Re: ethertap/dummy (for mol) in 2.4.x -- working! I think..


Subject: Re: ethertap/dummy (for mol) in 2.4.x -- working! I think..
From: R Shapiro (rshapiro@bbn.com)
Date: Thu Feb 22 2001 - 12:30:27 MST


phl@leledy.org writes:
> > iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
> >
>
> I'd try
>
> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
> as eth0 is not used but dummy0.

This was not the problem. In fact eth0 *is* where the masquerading
happens, so the original masquerading rule was ok. The problem on my
system turned out to be in forwarding, not masquerading.

The FORWARD policy on my host is set to DROP. I'd already tried
adding an explicit rule to enable this particular forwarding:

 iptables -A FORWARD -s 192.168.1.0/24 -i tap0 -o eth0 -j ACCEPT

But that didn't seem to help, so I gave up.

What finally occurred to me just this morning is that I need to
explicitly enable forwarding in *both* directions. Otherwise the
masqueraded packets go out and the responses get back to eth0; but
since they're not successfully forwarded to tap0, MacOS never sees
them. So I added:

 iptables -A FORWARD -d 192.168.1.0/24 -i eth0 -o tap0 -j ACCEPT

And it works! Compare to ipchains, in which a single rule handles
masquerading and both directions of forwarding.

I haven't tried this yet with a dummy driver or a tuntap driver. The
ethertap driver still works ok in 2.4, even though it's officially
tagged as "obsolete", but it won't be enabled in typical prebuilt
kernels.

I haven't completely convinced myself that I'm not leaking junk
packets from 192.168.1.0/24 onto eth0. Thus the caveat in the Subject
line. I don't think that's happening, but the evidence from tcpdump
is a little puzzling. A subject for another message...

In sum:

  # Use any legitimate lan address you want.
  MOLNET=192.168.1.0/24

  MOLDEV=tap0

  # Allow all traffic on the mol network.
  # You don't need these if the INPUT and OUTPUT policies are ACCEPT.
  iptables -A OUTPUT -o $MOLDEV -s $MOLNET -j ACCEPT
  iptables -A INPUT -i $MOLDEV -d $MOLNET -j ACCEPT
  
  # Enable forwarded traffic between tap0 and eth0.
  # You may not need these if the FORWARD policy is ACCEPT.
  iptables -A FORWARD -s $MOLNET -i $MOLDEV -o eth0 -j ACCEPT
  iptables -A FORWARD -d $MOLNET -i eth0 -o $MOLDEV -j ACCEPT
  
  # Masquerade all molnet traffic,
  iptables -t nat -A POSTROUTING -s $MOLNET -o eth0 -j MASQUERADE
  # or
  # iptables -t nat -A POSTROUTING -s $MOLNET -o eth0 -j SNAT --to $IPADDR
  # where IPADDR is the linux eth0 address

If the INPUT and OUTPUT policies are ACCEPT, you don't need the first
pair of rules. If the FORWARD policy is ACCEPT, you may not need the
second pair of rules. But if you're on an ethernet and you're not
already behind a firewall, you really should set all the policies to
DROP.

-- 
rshapiro@bbn.com
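The ruleset from the message, as an added example that is not part of the original post: it sets all three policies to DROP, narrows the eth0 -> tap0 return rule to replies of connections the guest opened (the post's rule accepts anything destined for the mol network), and adds the tcpdump check for the leak the author was unsure about. EXTDEV, DRY_RUN and the helper function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original post: the message's ruleset with
# default-deny policies, the return path restricted to replies, and a
# tcpdump check for unmasqueraded guest packets appearing on eth0.
# EXTDEV, DRY_RUN and the helper names are this example's own choices.
MOLNET=${MOLNET:-192.168.1.0/24}   # mol guest network (not the eth0 LAN)
MOLDEV=${MOLDEV:-tap0}
EXTDEV=${EXTDEV:-eth0}
DRY_RUN=${DRY_RUN:-0}              # 1: print the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

mol_rules() {
    # Forwarding must be on in the kernel before any FORWARD rule matters.
    run sysctl -w net.ipv4.ip_forward=1
    # Default-deny; everything below opens only what mol needs.
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP
    # Host <-> guest traffic on the tap device.
    run iptables -A OUTPUT -o "$MOLDEV" -s "$MOLNET" -j ACCEPT
    run iptables -A INPUT -i "$MOLDEV" -d "$MOLNET" -j ACCEPT
    # Guest -> outside: new connections may leave.
    run iptables -A FORWARD -i "$MOLDEV" -o "$EXTDEV" -s "$MOLNET" -j ACCEPT
    # Outside -> guest: only replies to connections the guest opened,
    # instead of the post's unconditional ACCEPT for -d $MOLNET.
    run iptables -A FORWARD -i "$EXTDEV" -o "$MOLDEV" -d "$MOLNET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rewrite the guest's private source address to the eth0 address.
    run iptables -t nat -A POSTROUTING -s "$MOLNET" -o "$EXTDEV" -j MASQUERADE
}

leak_check() {
    # Once masquerading works, no packet with a guest source address should
    # appear on eth0; any hit here is a leaked, unrewritten packet.
    run tcpdump -n -i "$EXTDEV" src net "$MOLNET"
}

case "${1:-print}" in
    apply) mol_rules ;;                        # run as root
    check) leak_check ;;                       # run as root while the guest is active
    print) DRY_RUN=1; mol_rules; leak_check ;;
    *) echo "usage: $0 print|apply|check" >&2; exit 1 ;;
esac
```

Run with `print` first to review the exact commands, then `apply` as root and `check` while the guest is generating traffic.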



This archive was generated by hypermail 2a24 : Thu Feb 22 2001 - 12:30:35 MST