You may be; but I think the fault lies more with the kernel than with you.

Thinking about this a little more, I seem to recall somebody (I am not enough
of a programmer to verify this for myself) saying that the kernel networking
code had not been sufficiently compartmentalized/abstracted such that an aliased
interface +really+ got a life of its own independent from the "main" interface
on the same physical device, and that is why the firewalling/masq/NAT code
doesn't always work as you'd expect when dealing with aliased interfaces.

I last tried to fool with this over two years ago, though, under kernel 
version 2.0.something, using ipfwadm instead of ipchains, and one would hope
that things had improved in this area since then, particularly given the
popularity of Linux as a web server.

If I were one of the people doing firewalling code for Linux, this would be
a hot item for me to fix.  That's why I have hope that the next successor to
ipchains will address this issue.  Lots of things are being heavily rewritten
in 2.4, and with any luck this is one of them.

I assume this is the case but just to be sure -- have you double-checked your
forwarding rules to be sure that they mention the aliased interface properly?


On Wed, Sep 20, 2000 at 09:59:45AM -0700, Rob Tanner wrote:
> Michael,
> 
> Thanks for your response.  It turns out part of the problem was a 
> cockpit error on my part, otherwise known as an error in the packet 
> filter.  Rather than debugging it at the moment, I basically stripped 
> everything out not related to the forward/masq/NAT function.
> 
> The result is that IP aliasing is now working, but forwarding is not. 
> I can, for example, telnet to the box from the outside using the second 
> IP address.  Forwarding, however, to the aliased interface is still 
> hosed.
> 
> I wonder if I'm trying to do something that the kernel is plain not 
> designed to do?
> 
> -- Rob
> 
> --On 09/20/00 11:15:24 AM -0500 "Michael R. Jinks" 
> <[EMAIL PROTECTED]> wrote:
> 
> > can't help too much with the main issue; i've always thought that you
> > _should_ be able to forward/masq/NAT an aliased interface, and it
> > kind of cuts down on the utility of the whole thing if you can't.
> > but i haven't tried to do it myself in a while (since before ipchains
> > was available actually) so my experience is probably irrelevant.  you
> > might want to look into the firewalling code being developed for the
> > 2.4.x series of kernels, it is reportedly a complete rewrite (again)
> > and they may have this problem solved.
> >
> > as an aside, though, i can tell you that for some reason ip aliasing
> > has never been written as a module, it's either available in the
> > kernel (apparently the one you have has it turned on) or it's not.
> > you can get a nice tour of the linux kernel, even if you don't plan
> > on installing a custom one yourself, by installing the source code
> > for the kernel version you're running, cd'ing to the base directory,
> > and typing "make xconfig".
> >
> > hth,
> > -m
> >
> > On Tue, Sep 19, 2000 at 11:01:21PM -0700, Rob Tanner wrote:
> >> Hi all,
> >>
> >> I have Redhat 6.2 installed along with VMWare 2 with NT4 installed
> >> in the VMWare virtual machine.  I'm doing some development work on
> >> that other platform, and I need to be able to access its services
> >> from the net.  I wrote an /sbin/ipchains packet filter including
> >> forwarding and masquerading the VMWare net (vmnet1).
> >>
> >> Here's the problem: simply forwarding and masquerading to the
> >> external interface means all outbound traffic goes out as my main
> >> address.  There is no way (that I know of) to initiate a TCP session
> >> from the outside since masquerading works just like NAT.
> >>
> >> I haven't yet discovered in Redhat specific IP aliasing
> >> documentation and I don't have an ip_alias.o kernel module (nor
> >> have I found source code).  But, ifconfig eth0:0 <ipaddress> works
> >> and creates an alias I can ping externally, so I presume that IP
> >> aliasing is compiled into the kernel by default.
> >>
> >> Since forwarding/masquerading from vmnet1 to eth0 works just as
> >> advertised, why can't I likewise forward/masquerade to eth0:0?
> >>
> >> Thanks,
> >> Rob
> >>
> >>
> >>        _ _ _ _           _    _ _ _ _ _
> >>       /\_\_\_\_\        /\_\ /\_\_\_\_\_\
> >>      /\/_/_/_/_/       /\/_/ \/_/_/_/_/_/  QUIDQUID LATINE DICTUM SIT,
> >>     /\/_/__\/_/ __    /\/_/    /\/_/          PROFUNDUM VIDITUR
> >>    /\/_/_/_/_/ /\_\  /\/_/    /\/_/
> >>   /\/_/ \/_/  /\/_/_/\/_/    /\/_/         (Whatever is said in Latin
> >>   \/_/  \/_/  \/_/_/_/_/     \/_/              appears profound)
> >>
> >>   Rob Tanner
> >>   McMinnville, Oregon
> >>   [EMAIL PROTECTED]
> >>
> >>
> >>
> >> _______________________________________________
> >> Redhat-list mailing list
> >> [EMAIL PROTECTED]
> >> https://listman.redhat.com/mailman/listinfo/redhat-list
> >
> > --
> > Michael Jinks, IB
> > Systems Administrator, CCCP
> > finger [EMAIL PROTECTED] for public key
> > Vote Duke! http://www.entertaindom.com/pages/duke2000/home.jsp
> >
> 



