On 12/16/2009 04:12 PM, Moby wrote:
On 12/16/2009 09:20 AM, Alexander R wrote:
2009/12/16 Moby <moby@mobsternet.com>:
The setup involved in this issue was working perfectly fine with oss 10.X and 11.1. The problem arose after an in-place upgrade to oss 11.2.
Basically the machine (call it machine A with internal IP address 192.168.10.10) is configured to do masquerade via iptables (with a custom script). The relevant line is:
$IPTABLES -t mangle -A PREROUTING -m iprange --src-range 192.168.10.50-192.168.10.200 -j MARK --set-mark 2
$IPTABLES -t mangle -A FORWARD -m iprange --src-range 192.168.10.50-192.168.10.200 -j MARK --set-mark 2
$IPTABLES -t nat -A POSTROUTING -m mark --mark 2 -o comcast1 -j MASQUERADE
Once this is in place, initiating (for example) ping www.yahoo.com from a machine with IP address 192.168.10.52 shows that traffic is making its way to machine A on A's internal interface, then the traffic is getting "masqueraded" (the packet's source IP gets changed to the valid public address of machine A) and sent out the interface called comcast1; the reply comes back from www.yahoo.com and enters machine A properly on interface comcast1, and that's it ... the packet never gets mapped back to the inside host that sent it. I see this sequence of events in a packet capture btw (Wireshark with capture on the pseudo-interface to capture all interfaces).
This exact same script worked fine with oss11.1 and earlier versions - is anyone here aware of any changes in oss11.2 that could prevent something like this from working?
Thanks in advance for any help,
-- --Moby
What do you see in your /var/log/firewall? (Check in "yast2 firewall" that "Log critical packets"... is enabled.)
After much more googling and oogling, it appears that I am running into a 2.6.31 kernel bug as described at http://www.linuxforums.org/forum/linux-security/155418-2-6-31-iptables-ignor... and http://bugs.gentoo.org/show_bug.cgi?id=295934 So it appears the issue is not so much with masquerade as with fwmark based routing. I plan on running more diagnostics when I am physically at the machine and will post the results.
The issue is resolved. The problem was indeed with policy based routing (marking packets with iptables, then using ip rule to send differently marked packets through different routing tables). Apparently the role or interpretation of the /proc/sys/net/ipv4/conf/x/rp_filter file (where x=all, default, or any interface name) has changed in a rather significant way in kernels 2.6.31 and higher. Echoing a 0 into said file resolved the issue. Thanks to everyone for their help.
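The thread's fix combines three pieces: the mangle/nat rules quoted in the first message, an ip rule that routes marked packets through a separate table, and a permissive rp_filter on the interfaces involved. The script below is an added example, not Moby's script from the thread; it reuses the thread's range, mark and interface name, while the table number, gateway address and the sample /proc tree are constructed assumptions. It runs unprivileged in dry-run mode (DRYRUN=1, the default, prints the commands instead of executing them) and includes a checker that lists every conf entry still in strict mode, since the kernel applies max(all, interface), so a 0 on comcast1 alone does nothing while all/rp_filter is 1.

```shell
#!/bin/sh
# Added example for the opensuse thread above; not the poster's own script.
# Values from the thread: LAN range, fwmark 2, WAN interface comcast1.
LAN_RANGE="192.168.10.50-192.168.10.200"
WAN_IF="comcast1"
MARK=2
TABLE=200               # assumed routing table number for marked traffic
WAN_GW="203.0.113.1"    # constructed gateway address (documentation range)

# DRYRUN=1 (default) echoes each command; DRYRUN=0 executes it (needs root).
run() { if [ "${DRYRUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Mark traffic from the LAN range, masquerade it out the WAN interface,
# and steer marked packets to their own routing table. The FORWARD-chain
# MARK rule from the thread is omitted: the PREROUTING mark already sticks
# to the skb for the rest of its path.
pbr_setup() {
  run iptables -t mangle -A PREROUTING -m iprange --src-range "$LAN_RANGE" -j MARK --set-mark "$MARK"
  run iptables -t nat -A POSTROUTING -m mark --mark "$MARK" -o "$WAN_IF" -j MASQUERADE
  run ip route add default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
  run ip rule add fwmark "$MARK" table "$TABLE"
  # On 2.6.31+ strict reverse-path filtering drops the replies arriving on
  # the WAN side when the return route lives in a non-main table, which is
  # what the thread hit. Relax it on the WAN interface and on "all", since
  # the effective value is max(all, interface).
  run sysctl -w "net.ipv4.conf.$WAN_IF.rp_filter=0"
  run sysctl -w net.ipv4.conf.all.rp_filter=0
}

# Print every conf entry under $1 (default /proc/sys/net/ipv4/conf) whose
# rp_filter is 1 (strict). Output is sorted by the shell glob, so "all"
# comes first when it is still strict and overriding everything else.
strict_rp_filter_ifaces() {
  root="${1:-/proc/sys/net/ipv4/conf}"
  for f in "$root"/*/rp_filter; do
    [ -f "$f" ] || continue
    if [ "$(cat "$f")" = 1 ]; then basename "$(dirname "$f")"; fi
  done
}

# Constructed stand-in for /proc/sys/net/ipv4/conf so the checker can be
# exercised offline: all/default/comcast1 strict, eth0 already relaxed.
make_sample_conf_tree() {
  d=$(mktemp -d)
  for i in all default comcast1 eth0; do mkdir -p "$d/$i"; done
  echo 1 > "$d/all/rp_filter"
  echo 1 > "$d/default/rp_filter"
  echo 1 > "$d/comcast1/rp_filter"
  echo 0 > "$d/eth0/rp_filter"
  echo "$d"
}

# Usage: sh this_script.sh   (dry run)   |   DRYRUN=0 sh this_script.sh
if [ "${0##*/}" != "sh" ] && [ "$(basename "$0")" = "$(basename "${BASH_SOURCE:-$0}")" ]; then
  pbr_setup
  echo "# strict rp_filter entries in sample tree:"
  strict_rp_filter_ifaces "$(make_sample_conf_tree)"
fi
```

Run the checker against the real tree (strict_rp_filter_ifaces with no argument) after applying the rules; any name it prints is a candidate for the packet loss described above. Kernels from 2.6.39 on also accept rp_filter=2 (loose mode), which keeps a sanity check on source addresses while allowing asymmetric routes, so that is the value to prefer over 0 where the kernel supports it.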