[CentOS] making a route sticky
Aleksandar Milivojevic
alex at milivojevic.org
Fri Aug 5 20:51:35 UTC 2005
Quoting Les Mikesell <lesmikesell at gmail.com>:
> On Fri, 2005-08-05 at 14:59, Aleksandar Milivojevic wrote:
>
>> > This should give you an interface that looks real enough to run zebra
>> > with rip or ospf and at least in theory it should work the same with
>> > a cisco at the other end.
>>
>> I've just run into one interesting problem with this approach. Seems that
>> Netfilter is getting confused or something... Or at least I wasn't
>> able to make a usable config.
>
> Does ifconfig show the GRE tunnel as a PTP interface or something with
> a reasonable netmask? If something is trying to figure out how to
> access it, you might want to make it look like a 4-host subnet
> (netmask 255.255.255.252) using the 2 usable addresses for the
> endpoints.
It shows up as a PtP interface to itself (!?). Strange, but it seems to
work. Well, at least as long as I don't have Netfilter enabled.
Basically, I configured GRE tunnel like this:
# ip tunnel add neta mode gre remote 1.2.3.4 local 4.3.2.1 ttl 255
# ip link set neta up
# ip addr add 10.0.0.2 dev neta
# ip route add 10.1.2.0/24 dev neta src 10.2.1.1
Anyhow, I'm still debugging the Netfilter stuff, and came across this strange
story of a single ICMP echo/reply's path through Netfilter's chains and tables:
mangle prerouting eth0 1.2.3.4 -> 4.3.2.1 ESP
nat prerouting eth0 1.2.3.4 -> 4.3.2.1 ESP
mangle input eth0 1.2.3.4 -> 4.3.2.1 ESP
filter input eth0 1.2.3.4 -> 4.3.2.1 ESP
mangle prerouting neta 10.1.2.1 -> 10.2.1.1 ICMP
nat prerouting neta 10.1.2.1 -> 10.2.1.1 ICMP
mangle input neta 10.1.2.1 -> 10.2.1.1 ICMP
filter input neta 10.1.2.1 -> 10.2.1.1 ICMP
So on an incoming packet, I never see GRE. A bit of a different story on an
output packet:
mangle output neta 10.2.1.1 -> 10.1.2.1 ICMP
filter output neta 10.2.1.1 -> 10.1.2.1 ICMP
mangle postrouting neta 10.2.1.1 -> 10.1.2.1 ICMP
mangle output eth0 4.3.2.1 -> 1.2.3.4 GRE
nat output eth0 4.3.2.1 -> 1.2.3.4 GRE
filter output eth0 4.3.2.1 -> 1.2.3.4 GRE
mangle postrouting eth0 4.3.2.1 -> 1.2.3.4 ESP
nat postrouting eth0 4.3.3.1 -> 1.2.3.4 ESP
This might be the reason why I'm experiencing problems with connection tracking
(various chains being skipped at some encapsulation levels). But I'm still in
the middle of debugging this thing... Will keep the group posted.
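As an added example (not code from the post or from CentOS), a small Python helper that reads a hook trace in the shape shown above, groups hops per interface and protocol, and reports which chains of the assumed mangle/nat/filter traversal order a flow never visited; the outbound trace from the post is reproduced as the sample input, and the EXPECTED chain lists are my assumption of the standard order, with the raw table left out because the post does not trace it.

```python
# Added example (not from the post): compare a Netfilter hook trace in the
# post's "<table> <chain> <iface> <src> -> <dst> <proto>" shape against the
# assumed mangle/nat/filter traversal order and list chains a flow skipped.
EXPECTED = {  # raw table omitted; the post does not trace it
    "input": ["mangle prerouting", "nat prerouting", "mangle input", "filter input"],
    "output": ["mangle output", "nat output", "filter output",
               "mangle postrouting", "nat postrouting"],
}

def parse_trace(text):
    """Parse trace lines into (table, chain, iface, src, dst, proto) tuples."""
    hops = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[4] != "->":
            raise ValueError("malformed trace line: %r" % line)
        table, chain, iface, src, _, dst, proto = parts
        hops.append((table, chain, iface, src, dst, proto))
    return hops

def missing_hooks(text, path):
    """Return {(iface, proto): [chains not visited]} for one traversal path.

    Grouping by (interface, protocol) separates the outer packet on eth0
    (GRE in OUTPUT, ESP in POSTROUTING in the post's trace) from the inner
    ICMP on neta. A missing nat chain is often benign: nat is consulted
    only for the first packet of a conntrack flow.
    """
    seen = {}
    for table, chain, iface, _, _, proto in parse_trace(text):
        seen.setdefault((iface, proto), set()).add("%s %s" % (table, chain))
    return {flow: [hook for hook in EXPECTED[path] if hook not in hooks]
            for flow, hooks in seen.items()}

# Sample input: the outbound trace from the post, reproduced verbatim.
OUTBOUND_TRACE = """
mangle output neta 10.2.1.1 -> 10.1.2.1 ICMP
filter output neta 10.2.1.1 -> 10.1.2.1 ICMP
mangle postrouting neta 10.2.1.1 -> 10.1.2.1 ICMP
mangle output eth0 4.3.2.1 -> 1.2.3.4 GRE
nat output eth0 4.3.2.1 -> 1.2.3.4 GRE
filter output eth0 4.3.2.1 -> 1.2.3.4 GRE
mangle postrouting eth0 4.3.2.1 -> 1.2.3.4 ESP
nat postrouting eth0 4.3.3.1 -> 1.2.3.4 ESP
"""

if __name__ == "__main__":
    for (iface, proto), gaps in missing_hooks(OUTBOUND_TRACE, "output").items():
        print("%s/%s skipped: %s" % (iface, proto, ", ".join(gaps) or "none"))
```

Run against the post's outbound trace it shows the inner ICMP skipping both nat chains and the outer packet changing protocol between OUTPUT (GRE) and POSTROUTING (ESP), which is the encapsulation-level gap the post describes.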