[Ninux-Wireless] strange policy routing problem!

Gioacchino Mazzurco gmazzurco89 a gmail.com
Wed 22 Dec 2010 13:07:23 CET


hi everyone!

I have a problem with policy routing: one of the rules inexplicably stops
internet from working on the nodes :|

this is the rule table of the server that does the masquerading before
sending the packets out to the internet

coppermine ~ # ip rule show
0:      from all lookup local
32762:  from all to 10.0.1.0/24 lookup ninux
32763:  from all fwmark 0x5 lookup main
32764:  from 10.180.0.0/27 lookup main
32765:  from 10.180.0.0/15 lookup ninux  <-- THE RULE THAT KILLS INTERNET
32766:  from all lookup main
32767:  from all lookup default


MAIN TABLE

coppermine ~ # ip route show
10.10.10.0/30 dev eth0  proto kernel  scope link  src 10.10.10.2
10.180.0.0/27 dev eth0  proto kernel  scope link  src 10.180.0.1
10.0.1.0/24 dev ninux  proto kernel  scope link  src 10.0.1.120
10.180.0.0/15 via 10.180.0.2 dev eth0  src 10.180.0.1
127.0.0.0/8 dev lo  scope link
default via 10.10.10.1 dev eth0  src 10.10.10.2

NINUX TABLE

coppermine ~ # ip route sho table ninux
192.168.193.1 via 10.0.1.6 dev ninux  metric 2
192.168.69.1 via 10.0.1.3 dev ninux  metric 2
192.168.69.9 via 10.0.1.3 dev ninux  metric 2
172.16.177.1 via 10.0.1.3 dev ninux  metric 2
172.16.177.2 via 10.0.1.3 dev ninux  metric 2
192.168.69.22 via 10.0.1.3 dev ninux  metric 2
172.16.177.6 via 10.0.1.3 dev ninux  metric 2
172.16.177.7 via 10.0.1.3 dev ninux  metric 2
172.16.177.8 via 10.0.1.3 dev ninux  metric 2
172.16.177.9 via 10.0.1.3 dev ninux  metric 2
192.168.0.34 via 10.0.1.10 dev ninux  metric 2
192.168.3.2 via 10.0.1.10 dev ninux  metric 2
192.168.66.115 via 10.0.1.22 dev ninux  metric 2
172.16.185.1 via 10.0.1.22 dev ninux  metric 2
192.168.66.110 via 10.0.1.22 dev ninux  metric 2
172.16.184.2 via 10.0.1.22 dev ninux  metric 2
172.16.184.1 via 10.0.1.22 dev ninux  metric 2
10.162.0.6 via 10.0.1.6 dev ninux  metric 2
10.162.0.224 via 10.0.1.6 dev ninux  metric 2
192.168.86.1 via 10.0.1.22 dev ninux  metric 2
10.0.1.51 dev ninux  scope link  metric 2
192.168.86.60 via 10.0.1.22 dev ninux  metric 2
10.0.1.10 dev ninux  scope link  metric 2
10.0.1.6 dev ninux  scope link  metric 2
10.0.1.1 dev ninux  scope link  metric 2
10.0.1.3 dev ninux  scope link  metric 2
10.0.1.22 dev ninux  scope link  metric 2
10.0.1.101 dev ninux  scope link  metric 2
172.16.200.34 via 10.0.1.6 dev ninux  metric 2
172.16.200.33 via 10.0.1.6 dev ninux  metric 2
172.16.40.18 via 10.0.1.10 dev ninux  metric 2
192.168.3.214 via 10.0.1.10 dev ninux  metric 2
172.16.40.14 via 10.0.1.10 dev ninux  metric 2
172.16.40.5 via 10.0.1.10 dev ninux  metric 2
172.16.40.3 via 10.0.1.10 dev ninux  metric 2
192.168.5.48/28 via 10.0.1.10 dev ninux  metric 2
192.168.5.176/28 via 10.0.1.10 dev ninux  metric 2
192.168.193.0/24 via 10.0.1.6 dev ninux  metric 2
192.168.69.0/24 via 10.0.1.3 dev ninux  metric 2
192.168.86.0/24 via 10.0.1.22 dev ninux  metric 2
192.168.70.0/24 via 10.0.1.3 dev ninux  metric 2
192.168.3.0/24 via 10.0.1.10 dev ninux  metric 2
192.168.180.0/24 via 10.0.1.51 dev ninux  metric 2
192.168.0.0/24 via 10.0.1.10 dev ninux  metric 2
10.177.6.0/24 via 10.0.1.3 dev ninux  metric 2
10.177.9.0/24 via 10.0.1.3 dev ninux  metric 2
10.180.0.0/24 dev eth0  scope link
10.184.0.0/24 via 10.0.1.22 dev ninux  metric 2
10.162.0.0/24 via 10.0.1.6 dev ninux  metric 2
10.180.0.0/15 via 10.180.0.2 dev eth0  src 10.180.0.1
10.174.0.0/15 via 10.0.1.101 dev ninux  metric 2
default via 10.0.1.101 dev ninux
default via 10.0.1.3 dev ninux  metric 2

what happens when I enable the rule that kills everything, but which is
necessary, is this:
when someone from the 10.180.0.0/15 network (excluding 10.180.0.0/27, which
obviously keeps working) tries to reach the internet, their packets arrive
at coppermine, which masquerades and forwards them; the reply packets arrive
at coppermine, and vanish... I'm attaching a piece of tcpdump output and the
output of ip addr show

coppermine ~ # tcpdump -n -i eth0 port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:02:26.436066 IP 66.220.151.78.80 > 10.10.10.2.58804: P 1247830349:1247830373(24) ack 2131839083 win 15
13:02:26.436101 IP 66.220.151.78.80 > 10.180.0.9.58804: P 1247830349:1247830373(24) ack 2131839083 win 15
13:02:26.436203 IP 10.180.0.9.58804 > 66.220.151.78.80: . ack 24 win 152
13:02:26.436259 IP 10.10.10.2.58804 > 66.220.151.78.80: . ack 24 win 152
13:02:37.458571 IP 10.180.0.50.39356 > 92.122.212.17.80: S 600551577:600551577(0) win 64240 <mss 1460,sackOK,timestamp 2006263 0,nop,wscale 1>
13:02:49.445509 IP 10.180.0.50.39356 > 92.122.212.17.80: S 600551577:600551577(0) win 64240 <mss 1460,sackOK,timestamp 2007463 0,nop,wscale 1>

as you can see the packets arrive at 10.10.10.2 but they don't go out with
the new destination :|

coppermine ~ # ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:e0:7d:e8:ac:4a brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.2/30 brd 10.10.10.3 scope global eth0
    inet 10.180.0.1/27 brd 10.180.0.31 scope global eth0
    inet6 2001:470:c8f7::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:470:1f12:32d::120/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::2e0:7dff:fee8:ac4a/64 scope link
       valid_lft forever preferred_lft forever
3: tunl0: <NOARP> mtu 1480 qdisc noop state DOWN
    link/ipip 0.0.0.0 brd 0.0.0.0
4: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
    link/sit 0.0.0.0 brd 0.0.0.0
5: ip6tnl0: <NOARP> mtu 1460 qdisc noop state DOWN
    link/tunnel6 :: brd ::
6: he0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN
    link/sit 10.10.10.2 peer 216.66.84.42
    inet6 2001:470:1f12:32d::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::a0a:a02/128 scope link
       valid_lft forever preferred_lft forever
7: ninux: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1280 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 62:2b:2e:1c:35:37 brd ff:ff:ff:ff:ff:ff
    inet 10.0.1.120/24 brd 10.0.1.255 scope global ninux
    inet6 fe80::602b:2eff:fe1c:3537/64 scope link
       valid_lft forever preferred_lft forever

any hint?
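An added example, not part of the original post: a small Python model of the kernel's policy-routing lookup (rules walked by priority, longest-prefix match inside the chosen table, fall through when the table has no route), fed with the rules and the internet-relevant routes transcribed from the message above. It shows which table and next hop the SYN from 10.180.0.50 gets with rule 32765 present, with it removed, and with fwmark 0x5 set; the per-host mesh routes and the local table are left out as assumptions that do not affect these lookups.

```python
import ipaddress

# Rules constructed from the `ip rule show` output quoted above: (priority, selector, table).
RULES = [
    (0, {}, "local"),
    (32762, {"to": "10.0.1.0/24"}, "ninux"),
    (32763, {"fwmark": 0x5}, "main"),
    (32764, {"from": "10.180.0.0/27"}, "main"),
    (32765, {"from": "10.180.0.0/15"}, "ninux"),  # the rule the post says kills internet
    (32766, {}, "main"),
    (32767, {}, "default"),
]

# Routes constructed from the quoted main and ninux tables: (prefix, next hop, device).
# Only routes relevant to internet-bound and return traffic are kept; the ninux
# default without a metric beats the metric-2 one, so only it is listed.
TABLES = {
    "main": [("10.10.10.0/30", None, "eth0"), ("10.180.0.0/27", None, "eth0"),
             ("10.180.0.0/15", "10.180.0.2", "eth0"), ("0.0.0.0/0", "10.10.10.1", "eth0")],
    "ninux": [("10.180.0.0/15", "10.180.0.2", "eth0"), ("10.174.0.0/15", "10.0.1.101", "ninux"),
              ("0.0.0.0/0", "10.0.1.101", "ninux")],
}

def rule_matches(sel, src, dst, fwmark):
    """A rule matches when every selector it carries (from/to/fwmark) matches the packet."""
    return ((src in ipaddress.ip_network(sel["from"]) if "from" in sel else True)
            and (dst in ipaddress.ip_network(sel["to"]) if "to" in sel else True)
            and (fwmark == sel["fwmark"] if "fwmark" in sel else True))

def lookup_table(table, dst):
    """Longest-prefix match inside one table; None when the table has no route for dst."""
    hits = [(ipaddress.ip_network(p), via, dev) for p, via, dev in TABLES.get(table, [])
            if dst in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def route(src, dst, fwmark=0, rules=RULES):
    """Walk the rules in priority order; the first table holding a matching route decides,
    as the kernel's FIB rule lookup does. Returns (priority, table, next hop or None, device)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, sel, table in sorted(rules, key=lambda r: r[0]):
        if rule_matches(sel, src, dst, fwmark):
            hit = lookup_table(table, dst)
            if hit is not None:
                return prio, table, hit[1], hit[2]
    return None

if __name__ == "__main__":
    without = [r for r in RULES if r[0] != 32765]  # the rule set with rule 32765 dropped
    print("with rule 32765:", route("10.180.0.50", "92.122.212.17"))
    print("without it:     ", route("10.180.0.50", "92.122.212.17", rules=without))
```

With rule 32765 present the SYN from 10.180.0.50 is sent to the ninux table's default via 10.0.1.101 on the mesh interface instead of the main table's default via 10.10.10.1 on eth0, which matches the capture showing no translated copy leaving; the fwmark 0x5 rule ahead of it is the hook that can steer such traffic back to main.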