[CentOS] making a route sticky
Aleksandar Milivojevic
alex at milivojevic.org
Tue Aug 9 16:47:07 UTC 2005
Quoting Les Mikesell <lesmikesell at gmail.com>:
> Does 'established' make any sense for anything but tcp?
Yes, it does.
For UDP packets, it means the firewall already saw a matching packet (in either direction). There's one thing to watch out for: there's a timeout for how long the kernel keeps UDP connection tracking tables, so if a "connection" (I know it's not a connection, but for lack of a better word) is idle for a bit longer time, the next packet will go to the "new" state. However, for some protocols it is still useful (for example DNS queries).

ICMP mostly goes to the "related" state. The ICMP ping reply goes to established.
Anyhow, back to the original problem.
There's a bug in the kernel (Netfilter). Well, there are several related to the same issue. If IPSec is in transport mode, the packets will go through the Netfilter tables only once (as the encrypted ESP packet). That's why the ICMP ping reply was in the new state. Netfilter never saw the ICMP ping request (it only saw the encrypted ESP packet).
The workaround is to configure IPSec in tunnel mode, but instead of using local network addresses for the policy, use the external IP address of the VPN gateway. This effectively gives the same functionality as transport mode.
According to the Netfilter developers, the bug is really hard to solve, and they were working on it for a very long time. Even in tunnel mode incoming packets are going through the Netfilter tables only once, but this time some chains are propagated with the encrypted packet, and some chains with the decrypted packet. So it is kind of usable, unless you want to do some fancy NATing. There were some proposed patches, but they were not good enough to be included into the mainstream kernel, and were finally abandoned.
Thanks for the hint to check out GRE. It works great (now that I'm aware of Netfilter's bug, and the ways to work around it). Now I have interfaces that I can route to, and even writing Netfilter firewall rules is much simpler than by using IPSec's tunneling. And I don't have to worry if my ADSL link goes down and up.

Hopefully it can also work between Linux and Cisco routers (can't test it out, none of my Cisco routers came with IPSec functionality enabled).
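As an added example (not code from the message above or from the CentOS project), the GRE setup the reply describes, written as a shell script: a GRE tunnel gives the gateway a real interface, so connection tracking sees the decapsulated ICMP, UDP and TCP packets and ESTABLISHED/RELATED matching works, unlike IPsec transport mode where the tables only ever see the outer ESP packet. All addresses and interface names are constructed assumptions; `DRY_RUN=1` prints the iproute2/iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the original message. Assumed (constructed)
# values: local public 198.51.100.10, peer 203.0.113.20, tunnel address
# 10.9.0.1/30, remote LAN 192.168.2.0/24, outside interface eth0, tunnel gre1.
LOCAL_PUB=${LOCAL_PUB:-198.51.100.10}
PEER_PUB=${PEER_PUB:-203.0.113.20}
TUN_IF=${TUN_IF:-gre1}
TUN_ADDR=${TUN_ADDR:-10.9.0.1/30}
REMOTE_LAN=${REMOTE_LAN:-192.168.2.0/24}
EXT_IF=${EXT_IF:-eth0}

# Execute a command, or with DRY_RUN=1 only print it for review.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the GRE tunnel: a real interface that can be routed to and filtered on.
gre_tunnel_up() {
  run ip tunnel add "$TUN_IF" mode gre local "$LOCAL_PUB" remote "$PEER_PUB" ttl 255
  run ip link set "$TUN_IF" up
  run ip addr add "$TUN_ADDR" dev "$TUN_IF"
  run ip route add "$REMOTE_LAN" dev "$TUN_IF"
}

# Filter on the tunnel interface. Packets arriving on gre1 are decapsulated,
# so connection tracking sees the inner ICMP/UDP/TCP, unlike IPsec transport
# mode where the tables only ever see the outer ESP packet.
gre_firewall() {
  # GRE (IP protocol 47) is only accepted on the outside from the known peer.
  run iptables -A INPUT -i "$EXT_IF" -p gre -s "$PEER_PUB" -j ACCEPT
  # Replies to anything we sent, including ICMP echo replies and DNS answers.
  run iptables -A INPUT -i "$TUN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$TUN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # New flows the peer side may open to this gateway.
  run iptables -A INPUT -i "$TUN_IF" -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
  run iptables -A INPUT -i "$TUN_IF" -p udp --dport 53 -m state --state NEW -j ACCEPT
  run iptables -A INPUT -i "$TUN_IF" -j DROP
}

# Self-check helper: number of generated rules that match on the tunnel interface.
tunnel_rule_count() {
  ( DRY_RUN=1; gre_firewall ) | grep -c -- "-i $TUN_IF"
}

if [ "${1:-}" = apply ]; then
  gre_tunnel_up
  gre_firewall
fi
```

GRE itself provides no confidentiality; the IPsec policy between the two gateway addresses that the message describes is what would protect the GRE packets on the outside interface.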