Martian source... Need to have route to other networks via internal interface. What to do?
Hi!

I have SLES9 and two interfaces, eth0 & eth1. eth0 has a real IP address like 217.x.x.x; eth1 has a local IP address, 192.168.0.1/24. The default gateway on this system belongs to the real IP address network 217.x.x.x via eth0. eth0 is described as the External interface in the SuSE firewall, eth1 as the Internal one. No NAT etc. Kernel security is on. The LAN has several nets like 192.168.x.0/24.

Accessing a net like 192.168.1.0/24 I got a 'martian source' kernel message. I tried to make a route to 192.168.1.0/24 via 192.168.0.254 but still have the same error log. Where to dig? I don't want to create aliases for each network (it works but is too ugly). Is a pretty solution possible for me?

Next, what do you recommend as a Linux implementation of Cisco's EIGRP? The Ciscos use EIGRP to keep routes between them using the 192.168.0.254/24 net.

Sergei Keler
General DataComm IT-manager
tel.: +7(812)325-1085
fax: +7(812)325-1086
Sergei Keler wrote:
Next, what do you recommend as a Linux implementation of Cisco's EIGRP? The Ciscos use EIGRP to keep routes between them using the 192.168.0.254/24 net.
1. EIGRP is proprietary to Cisco, and only runs on Cisco gear.

2. There is nothing in EIGRP that "keep routes between them using 192.168.0.254/24 net".

For a simplified explanation of EIGRP:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr...
or my website: http://www.911networks.com

The complete documentation for EIGRP is in the command reference.

Martians are used to create denials of service, since they cannot be routed through the Internet; therefore you cannot reply [Internet side] to a request from a martian address. Martians are dealt with at the firewall through either an access-list or, on Cisco routers, by issuing:

ip verify unicast reverse-path

on the outside interface, which verifies that this is an address that the router can reach.

--
Thanks
http://www.911networks.com
When the network has to work
Cisco/Microsoft
Hi*,

anyway, there will never be a net 192.168.0.254/24.

Syv Ritch wrote:
Sergei Keler wrote:
Next, what do you recommend as a Linux implementation of Cisco's EIGRP? The Ciscos use EIGRP to keep routes between them using the 192.168.0.254/24 net.
1. EIGRP is proprietary to Cisco, and only runs on Cisco gear. 2. There is nothing in EIGRP that "keep routes between them using 192.168.0.254/24 net". For a simplified explanation of EIGRP: [...]
Dirk

TRIA IT-consulting GmbH
Joseph-Wild-Straße 20
81829 München
Germany
Tel: +49 (89) 92907-0
Fax: +49 (89) 92907-100
http://www.tria.de
Register court München HRB 113466
VAT ID no. DE 180017238
Tax no. 802/40600
Managing director: Richard Hofbauer
Commercial management: Rosa Igl
--------------------------------------------------------
Message from: Dirk.Schreiner@tria.de
Message to: suse@911networks.com, skiller@gdc.ru, suse-security@suse.com
# Attachments: 0
192.168.0.254 is a legitimate RFC1918 address. It's not publicly routable but it's fine to use behind a proxy or NAT gateway in a private network.

On Tue, 22 Nov 2005, Dirk Schreiner wrote:
Hi*,
anyway, there will never be a net 192.168.0.254/24.
Syv Ritch wrote:
Sergei Keler wrote:
Next, what do you recommend as a Linux implementation of Cisco's EIGRP? The Ciscos use EIGRP to keep routes between them using the 192.168.0.254/24 net.
1. EIGRP is proprietary to Cisco, and only runs on Cisco gear. 2. There is nothing in EIGRP that "keep routes between them using 192.168.0.254/24 net". For a simplified explanation of EIGRP: [...]
Dirk
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
Yes. That's right.

But..

                        217.x.x.y
Internet --- [ cisco router ] -----------------+
     eth0 217.x.x.x                            |192.168.0.254
     [linux box]                          [switch] --------------------+
     eth1 192.168.0.1/24                       |
                              Several LANs including 192.168.1.0/24 for example...

The Linux box doesn't need to route outside the LAN. It must use the specified GW to route to the other LAN networks. If I use YaST to add routes it works strangely. Manually adding a route like:

route add -net 192.168.1.0/24 gw 192.168.0.254

works! [censored]! Still [censored] with YaST and its environment to keep the reached configuration :-)

Next step will be adding dynamic routing driven by the Cisco :-(

Sergei Keler
General DataComm IT-manager
tel.: +7(812)325-1085
fax: +7(812)325-1086

On 22.11.2005, at 17:38, Dana Hudes wrote:
192.168.0.254 is a legitimate RFC1918 address. It's not publicly routable but it's fine to use behind a proxy or NAT gateway in a private network.
On Tue, 22 Nov 2005, Dirk Schreiner wrote:
Hi*,
anyway, there will never be a net 192.168.0.254/24.
Syv Ritch wrote:
Sergei Keler wrote:
Next, what do you recommend as a Linux implementation of Cisco's EIGRP? The Ciscos use EIGRP to keep routes between them using the 192.168.0.254/24 net.
1. EIGRP is proprietary to Cisco, and only runs on Cisco gear. 2. There is nothing in EIGRP that "keep routes between them using 192.168.0.254/24 net". For a simplified explanation of EIGRP: [...]
Dirk
Your Linux box can't send packets outside the LAN unless you use NAT on the router, since your diagram does not include a proxy (Cisco can NAT but it isn't a proxy).

EIGRP is not going to work on a Linux system; it is proprietary. Furthermore, the Linux system is a host. It is not supposed to run a dynamic routing protocol. The Cisco router is supposed to have routes for all your other subnets -- interface routes, not dynamic ones. This can be from subinterfaces or physical ones.

The Linux host gets 1 static route: default, with gw 192.168.0.254

Send packets to the router and let it do its job. Don't go running zebra and stuff on Linux unless you want it to be a router. That only makes sense for more sophisticated situations where the cost of a Cisco interface is much more expensive than a PC. Also remember that a Cisco router WILL forward packets MUCH faster than a PC. It has special hardware inside for this purpose.

On Tue, 22 Nov 2005, Sergei Keler wrote:
Yes. That's right.
But..

                        217.x.x.y
Internet --- [ cisco router ] -----------------+
     eth0 217.x.x.x                            |192.168.0.254
     [linux box]                          [switch] --------------------+
     eth1 192.168.0.1/24                       |
                              Several LANs including 192.168.1.0/24 for example...

The Linux box doesn't need to route outside the LAN. It must use the specified GW to route to the other LAN networks. If I use YaST to add routes it works strangely. Manually adding a route like:

route add -net 192.168.1.0/24 gw 192.168.0.254

works! [censored]! Still [censored] with YaST and its environment to keep the reached configuration :-)

Next step will be adding dynamic routing driven by the Cisco :-(

Sergei Keler
General DataComm IT-manager
tel.: +7(812)325-1085
fax: +7(812)325-1086
On 22.11.2005, at 17:38, Dana Hudes wrote:
192.168.0.254 is a legitimate RFC1918 address. It's not publicly routable but it's fine to use behind a proxy or NAT gateway in a private network.
On Tue, 22 Nov 2005, Dirk Schreiner wrote:
Hi*,
anyway, there will never be a net 192.168.0.254/24.
Syv Ritch wrote:
Sergei Keler wrote:
Next, what do you recommend as a Linux implementation of Cisco's EIGRP? The Ciscos use EIGRP to keep routes between them using the 192.168.0.254/24 net.
1. EIGRP is proprietary to Cisco, and only runs on Cisco gear. 2. There is nothing in EIGRP that "keep routes between them using 192.168.0.254/24 net". For a simplified explanation of EIGRP: [...]
Dirk
Hi!

I can't use aliases. Too many networks and too frequent changes...

It works with zebra:

# sh ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       B - BGP, > - selected route, * - FIB route

S   0.0.0.0/0 [1/0] via 217.195.78.46, eth1
K>* 0.0.0.0/0 via 217.195.78.46, eth1
K * 127.0.0.0/8 is directly connected, lo
C>* 127.0.0.0/8 is directly connected, lo0
C>* 192.168.0.0/24 is directly connected, eth0
S   192.168.1.0/25 [1/0] via 192.168.0.254, eth0
S>* 192.168.254.0/24 [1/0] via 192.168.0.254, eth0
C>* 217.195.78.32/28 is directly connected, eth1

And packets from 192.168.1.0/24 can now reach this computer... Heh.. Now I'm trying to bring up OSPF between the Ciscos and the Linuxes...

This computer is not a router but needs to have routes to other networks not through the default gw. The net information is not so static that I can keep the routes manually... Hehhh... 7 Linuxes and 9 Ciscos... :-|

So, EIGRP is much faster than the OSPF I chose for Linux. I hope I can use EIGRP between the Ciscos and OSPF between the Linuxes and one Cisco 'main router'.

Sergei Keler
General DataComm IT-manager
tel.: +7(812)325-1085
fax: +7(812)325-1086

On 22.11.2005, at 18:24, Dana Hudes wrote:
Your Linux box can't send packets outside the LAN unless you use NAT on the router, since your diagram does not include a proxy (Cisco can NAT but it isn't a proxy).
EIGRP is not going to work on a Linux system; it is proprietary. Furthermore, the Linux system is a host. It is not supposed to run a dynamic routing protocol. The Cisco router is supposed to have routes for all your other subnets -- interface routes, not dynamic ones. This can be from subinterfaces or physical ones.

The Linux host gets 1 static route: default, with gw 192.168.0.254
I can't do it. I need the default gw to the real address :-(
Send packets to the router and let it do its job. Don't go running zebra and stuff on Linux unless you want it to be a router. That only makes sense for more sophisticated situations where the cost of a Cisco interface is much more expensive than a PC. Also remember that a Cisco router WILL forward packets MUCH faster than a PC. It has special hardware inside for this purpose.
On Tue, 22 Nov 2005, Sergei Keler wrote:
Yes. That's right.
But..

                        217.x.x.y
Internet --- [ cisco router ] -----------------+
     eth0 217.x.x.x                            |192.168.0.254
     [linux box]                          [switch] --------------------+
     eth1 192.168.0.1/24                       |
                              Several LANs including 192.168.1.0/24 for example...

The Linux box doesn't need to route outside the LAN. It must use the specified GW to route to the other LAN networks. If I use YaST to add routes it works strangely. Manually adding a route like:

route add -net 192.168.1.0/24 gw 192.168.0.254

works! [censored]! Still [censored] with YaST and its environment to keep the reached configuration :-)

Next step will be adding dynamic routing driven by the Cisco :-(

Sergei Keler
General DataComm IT-manager
tel.: +7(812)325-1085
fax: +7(812)325-1086
On 22.11.2005, at 17:38, Dana Hudes wrote:
192.168.0.254 is a legitimate RFC1918 address. It's not publicly routable but it's fine to use behind a proxy or NAT gateway in a private network.
On Tue, 22 Nov 2005, Dirk Schreiner wrote:
Hi*,
anyway, there will never be a net 192.168.0.254/24.
Syv Ritch wrote:
Sergei Keler wrote:
Next, what do you recommend as a Linux implementation of Cisco's EIGRP? The Ciscos use EIGRP to keep routes between them using the 192.168.0.254/24 net.
1. EIGRP is proprietary to Cisco, and only runs on Cisco gear. 2. There is nothing in EIGRP that "keep routes between them using 192.168.0.254/24 net". For a simplified explanation of EIGRP: [...]
Dirk
Sergei Keler wrote:
Hi!
I have SLES9 and two interfaces, eth0 & eth1. eth0 has a real IP address like 217.x.x.x; eth1 has a local IP address, 192.168.0.1/24. The default gateway on this system belongs to the real IP address network 217.x.x.x via eth0. eth0 is described as the External interface in the SuSE firewall, eth1 as the Internal one. No NAT etc. Kernel security is on. The LAN has several nets like 192.168.x.0/24.

Accessing a net like 192.168.1.0/24 I got a 'martian source' kernel message. I tried to make a route to 192.168.1.0/24 via 192.168.0.254 but still have the same error log. Where to dig? I don't want to create aliases for each network (it works but is too ugly). Is a pretty solution possible for me?
Linux has multiple routing tables, so you can have multiple default gateways. For example you can do:

ip rule add to 192.168.0.0/16 table 100
ip route add table 100 default via 192.168.0.254 dev eth1

See ip rule help, ip route help, or read http://lartc.org/howto/

Muralito.
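The following is an added example, not code from the thread or from any of its posters. It models what the kernel does when strict reverse-path filtering (rp_filter, the same check Syv Ritch describes for Cisco's "ip verify unicast reverse-path") meets the policy-routing rule Muralito gives: for every incoming packet the kernel looks up the route back to the source address, and if that route would leave through a different interface than the one the packet arrived on, the packet is dropped and, with log_martians on, a "martian source" line is logged. The model implements the rule/table lookup and the reverse-path check, then runs three constructed packets through the "before" and "after" configurations. All addresses are constructed: 198.51.100.0/24 stands in for the 217.x.x.x public range, and the lookup is simplified to the main table plus table 100 (the kernel's local table is left out). One line goes beyond Muralito's two commands: table 100 also carries the connected 192.168.0.0/24 route, because the "to 192.168.0.0/16" selector otherwise sends traffic for the directly attached /24 through the router as well.

```python
"""Model of strict rp_filter over Linux policy routing (added example).

Shows why a reply from 192.168.1.0/24 arriving on eth1 is logged as a
'martian source' when the only route back to it is the default route on
eth0, and why an 'ip rule ... table 100' that routes 192.168.0.0/16 via
192.168.0.254 on eth1 makes the check pass. Addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network      # destination prefix; 0.0.0.0/0 is 'default'
    dev: str                           # outgoing interface
    via: Optional[str] = None          # next-hop gateway, None for a connected route


@dataclass(frozen=True)
class Rule:
    table: int                                   # table consulted when the rule matches
    to: Optional[ipaddress.IPv4Network] = None   # 'ip rule add to X' selector; None = any


MAIN = 254  # id of the kernel 'main' table (the 'local' table is omitted in this model)


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


def lookup(dst: str, rules: List[Rule], tables: Dict[int, List[Route]]) -> Optional[Route]:
    """Policy-routing lookup: rules in priority order, longest prefix inside a
    table; a table with no matching route falls through to the next rule,
    which is how the kernel FIB behaves."""
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.to is not None and addr not in rule.to:
            continue
        hits = [r for r in tables.get(rule.table, []) if addr in r.prefix]
        if hits:
            return max(hits, key=lambda r: r.prefix.prefixlen)
    return None


def is_martian(src: str, in_dev: str, rules: List[Rule], tables: Dict[int, List[Route]]) -> bool:
    """Strict reverse-path check (rp_filter=1): the route back to the source
    must leave through the interface the packet came in on."""
    back = lookup(src, rules, tables)
    return back is None or back.dev != in_dev


def base_config() -> Tuple[List[Rule], Dict[int, List[Route]]]:
    # The poster's starting point: default gateway on the public side (eth0),
    # only the connected 192.168.0.0/24 on the internal side (eth1).
    tables = {MAIN: [
        Route(net("198.51.100.32/28"), "eth0"),                 # constructed 'real' net
        Route(net("192.168.0.0/24"), "eth1"),
        Route(net("0.0.0.0/0"), "eth0", via="198.51.100.46"),   # constructed public gateway
    ]}
    return [Rule(MAIN)], tables


def with_policy_route() -> Tuple[List[Rule], Dict[int, List[Route]]]:
    # ip rule add to 192.168.0.0/16 table 100
    # ip route add table 100 default via 192.168.0.254 dev eth1
    # plus (added here): ip route add table 100 192.168.0.0/24 dev eth1,
    # so the connected /24 is not pushed through the router by the /16 selector.
    rules, tables = base_config()
    rules = [Rule(100, to=net("192.168.0.0/16"))] + rules
    tables[100] = [
        Route(net("192.168.0.0/24"), "eth1"),
        Route(net("0.0.0.0/0"), "eth1", via="192.168.0.254"),
    ]
    return rules, tables


def demo() -> Dict[str, Dict[str, bool]]:
    """True means the kernel would drop the packet and log 'martian source'."""
    cases = {
        "lan_reply_on_eth1": ("192.168.1.5", "eth1"),        # the poster's problem packet
        "spoofed_lan_src_on_eth0": ("192.168.1.5", "eth0"),  # private source from the outside
        "unknown_src_on_eth1": ("10.9.9.9", "eth1"),         # net with no route via eth1
    }
    out: Dict[str, Dict[str, bool]] = {}
    for label, (rules, tables) in (("before", base_config()), ("after", with_policy_route())):
        out[label] = {name: is_martian(src, dev, rules, tables)
                      for name, (src, dev) in cases.items()}
    return out


if __name__ == "__main__":
    for label, verdicts in demo().items():
        for name, martian in verdicts.items():
            print(f"{label:6} {name:26} {'martian source' if martian else 'accepted'}")
```

Two things the run makes visible that the commands alone do not: the policy rule clears the LAN reply on eth1 without loosening the check for a source nobody routes via eth1, and it tightens the public side, because before the rule a packet claiming a 192.168.1.x source on eth0 passed the reverse-path test (the return route was the default route on eth0) and afterwards it is rejected. On a real box the equivalent check is `ip route get <src> iif <dev>`, and the sysctls involved are net.ipv4.conf.*.rp_filter and net.ipv4.conf.*.log_martians.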
Thanks a lot! Nice solution...

Sergei Keler
General DataComm IT-manager
tel.: +7(812)325-1085
fax: +7(812)325-1086

On 24.11.2005, at 3:24, Muralito wrote:
Sergei Keler wrote:
Hi!

I have SLES9 and two interfaces, eth0 & eth1. eth0 has a real IP address like 217.x.x.x; eth1 has a local IP address, 192.168.0.1/24. The default gateway on this system belongs to the real IP address network 217.x.x.x via eth0. eth0 is described as the External interface in the SuSE firewall, eth1 as the Internal one. No NAT etc. Kernel security is on. The LAN has several nets like 192.168.x.0/24.

Accessing a net like 192.168.1.0/24 I got a 'martian source' kernel message. I tried to make a route to 192.168.1.0/24 via 192.168.0.254 but still have the same error log. Where to dig? I don't want to create aliases for each network (it works but is too ugly). Is a pretty solution possible for me?
Linux has multiple routing tables, so you can have multiple default gateways. For example you can do:

ip rule add to 192.168.0.0/16 table 100
ip route add table 100 default via 192.168.0.254 dev eth1

See ip rule help, ip route help, or read http://lartc.org/howto/
Muralito.
participants (5)
- Dana Hudes
- Dirk Schreiner
- Muralito
- Sergei Keler
- Syv Ritch