine is connected to the outside internet, and I have a minecraft server running on an internal machine (192.168.1.201). Right now, I am forwarding port 80 on the linux machine to 192.168.1.30, which is working.
Code:
iptables -t nat -I PREROUTING -i eth0 -d 192.168.1.30 -j DNAT --to-destination 192.168.1.201
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.1.201
I want to filter out the GET/POST requests and forward them to port 8080. I can't seem to get that working.
I've tried this:
Code:
iptables -A INPUT -d 192.168.1.30 -p tcp --dport 80 -m string --algo bm --string 'GET' -j REDIRECT --to-ports 8080
View 1 Replies
Jan 11, 2010
I've got router with: eth2 - local network (192.168.1.1), ppp0 - uplink (x.y.z.a)
my firewall:
Code:
# Generated by iptables-save v1.4.5 on Mon Jan 11 12:22:25 2010
*raw
:PREROUTING ACCEPT [1038480:666298388]
[code]....
Somehow iptables -t nat -A PREROUTING -i eth2 -d x.y.z.a -j DNAT --to-destination 192.168.1.1 helps, but IMHO there should be some other solution. The kernel is 2.6.31.6, architecture is x86_64.
P.S. I've also tried iptables -A POSTROUTING ! -d x.y.z.a -s 192.168.1.0/24 -j MASQUERADE; that didn't help either.
View 10 Replies
Feb 17, 2009
I try to boot Fedora 10 without initrd. The system boots normally if I make some nodes in /dev such as /dev/console. Almost everything works fine, but when I try ping with the record route option -R I get this error:
Quote:
ping: record route: No message of desired type
If I boot with initrd, ping -R works without this error. Iptables is not running.
This error also appears when I try to boot from the LiveCD F11-Alpha-i686-Live-KDE.iso or other Fedora 10 LiveCDs.
View 3 Replies
Feb 21, 2011
On my system, I have built my own tunneling protocol, where I relay packets over a non-standardized but verified medium. What I do is capture the packets using iptables and NFQUEUE, relay them over my medium, and at the other end I reinject them using raw sockets. The packet going into the tunnel is exactly the same as the one coming out, verified. The problem is that this doesn't work for ICMP Ping (Echo Request) if the destination of the ping is the same as the tunnel endpoint. If the destination is not the same as the tunnel endpoint, the ping packet is rerouted and arrives as it should at the receiver, and the ping reply comes back to the sender. Does anyone know what's going on? Isn't it possible to send raw ICMP to yourself? If not, does anyone have an idea what I should do instead?
View 1 Replies
Jan 6, 2010
I'm using kubuntu 9.10 desktop edition as a server and I set the IP statically, what happens is that when I ping it from another machine on the same network, I get intermittent packet loss (up to 80% and sometimes even higher). When I ping any other machine on the local network everything's fine with 0% packet loss. Packets go directly through switch, no router or anything in between.
I suspected wiring issues, but that doesn't seem to be the problem after I changed the wiring. I was connected to wireless and suspected that, but no go either. Same thing when I turn to wired. I just changed the ethernet card, suspecting drivers, but that's no good either. Iptables is a clean-slate installation; it's totally empty.
View 9 Replies
Apr 20, 2010
Do you know if there is any possibility to route/force a non-VLAN packet to a VLAN interface in Linux?
View 2 Replies
Feb 21, 2010
I made a video and I wanted to put it on my MySpace (video upload) and it just fades to grey and becomes unresponsive. Then it goes back to normal but no progress. So then I tried going to ImageShack and uploading a picture. Can't do that either. Tried MediaFire, videos, Vimeo, nothing.
So I tried on my desktop (desktop running 9.10 32 bit; laptop (the first one I tried) running 9.10 64 bit). It didn't work on that either. I know it's not my ISP because it works on my PS3 (no Ubuntu). Not my firewall, and I tried without my router. Didn't work either. I tried upgrading Flash on both of them and on my desktop I can upload some pictures to ImageShack now. Nothing else though. I have tried using both Firefox and Opera.
I pinged Yahoo and this is what I got:
6 packets transmitted, 6 received, 0% packet loss, time 5007ms
rtt min/avg/max/mdev = 72.732/73.437/75.024/0.761 ms
View 1 Replies
Feb 8, 2010
I have a Linux server running Oracle applications. I need to access this server from PuTTY using SSH through the Internet. I did it by registering my static IP with dyndns.org and I am able to connect to the server. But now there is no security to authenticate any user, as anyone knowing the password can log in to it.
I thought of configuring the firewall of the Linux server, but the client IPs are not static and they change continuously. So I thought of keeping one more PC between the server and the router which will do the work of authenticating. But I am confused as to how to configure it to allow the packets coming from the Internet after authenticating and to bypass the packets generated from the internal LAN.
View 8 Replies
Jul 12, 2010
I am a new user of ns-2. I would like to know if it is possible to send keys or some value as the packet data (content of the packet) in ns-2 (for a wireless environment).
View 1 Replies
Aug 30, 2010
I need to write a program in C that can sniff packets from Ethernet and distinguish RTP packets from non-RTP packets. I have no idea what I should do.
View 9 Replies
Feb 22, 2010
I'm executing ping, but it didn't work. In order to find the mistake in my network, I would like to know how to see the errors:
Code:
18 packets transmitted, 0 received, +12 errors, 100% packet loss, time 17038ms, pipe 4
I want to see these +12 errors. Could I do that?
View 2 Replies
Jul 2, 2010
This may or may not be an easy question, as I'm somewhat uninformed in the networking side of computer science. I own a rented server with a static ip address. Is there a way that I can forward requests from it to my computer to setup a LAN network of sorts over the internet. Specifically, there is a program I would like to use that requires LAN (you enter an IP to connect to). Is it possible to setup my server in a way that users could connect to my server's ip, which would then forward it to my home computer (I'm fine with setting up my home computer with programs that would allow this) that could host?
View 2 Replies
Apr 29, 2009
I would like to add a static route, however I do not understand what is meant by the Address setting below
GATEWAY2=10.241.58.62
NETMASK2=255.255.255.224
ADDRESS2=10.241.57.32
Does this mean any addresses beginning with 10.241.57.32 are routed over the gateway 10.241.58.62, i.e. an address range?
View 3 Replies
Oct 21, 2010
I got this definition: "a process that replaces a series of related, specific routes in a route table with a more generic route." Honestly, I found it not so clear. I want to know if this definition is correct and also more details about this subject.
View 1 Replies
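A worked example of the definition quoted above, added here (it is not from the post): route summarization means replacing several specific prefixes that share a next hop with the smallest aggregate prefix set covering exactly the same addresses. The second function shows the trade-off a practitioner checks before advertising a single summary: a /22 announced for three /24s also attracts traffic for a fourth /24 that was never routed there, which is how over-summarization blackholes or draws in address space you do not own. The prefixes below are constructed sample input.

```python
"""Route summarization with Python's ipaddress module."""
import ipaddress


def summarize(prefixes):
    """Collapse prefixes into the minimal exact covering set.

    Adjacent, aligned prefixes merge; anything that would widen the
    covered address space is left as a separate entry."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def supernet_covering(prefixes):
    """Smallest single prefix that covers every input prefix.

    Returns (summary, extra) where extra is the number of addresses the
    summary covers that none of the original prefixes did; a non-zero
    value means the summary over-claims address space."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()  # widen by one bit until all fit
    exact = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return str(summary), summary.num_addresses - exact


if __name__ == "__main__":
    # Constructed sample: four contiguous /24s behind one next hop.
    full_block = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
    print(summarize(full_block))           # one /22, nothing extra
    print(supernet_covering(full_block))
    # Only three of the four: a /22 summary would over-claim 256 addresses.
    partial = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]
    print(summarize(partial))              # a /23 plus the leftover /24
    print(supernet_covering(partial))
```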
Jan 25, 2011
Having trouble getting my Netgear WNA1000 working through my wireless router. Have tried lots of suggestions from other threads to no avail. Someone suggested that the routing table isn't set correctly, so I have been trying to use the following to make the proper entry in the routing table:
Code:
sudo route add -net 192.168.0.1 netmask 255.255.255.0 dev wlan0
Result: error message starting with:
"route: netmask does not match route address"
followed by "Usage" instructions which tell me to do what I just did. Any ideas on how I can populate my routing table with the correct entry for my wireless card? Not to complicate matters, but I temporarily turned off encryption on my router to eliminate that as a possibility until I get connected. So maybe it's still trying to connect via encrypted mode; do I need to turn off encryption on my (client) end?
View 2 Replies
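Two of the posts on this page hit the two classic `route add` failures: "SIOCADDRT: Network is unreachable" (gateway 10.2.0.1 for a route on eth0) and "netmask does not match route address" (192.168.0.1 with a /24 mask). The checker below is an added example, not code from either post; it reproduces the checks route(8) and the kernel apply and prints the usual fix for each. The interface addresses passed in are constructed assumptions, since neither post shows them; if the 192.168.0.1 case was really meant as a default route via the router, `route add default gw 192.168.0.1` is the command, not a -net entry.

```python
"""Pre-flight checks for `route add -net TARGET netmask MASK [gw GW] DEV`."""
import ipaddress


def check_route_add(target, netmask, gateway=None, iface_addrs=()):
    """Return a list of (error, suggestion) tuples; empty means it should work.

    iface_addrs are the 'addr/prefix' strings configured on the device the
    route is meant to use (assumed inputs; read them from `ip addr`)."""
    issues = []
    try:
        ipaddress.ip_network(f"{target}/{netmask}")
    except ValueError:
        # route(8) refuses a -net target with host bits set under the mask.
        net = ipaddress.ip_network(f"{target}/{netmask}", strict=False)
        issues.append((
            "route: netmask does not match route address",
            f"use -net {net.network_address} netmask {netmask}, or "
            f"-host {target} if a single address was meant",
        ))
    if gateway is not None:
        gw = ipaddress.ip_address(gateway)
        # The kernel only accepts a gateway it can reach via a connected
        # (link-scope) route on the chosen device.
        onlink = any(gw in ipaddress.ip_interface(a).network for a in iface_addrs)
        if not onlink:
            issues.append((
                "SIOCADDRT: Network is unreachable",
                f"gateway {gw} is not on a connected subnet of the device; add "
                f"`ip route add {gw}/32 dev <dev>` first, or use "
                f"`ip route add {target}/{netmask} via {gw} dev <dev> onlink`",
            ))
    return issues


if __name__ == "__main__":
    # Constructed: eth0 carries 10.3.0.5/16, so 10.2.0.1 is not on-link.
    for err, fix in check_route_add("10.1.0.0", "255.255.0.0", "10.2.0.1", ["10.3.0.5/16"]):
        print(err, "->", fix)
    for err, fix in check_route_add("192.168.0.1", "255.255.255.0"):
        print(err, "->", fix)
```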
Aug 15, 2010
What does "'name of package.deb' is corrupted" mean? How do I see the list of corrupted packages? How do I reinstall all corrupted packages?
OS: Debian
View 3 Replies
Jan 7, 2010
I want to run ssh-keygen -f [filename] but also specify no password. I know the -N option is used to specify the password but putting -N with nothing after it isn't permitted.
View 4 Replies
Dec 15, 2009
I find it very frustrating that documentation suggests using PEERDNS=no in /etc/sysconfig/network-scripts/ifcfg-eth0 in order to override resolv.conf information, only to find out that both NM and the network init scripts ignore the DNS1, DNS2 and DOMAIN settings. So my question is: how do I correctly configure resolv.conf settings that will persistently override DHCP information on an F12 system that has NM removed and uses the network service scripts?
View 3 Replies
Sep 27, 2010
I have a hardware device with two ethernet ports, eth0 and eth1 running Centos 5. Basically my goal is to forward packets from eth0->eth1 and eth1->eth0 as well as get a copy of these packets for analysis. If I set IP routing to do the forwarding then I won't get a copy of the packets for analysis.
View 3 Replies
Aug 19, 2010
This is on Ubuntu 10.04 Server Edition. The ethernet cord was disconnected one day. I plugged it back in to find I can ssh to and from that machine, but I cannot update or browse the web (elinks) on it. I tried "ifconfig eth0 up" which did nothing. Why is it that only local connections work?
View 1 Replies
Mar 28, 2011
I just updated Fedora 14 with the updates it downloaded and I am now stuck with the error.
View 10 Replies
Jan 15, 2010
I have an Ubuntu desktop 9.10 that is used as a file server and occasionally as a desktop. My problem is that after about 15 minutes of idle the server cannot be accessed by other computers. I attempted to disable power management but I'm not sure if I did that correctly. Where should I look for problems?
View 9 Replies
Mar 7, 2011
I have two Linux servers. I tried to ping from one Linux box to another and vice versa, but the error message is "connect: Network is unreachable". Whereas if I try from a Windows machine, I get replies from both servers.
Code:
C:\Documents and Settings>ping bnkprod
Pinging bnkprod.softtech.com [172.20.40.141] with 32 bytes of data:
Reply from 172.20.40.141: bytes=32 time=16ms TTL=64
Reply from 172.20.40.141: bytes=32 time<1ms TTL=64
Reply from 172.20.40.141: bytes=32 time<1ms TTL=64
Reply from 172.20.40.141: bytes=32 time<1ms TTL=64
Ping statistics for 172.20.40.141:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 16ms, Average = 4ms
View 2 Replies