IPChains, FWMark, and Policy Routing
dharmu@nsecure.net
Wed, 15 Aug 2001 23:11:02 +0530 (IST)
I think when you are booting 2.2.XX the output of
cat /proc/sys/net/ipv4/ip_forward gives 1,
and while booting 2.4.X the output of the same may be 0.
If it is so, make it 1 and try with iptables with appropriate rule
sets. If you don't know how to build the rule sets, download some scripts
and change the corresponding entries.
Regards
Dharmu
> Message: 1
> Date: Tue, 14 Aug 2001 12:49:12 -0400
> From: "Michael H. Warfield" <mhw@wittsend.com>
> To: netfilter@lists.samba.org
> Cc: mhw@wittsend.com
> Subject: IPChains, FWMark, and Policy Routing...
>
> Hello all...
>
> I've been beating this problem every which way and finally have to
> ask for some help...
>
> Here is my problem.
>
> I'm working on transitioning my firewall to 2.4.x (currently trying
> to work with 2.4.8). For a variety of reasons, I need to maintain some
> backward compatibility to 2.2.19, at least for a short while. Basically
> I need to be able to dual boot back to 2.2.19 while diagnosing OTHER
> problems associated with VPNs and device drivers (I'm the kernel maintainer
> for the serial port driver). Consequently, I have to stick with the
> ipchains module, at least for the short term or have to have two sets
> of firewall rules (one for IPChains and one for netfilter) and keep them
> in sync.
>
> The system has multiple ISDN lines, plus several ethernet
> interfaces, including one that is a broadband interface. One of the
> ISDN lines is the default route to the internet and serves to route
> a large block of fixed addresses to my site for research purposes.
>
> One of the things I have been doing with policy routing is
> to masquerade certain services (http, dns, ntp) and certain entire
> systems inside the firewall over to the broadband interface and out the
> nice fat (unreliable, single dynamic address) pipe while reserving my
> more limited (reliable, multiple static addresses) ISDN lines and
> static addresses for less bandwidth intensive uses.
>
> So... This works under 2.2.19. I use IPChains to mark the packet
> with a firewall mark and masquerade it and I use ip policy routing to
> ship it out through the broadband interface on eth0.
>
> Here are some specific examples (http specifically) from my scripts:
>
> In my ipchains startup:
>
> ipchains -A pol_inp -s 130.205.0.0/20 -d 0/0 80 -p 6 -j MASQ -m 5
> ipchains -A pol_fwd -s 130.205.0.0/20 -d 0/0 80 -p 6 -j MASQ -m 5
>
> pol_inp is linked to the input chain and pol_fwd is linked on the
> forward chain. Yes, I realize that having both the "-j MASQ" and "-m 5"
> on both rules is unnecessary, but that doesn't seem to be the source of the
> problem (later) with 2.4.8 and doesn't seem to break anything obvious.
>
> The following is performed by dhcpcd when he gets a lease and an
> address from the broadband...
>
> ip route add default via $GATEWAY table 4
> ip rule add from $IPADDR table 4
> ip rule add prio 300 from 130.205.0.0/20 fwmark 5 table 4 nat $IPADDR
> ip route flush cache
>
> IPADDR is the address of the broadband interface and GATEWAY is
> the next hop gateway out through that address.
>
> Now... This all works like a charm on 2.2.19. It even works
> perfect when dhcpcd gets told to change the interface address (I left
> off the commands that clean up the old entries before adding the
> new entries - accept that it is there and it works).
>
> Now... This doesn't work with 2.4.8 and the ipchains module.
> Instead of being MASQed out the broadband interface, it is MASQed but
> out the ISDN interface and out the PPP default route instead. It's almost
> as if the firewall mark was either not being set in the ipchains module
> properly or not being recognized in the policy routing.
>
> Before anyone chimes in about past messages... I've been over the
> related messages in the past. Most of them refer to iptables and I've
> checked over the advice in them. Yes, I've checked (and set) ALL of the
> rp_filter entries in /proc to 0.
>
> I really would like to avoid having two sets of firewall rules
> during a transitional time. Assuming (and from other messages on this
> list, I think it's a very safe assumption) that this is working with
> iptables, does anyone know why it isn't working with ipchains or how
> to get it working with the ipchains module in netfilter?
>
> TIA!
>
> Mike
>
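The reply suggests checking ip_forward and redoing the rule set with iptables instead of the ipchains compatibility module. The script below is an added example, not code from either poster: it carries the setup described in the quoted message (mark http traffic from 130.205.0.0/20 with firewall mark 5, masquerade it, and send it out the broadband interface via routing table 4) over to 2.4 netfilter, together with the two /proc checks both messages mention. The network details (130.205.0.0/20, eth0, mark 5, table 4) are taken from the post; the IPADDR/GATEWAY values and the /proc paths passed to the check functions are constructed placeholders. It runs in dry-run mode by default and only prints the commands; executing them for real needs root and the 2.4 netfilter modules.

```shell
#!/bin/sh
# Added example (not from the thread): iptables/netfilter equivalent of the
# ipchains fwmark + MASQ + policy-routing setup, plus the ip_forward and
# rp_filter checks.  Assumed from the post: inside block 130.205.0.0/20,
# broadband interface eth0, firewall mark 5, routing table 4.
# Usage:  DRY_RUN=1 sh script.sh <IPADDR> <GATEWAY>   (prints the commands)
#         DRY_RUN=0 sh script.sh <IPADDR> <GATEWAY>   (applies them; needs root)

DRY_RUN=${DRY_RUN:-1}
INSIDE=130.205.0.0/20
BB_IF=eth0
MARK=5
TABLE=4

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The reply's first check: with ip_forward=0 nothing is forwarded on either
# kernel.  The path argument lets the check run against a constructed file
# instead of the live /proc entry.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# The poster set every rp_filter entry to 0: reverse-path filtering drops
# packets whose source would not be routed back out the receiving interface,
# which is exactly what asymmetric policy routing produces.  Print the entries
# under the given conf directory (default /proc/sys/net/ipv4/conf) still set.
rp_filter_still_on() {
    dir=${1:-/proc/sys/net/ipv4/conf}
    for f in "$dir"/*/rp_filter; do
        [ -r "$f" ] || continue
        [ "$(cat "$f")" = "0" ] || echo "$f"
    done
}

# Static part, run once at firewall start.  Under netfilter the mark is set in
# the mangle table, and it must happen in PREROUTING so it is visible to the
# routing decision (the role of the ipchains input-chain rule).  The address
# rewrite is done by MASQUERADE on the outgoing interface, not by the ipchains
# MASQ target and not by an "ip rule ... nat" entry.
mark_rules() {
    run iptables -t mangle -A PREROUTING -s "$INSIDE" -p tcp --dport 80 \
        -j MARK --set-mark "$MARK"
    run iptables -t nat -A POSTROUTING -o "$BB_IF" -j MASQUERADE
}

# Dynamic part, run from the dhcpcd hook on every lease.  Same three rules as
# the post, minus the "nat $IPADDR" suffix: MASQUERADE already translates the
# source address using connection tracking, and iproute2's nat entries are the
# separate stateless address map.  Cleanup of the previous lease's entries is
# left out here, as it was in the post.
policy_routes() {
    ipaddr=$1
    gateway=$2
    run ip route add default via "$gateway" table "$TABLE"
    run ip rule add from "$ipaddr" table "$TABLE"
    run ip rule add prio 300 from "$INSIDE" fwmark "$MARK" table "$TABLE"
    run ip route flush cache
}

if [ $# -eq 2 ]; then
    forwarding_enabled || echo "warning: ip_forward is 0, set it to 1 first" >&2
    for f in $(rp_filter_still_on); do
        echo "warning: $f is not 0" >&2
    done
    mark_rules
    policy_routes "$1" "$2"
fi
```

Run it once in dry-run mode and compare the printed iptables and ip commands with the ipchains rules above: the mark and table numbers are the same, only the place where the mark is set (mangle PREROUTING) and the target doing the translation (MASQUERADE in nat POSTROUTING) change.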