Re: [Fwbuilder-discussion] -j ROUTE --OIF option
From: denpun <li...@sh...> - 2007-07-19 22:45:07
Hi again,
looks like the Debian Etch stock kernel does not support the ROUTE target even though it is compiled into iptables.
I recompiled the kernel with the Patch-O-Matic patches and the error disappears.
I cannot fully confirm that the route is working since I have to leave, but the error is gone and it accepts the mangle with route target rule.
Will fully report tomorrow.
Thanks for your help.

Vadim Kurland wrote:
> On Jul 19, 2007, at 7:35 AM, denpun wrote:
>
>> Sorry forgot to tell you about it...last post...
>> Yes, the man page for iptables does list the route target and oif options.
>> I'm using Debian Etch with kernel 2.6.18-4
>>
>> You think this problem has something to do with
>> CONFIG_IP_ROUTE_MULTIPATH_CACHED being enabled in Etch. Do a search on
>> google for CONFIG_IP_ROUTE_MULTIPATH_CACHED and Debian Etch and the routing
>> problems it has caused.
>> Do you think it has something to do with that?
>
> no, I do not think so, option CONFIG_IP_ROUTE_MULTIPATH_CACHED is not
> for iptables
>
> --vk
>
>> Vadim Kurland wrote:
>>> On Jul 19, 2007, at 5:45 AM, denpun wrote:
>>>
>>>> I am running Debian Etch which is supposedly running a stable version of
>>>> iptables, actually it's 1.3.6.
>>>> You still think it could be an iptables problem?
>>>
>>> what does the man page for iptables say ? Does it list ROUTE target ?
>>> If yes, and iptables does not accept this target, then iptables is
>>> broken.
>>>
>>>> While searching the list archives I also found this
>>>> http://www.nabble.com/action-route-in-fwbuilder-with-ubuntu-6.10-tf3553920.html#a9925579
>>>> Do you think it's related?
>>>
>>> the error message reported there was different, although also related
>>> to the ROUTE target.
>>>
>>> --vk
>>>
>>>> Vadim Kurland wrote:
>>>>> On Jul 18, 2007, at 3:50 PM, denpun wrote:
>>>>>
>>>>>> My rules look like
>>>>>> $IPTABLES -N Out_RULE_1 -t mangle
>>>>>> $IPTABLES -t mangle -A POSTROUTING -o eth2 -s 10.1.0.0/16 -j Out_RULE_1
>>>>>> $IPTABLES -t mangle -A Out_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ROUTE "
>>>>>> #$IPTABLES -t mangle -A Out_RULE_1 -j ROUTE --oif eth3 --gw 200.32.233.81 --continue
>>>>>>
>>>>>> Of the four of them, I comment them out one by one and it looks like it
>>>>>> errors out on the last/fourth rule
>>>>>> $IPTABLES -t mangle -A Out_RULE_1 -j ROUTE --oif eth3 --gw 200.32.233.81 --continue
>>>>>>
>>>>>> must I have a special module enabled for this to work or something or is it
>>>>>> available by default in the kernel.
>>>>>
>>>>> Try "man iptables" on the firewall and see if target ROUTE is listed
>>>>> and if it has option --oif. If man page says it is there, and
>>>>> iptables errors out on this command, this looks like broken iptables
>>>>> installation. Unfortunately I do not know how this can be fixed,
>>>>> short of recompiling iptables.
>>>>>
>>>>> --vk
>>>>>
>>>>>> Vadim Kurland wrote:
>>>>>>> On Jul 18, 2007, at 3:40 PM, denpun wrote:
>>>>>>>
>>>>>>>> Sorry..actually I just noticed something.....
>>>>>>>> I made one small change to the rule by adding direction....
>>>>>>>>
>>>>>>>> $IPTABLES -N Out_RULE_1 -t mangle
>>>>>>>> $IPTABLES -t mangle -A POSTROUTING -o eth2 -s 10.1.0.0/16 -j Out_RULE_1
>>>>>>>> $IPTABLES -t mangle -A Out_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ROUTE "
>>>>>>>> $IPTABLES -t mangle -A Out_RULE_1 -j ROUTE --oif eth3 --continue
>>>>>>>>
>>>>>>>> I get the following error......
>>>>>>>> iptables: No chain/target/match by that name
>>>>>>>> I commented out the code and the error goes away..
>>>>>>>
>>>>>>> which iptables command you get this error for ?
>>>>>>>
>>>>>>>> I also reverted to back what I had..which is what I originally had...which
>>>>>>>> is what I posted earlier...
>>>>>>>> the error is still there...
>>>>>>>>
>>>>>>>> ----------------------------------------------------------------
>>>>>>>> The rule gets applied fine..without any problems...
>>>>>>>> The log reads as follows...
>>>>>>>>
>>>>>>>> Jul 18 16:29:39 janus kernel: RULE 8 -- ACCEPT IN=eth1 OUT=eth2 SRC=10.1.200.201 DST=64.233.167.99 LEN=40 TOS=0x00 PREC=0x00 TTL=10 ID=45690 PROTO=UDP SPT=45656 DPT=33468 LEN=20
>>>>>>>> Jul 18 16:29:39 janus kernel: RULE 1 -- ROUTE IN= OUT=eth2 SRC=10.1.200.201 DST=64.233.167.99 LEN=40 TOS=0x00 PREC=0x00 TTL=10 ID=45690 PROTO=UDP SPT=45656 DPT=33468 LEN=20
>>>>>>>>
>>>>>>>> Vadim Kurland wrote:
>>>>>>>>> On Jul 18, 2007, at 2:57 PM, denpun wrote:
>>>>>>>>>
>>>>>>>>>> Greetings
>>>>>>>>>> I am using FWBUILDER 2.1.8....
>>>>>>>>>>
>>>>>>>>>> As per
>>>>>>>>>> http://www.nabble.com/Two-wan-interfaces-tf1933781.html#a5310863
>>>>>>>>>>
>>>>>>>>>> I have multiple WAN interfaces and am trying to route all traffic from
>>>>>>>>>> networks
>>>>>>>>>> 10.0.0.0/16 via WAN1
>>>>>>>>>> and 10.1.0.0/16 via WAN2
>>>>>>>>>> and 10.2.0.0/16 via WAN3 and so on
>>>>>>>>>>
>>>>>>>>>> I went ahead and added a new rule that gets compiled as follows
>>>>>>>>>>
>>>>>>>>>> $IPTABLES -N RULE_1 -t mangle
>>>>>>>>>> $IPTABLES -t mangle -A POSTROUTING -s 10.1.0.0/16 -j RULE_1
>>>>>>>>>> $IPTABLES -t mangle -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ROUTE "
>>>>>>>>>> $IPTABLES -t mangle -A RULE_1 -j ROUTE --oif eth3 --continue
>>>>>>>>>>
>>>>>>>>>> Default route on fw machine is via WAN1 which is eth2
>>>>>>>>>> In spite of the firewall rules, traffic from 10.1.0.0/16 still gets routed
>>>>>>>>>> via eth2
>>>>>>>>>> Can you please help me..
>>>>>>>>>> do I need to add any other rules?
>>>>>>>>>
>>>>>>>>> do these rules apply without errors on your firewall ? Do you see any
>>>>>>>>> packets in the log (one of these rules logs packets when they match) ?
>>>>>>>>>
>>>>>>>>> --vk
>>>>>>>>>
>>>>>>>>> -------------------------------------------------------------------------
>>>>>>>>> This SF.net email is sponsored by DB2 Express
>>>>>>>>> Download DB2 Express C - the FREE version of DB2 express and take
>>>>>>>>> control of your XML. No limits. Just data. Click to get it now.
>>>>>>>>> http://sourceforge.net/powerbar/db2/
>>>>>>>>> _______________________________________________
>>>>>>>>> Fwbuilder-discussion mailing list
>>>>>>>>> Fwb...@li...
>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion
>>>>>>>>
>>>>>>>> --
>>>>>>>> View this message in context: http://www.nabble.com/-j-ROUTE---OIF-option-tf4106785.html#a11679001
>>>>>>>> Sent from the fwbuilder-discussion mailing list archive at Nabble.com.
>>>>>>
>>>>>> --
>>>>>> View this message in context: http://www.nabble.com/-j-ROUTE---OIF-option-tf4106785.html#a11679237
>>>>>> Sent from the fwbuilder-discussion mailing list archive at Nabble.com.
>>>>
>>>> --
>>>> View this message in context: http://www.nabble.com/-j-ROUTE---OIF-option-tf4106785.html#a11688210
>>>> Sent from the fwbuilder-discussion mailing list archive at Nabble.com.
>>
>> --
>> View this message in context: http://www.nabble.com/-j-ROUTE---OIF-option-tf4106785.html#a11690510
>> Sent from the fwbuilder-discussion mailing list archive at Nabble.com.

--
View this message in context: http://www.nabble.com/-j-ROUTE---OIF-option-tf4106785.html#a11699229
Sent from the fwbuilder-discussion mailing list archive at Nabble.com.
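
The failure mode this thread ends on (the iptables userspace knows the ROUTE target, the running kernel does not, and the rule is rejected with "No chain/target/match by that name"), as an added diagnostic sketch that is not part of the original posts. The function names, verdict strings and directory arguments are assumptions; libipt_/libxt_ and ipt_/xt_ are the usual netfilter file-name prefixes for userspace extensions and kernel modules.

```shell
#!/bin/sh
# Added example (not from the thread): classify why `iptables -j TARGET` is
# rejected. Every path is an argument so the check also runs on a test tree.

# True if the running kernel has already registered TARGET.
target_in_kernel() {    # TARGET PROC_FILE
    grep -qxF -- "$1" "$2" 2>/dev/null
}

# True if a file matching one of the two name patterns exists under DIR.
have_file() {           # DIR PATTERN1 PATTERN2
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" \( -name "$2" -o -name "$3" \) -print 2>/dev/null | head -n 1)" ]
}

# Prints one verdict: ok | userspace-missing | module-not-loaded | kernel-missing
diagnose_target() {     # TARGET LIB_DIR [PROC_FILE] [MODULE_DIR]
    dt_proc=${3:-/proc/net/ip_tables_targets}
    dt_mods=${4:-/lib/modules/$(uname -r)}
    if ! have_file "$2" "libipt_$1.so" "libxt_$1.so"; then
        echo userspace-missing    # iptables has no extension for TARGET
    elif target_in_kernel "$1" "$dt_proc"; then
        echo ok                   # kernel side is registered
    elif have_file "$dt_mods" "ipt_$1.ko*" "xt_$1.ko*"; then
        echo module-not-loaded    # module file exists but is not registered
    else
        echo kernel-missing       # the thread's case: kernel lacks the target
    fi
}

# Stand-alone use (script name and library directory are assumptions; the
# directory varies by distribution): sh check_target.sh ROUTE /lib/iptables
if [ "$#" -ge 2 ]; then
    diagnose_target "$@"
fi
```

Run it as root on the firewall itself, because /proc/net/ip_tables_targets may not be readable by other users and an unreadable file is treated as "not registered".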