LinuxQuestions.org > Linux - Networking > static route for iptables NAT and tun/tap device
Thread URL: https://www.linuxquestions.org/questions/linux-networking-3/static-route-for-iptables-nat-and-tun-tap-device-725230/

j-osh 05-11-2009 11:50 AM

[SOLVED] static route for iptables NAT and tun/tap device
 
So there isn't much info out there related to what I am trying to do.

The basic idea is that I setup iptables for a NAT between eth0 (wired, internal side of NAT) and tun0 (virtual, external side of NAT). Then I take the packets from tun0, encapsulate them and send them out ath0 (wireless), much like a VPN tunnel.

This basic idea works in some situations...namely as long as all the interfaces are on different networks. The problem I have is that the current setup requires that my tun0 be part of the same subnet as the machine that I am receiving all my return traffic from, i.e., the machine ath0 is connected to. After much digging I have found that the kernel just isn't properly routing the packets back to ath0.

I am really confused because I see packets in wireshark when I am capturing on the ath0 dev but my code never receives any of these packets, even though the packets have clearly the same destination IP address as that of my ath0. However if I tear down the NAT and the routes corresponding to tun0 my code receives all the packets.

The only thing I can figure is that the kernel is getting confused since the packet is sourced from an IP on the same subnet as the tun0 device.

Is there a reason why the kernel wouldn't route the packet even though the destination IP address is that of ath0?

Is there any good documentation on when/how the kernel exactly makes its routing decisions, and if the kernel tries to optimize routes, how it is doing that?

The routing table when using the NAT is the following:

Code:

Destination     Gateway         Genmask           Flags   Iface
w.x.y.z         0.0.0.0         255.255.255.255   UH      ath0
10.10.10.0      0.0.0.0         255.255.255.0     U       eth1
0.0.0.0         a.b.c.d         0.0.0.0           UG      tun0
0.0.0.0         0.0.0.0         0.0.0.0           U       ath0


and the packets that don't get routed are dest_ip=w.x.y.z and source_ip=a.b.c.e

And the setup is like:
internal network ---> eth1 -> NAT -> tun0 ------> ath0 ----> Internet

Thanks

j-osh 05-11-2009 03:30 PM

So I got a copy of "Understanding Linux Network Internals" and after digging through that for awhile came across something I didn't know.

There is something called Reverse Path Filtering that will drop any packet whose source IP address is not reachable through the device the packet was received from, according to the routing table.

Which was happening in my case since the tun0 device was the same subnet as the source address of packets received on ath0.

To turn it off:
Code:

echo 0 > /proc/sys/net/ipv4/conf/ath0/rp_filter
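As an added illustration (not code from the thread), the following Python simulates the strict reverse-path check described in the post above against a routing table shaped like the one in the first post. The addresses are constructed stand-ins for the placeholders (198.51.100.10 for w.x.y.z, 203.0.113.1 for a.b.c.d, 203.0.113.2 for a.b.c.e), the route lookup is a plain longest-prefix match that ignores metrics (an assumption; among equal prefixes the earlier line wins, matching the order shown), and only the standard-library ipaddress module is used. It also models the two points a practitioner wants to know before running that echo: the value the kernel actually applies is the maximum of conf/all/rp_filter and the per-interface value (so the echo does nothing while all/rp_filter is 1), and loose mode (rp_filter=2, present in kernels from 2.6.31 on) accepts the packet without giving up the anti-spoofing check entirely.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One line of the routing table (Destination/Genmask, Gateway, Iface)."""
    dest: ipaddress.IPv4Network
    gateway: str            # "0.0.0.0" means directly connected
    iface: str


def parse_table(lines):
    """Parse 'destination netmask gateway iface' lines (a constructed layout,
    not the exact `route -n` output) into Route objects, keeping table order."""
    table = []
    for line in lines:
        dest, mask, gw, iface = line.split()
        table.append(Route(ipaddress.ip_network(f"{dest}/{mask}"), gw, iface))
    return table


def lookup(table, ip):
    """Longest-prefix match. Among equal prefixes the earlier line wins,
    which mirrors the order shown in the post (tun0 default listed first).
    Metrics are ignored (assumption made for this illustration)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for r in table:
        if addr in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    return best


def effective_rp_filter(all_value, iface_value):
    """Per the kernel's ip-sysctl documentation, the value applied on an
    interface is max(conf/all/rp_filter, conf/<iface>/rp_filter)."""
    return max(all_value, iface_value)


def rpf_verdict(table, src_ip, in_iface, mode):
    """Return 'accept' or 'drop' for a packet with source src_ip that arrived
    on in_iface, under rp_filter mode 0 (off), 1 (strict) or 2 (loose)."""
    if mode == 0:
        return "accept"
    route = lookup(table, src_ip)
    if route is None:
        return "drop"          # no route back at all: dropped in strict and loose mode
    if mode == 2:
        return "accept"        # loose: any route to the source is enough
    return "accept" if route.iface == in_iface else "drop"   # strict: same interface required


# Constructed stand-ins for the placeholders in the first post:
#   198.51.100.10 = w.x.y.z (ath0's address), 203.0.113.1 = a.b.c.d (gateway
#   reached via tun0), 203.0.113.2 = a.b.c.e (source of the packets seen on ath0).
TABLE = parse_table([
    "198.51.100.10 255.255.255.255 0.0.0.0     ath0",
    "10.10.10.0    255.255.255.0   0.0.0.0     eth1",
    "0.0.0.0       0.0.0.0         203.0.113.1 tun0",
    "0.0.0.0       0.0.0.0         0.0.0.0     ath0",
])


def thread_case(mode):
    """The packet from the thread: source a.b.c.e arriving on ath0."""
    return rpf_verdict(TABLE, "203.0.113.2", "ath0", mode)


if __name__ == "__main__":
    for mode in (1, 2, 0):
        print(f"rp_filter={mode}: {thread_case(mode)}")
    # What strict mode exists for: a packet claiming an internal source
    # address but arriving from the wireless side.
    print("spoofed 10.10.10.5 on ath0, strict:",
          rpf_verdict(TABLE, "10.10.10.5", "ath0", 1))
    print("effective mode with all=1, ath0=0:", effective_rp_filter(1, 0))
```

Running it shows the thread's packet dropped under strict mode because the best route back to 203.0.113.2 is the default via tun0, not ath0, while loose mode and off both accept it; the spoofed-internal-source case shows what the check protects against, which is why setting the wireless-facing interface to 2 rather than 0 (and checking conf/all/rp_filter, since the maximum wins) is the narrower change.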

muradcsc 10-05-2015 06:26 AM

Hi

I am having a similar problem; it seems you can help me find a way out.

I have created a virtual interface, tap0.
The situation is described below.
I have an eth0 interface which has internet, i.e.
ping -I eth0 google.com
PING google.com (103.12.179.230) from 192.168.30.34 eth0: 56(84) bytes of data.
64 bytes from cache.google.com (103.12.179.230): icmp_req=1 ttl=53 time=6.54 ms
The virtual interface (tap1) was created on Ubuntu 12.04.2 LTS as follows:

tunctl -u root
Set 'tap0' persistent and owned by 'someuser'

Then, configure the interface as normal:

# ifconfig tap0 192.168.0.254 up
# route add -host 192.168.0.253 dev tap0
# bash -c 'echo 1 > /proc/sys/net/ipv4/conf/tap0/proxy_arp'
# arp -Ds 192.168.0.253 eth0 pub



NAT commands executed as follows:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface tap0 -j ACCEPT



root@ubuntu:~# ping -I tap1 google.com
PING google.com (103.12.179.241) from 192.168.0.254 tap1: 56(84) bytes of data.
From 192.168.0.254 icmp_seq=1 Destination Host Unreachable
From 192.168.0.254 icmp_seq=2 Destination Host Unreachable
From 192.168.0.254 icmp_seq=3 Destination Host Unreachable
^

route -n
Kernel IP routing table
Destination      Gateway          Genmask           Flags  Metric  Ref  Use  Iface
0.0.0.0          192.168.0.254    0.0.0.0           UG     0       0    0    tap1
0.0.0.0          192.168.30.254   0.0.0.0           UG     100     0    0    eth0
192.168.0.0      0.0.0.0          255.255.255.0     U      0       0    0    tap1
192.168.0.253    0.0.0.0          255.255.255.255   UH     0       0    0    tap1
192.168.30.0     0.0.0.0          255.255.255.0     U      0       0    0    eth0

Internal network -> tap0 -> eth0 -> Internet

Please advise!

