Re: A weird routing question.
- From: none <""testr\"@(none)">
- Date: Fri, 28 Sep 2007 21:04:53 +0200
Pascal Hambourg wrote:
Hello,
Ken Sims wrote:
On Thu, 27 Sep 2007 19:36:35 +0200, none <""testr\"@(none)"> wrote:
On a linux box 'A' which has interfaces eth0, eth1, eth2, eth3, I would
like to do a special treatment on packets incoming via eth0 and whose
source is <some-network>.
I would like these packets be unconditionally redirected unmodified for
output via interface eth1.
That is:
- even if they were targeted (destination IP) at my box 'A', they will
be re-emitted through eth1.
- even if they would have been forwarded through eth2 or eth3, they
will be re-emitted through eth1 too.
If they would be forwarded anyway, advanced routing can be used to
force them out a specific interface.
Yes.
For packets whose destination is 'A', I think you would need to do
something with netfilter to get the packets on to the forwarding
chain, but I don't know how without changing the destination IP
address.
I feared that exact same thing: AFAIK choosing an output interface
implied doing some kind of DNAT.
The highly controversial ROUTE target, which allows to override the
routing decision, may help :
This option adds a `ROUTE' target, which enables you to setup unusual
routes. For example, the ROUTE lets you route a received packet through
an interface or towards a host, even if the regular destination of the
packet is the router itself.
I had never heard of the ROUTE target. I thank you for having pinpointed that.
Anyone here can easily understand why such a target is controversial: it
reverts the stages in packet processing because we usually infer the
appropriate route from the expected destination IP. Furthermore, to set
up a specific routing policy for some traffic that hits a particular
input interface hurts our mind a bit.
It's even more strange when we consider my case because it brings us four
questions:
- 1) Why would someone 'reflect'-out some ingoing traffic targeted at
its workstation?
- 2) Will these packets eventually reach the expected target? (Answer:
YES, though through traffic shaping or accountancy on some other host
for example)
- 3) Will these packets be MANGLED on their way (i.e. using some kind
of NAT) or just be re-transmitted unaltered? (Tied with question 4)
- 4) What becomes of reply packets?
For question 3, I think transmitting packets unaltered allows me to
avoid having some other host on the network: NAT, thus mangling, would
imply forward to a well known router IP.
For question 4, I fear transmitting packets unaltered will imply
different routes for both directions of udp/tcp flows, which would cause
trouble if host 'A' serves as a gateway for some other network,
especially regarding FTP and internet telephony which involve special
connection tracking and NAT mechanisms. Achieving my goal with NAT, and
thus with the aid of some other host (router) B, would be a better
approach then.
Any comments are welcome.
Sincerely,
Le Testeur
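The two mechanisms discussed in this thread, written out as an added example (not code from any of the posters): Ken's "advanced routing" for packets that would be forwarded anyway, done with an ip rule keyed on input interface and source network, and the patch-o-matic ROUTE target for packets addressed to 'A' itself. The source network 192.0.2.0/24, table number 100 and rule priority 1000 are placeholders chosen here; the `--oif` option is the ROUTE target syntax as shipped in patch-o-matic-ng, which needs a patched kernel and iptables, so check it against your own build. DRY_RUN=1 (the default) prints the commands instead of running them so the plan can be reviewed offline.

```shell
#!/bin/sh
# Host 'A' has eth0..eth3. Traffic arriving on IN_IF from SRC_NET must leave
# via OUT_IF regardless of its destination. Values below are placeholders.
IN_IF="${IN_IF:-eth0}"
OUT_IF="${OUT_IF:-eth1}"
SRC_NET="${SRC_NET:-192.0.2.0/24}"   # constructed placeholder network (TEST-NET-1)
TABLE="${TABLE:-100}"                # assumed-unused policy routing table
PRIO="${PRIO:-1000}"                 # rule priority; must sort before main (32766)
DRY_RUN="${DRY_RUN:-1}"              # 1 = print commands, 0 = execute as root

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Case 1: packets that would be forwarded through eth2/eth3 anyway.
# A policy rule matching input interface + source selects a private table
# whose only route is a default out of OUT_IF. This never touches the
# packet, so it stays unmodified (question 3), but replies still follow
# the normal tables, so the two directions of a flow may take different
# paths (question 4).
forwarded_via_out_if() {
    # Without "via <next-hop>" the kernel ARPs for every destination on
    # OUT_IF; add "via" if a router sits on that link.
    run ip route replace default dev "$OUT_IF" table "$TABLE"
    run ip rule add iif "$IN_IF" from "$SRC_NET" lookup "$TABLE" priority "$PRIO"
}

# Case 2: packets whose destination IP is 'A' itself. The local table is
# consulted at priority 0 before any rule added above, so policy routing
# alone delivers them locally. The ROUTE target overrides the routing
# decision in mangle PREROUTING instead. (--oif as documented for the
# patch-o-matic-ng ROUTE target; assumption, verify on your build.)
local_via_out_if() {
    run iptables -t mangle -A PREROUTING -i "$IN_IF" -s "$SRC_NET" \
        -j ROUTE --oif "$OUT_IF"
}

# Post-apply check: confirm the rule and the private table are in place.
show_state() {
    run ip rule show
    run ip route show table "$TABLE"
}

forwarded_via_out_if
local_via_out_if
show_state
```

Run it once with the default DRY_RUN=1 to review the exact commands, then with DRY_RUN=0 as root on 'A'. Undo with `ip rule del priority 1000`, `ip route flush table 100` and the matching `iptables -t mangle -D` line.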