Hi folks. I am trying to set up a regression test against a firewall box, using only one machine. I have a setup like this:
    +--------+                  +--------+
    |A       |                  |       B|
    |    eth0+------------------+eth2    |
    |        |                  |        |
    |    eth1+------------------+eth3    |
    |        |                  |        |
    +--------+                  +--------+

Where A's configured like this:

    Linux 2.4.12
    eth0  192.168.1.1/24
    eth1  10.1.1.1/24

And B is configured like this:

    Firewall box by $FIRM
    eth2  192.168.1.2/24
    eth3  10.1.1.2/24

B is also acting as a router from 10.1.1.0/24 to 192.168.1.0/24 and back.

Now for the question: how can I tell A that for all packets from 192.168.1.1 to 10.1.1.1, it needs to use 192.168.1.2 as a gateway? The best idea I've had so far is this:

    ip route add 192.168.1.1 via 192.168.1.2 dev eth0 src 10.1.1.1

I'm sure my TCP client is binding to 192.168.1.1, but when I try to connect I get nothing on the wire (the connection does go through, though). I'm guessing the kernel is taking a shortcut and bypassing ethernet when it sees that the destination IP is its own. How can I force the kernel to route this traffic out over its ethernet interfaces?

I've also set up B to do port forwarding (say, 192.168.1.2:25 -> 10.1.1.1:25), and tried opening a TCP connection from 192.168.1.1 to 192.168.1.2:25. I can see SYN packets going out to B on eth0, and coming back on eth1, but nothing ever goes back out eth1 and the connection is never opened; eventually A times out opening. This fits in with my theory, since B rewrites TCP sequence numbers.

Obviously, having B port forward both directions would solve the problem, but then I'm limiting what cases my regression test can cover.

I can't find anything relevant in the list archives or in general on Google, but I don't really know what keywords to search on -- is there a specific term or phrase for this sort of thing?

Thanks

--
Neale Pickett
Senior Software Engineer, WatchGuard Technologies