[plug] Prevent Gateway from redirecting

Timothy White weirdit at gmail.com
Fri Dec 29 14:51:53 WST 2006


I'm running a Linux gateway with squid, and some other fun stuff on
it. I noticed today when I was trying to add a special iptables
redirect rule, that packets didn't seem to be going through the
gateway. After investigation, I discovered that some addresses are
sent via the gateway, others directly to the modem (seeing as the
modem is on the same subnet).
The reason is an ICMP Redirect being sent, because obviously it's
shorter for packets to go directly out the ADSL modem than via the
gateway! Problem is, I want to be able to force most traffic through
the Linux box!

Pinging a host soon shows the following:
Redirect Host(New nexthop: router.white.lan (192.168.0.10))

The Linux box is 192.168.0.1 and the gateway is obviously
192.168.0.10. The reason for them being on the same subnet is so I
can easily log in to the modem without having to change the subnet of
my computers to match it.
I wish for all web traffic (port 80) to go through the gateway,
because I have a transparent proxy on it. It all works, until the
gateway realises that for a particular host it's quicker to send
things via 192.168.0.10.
I get a feeling that the iptables rule for transproxy means that
normal web traffic never gets told to go via 192.168.0.10:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT \
    --to-port 8080

But today I was trying to get a certain port on the server (446) to be
redirected to 443 on the server, which is running stunnel:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 446 -j REDIRECT \
    --to-port 443
I have a single application here that is not SSL-enabled, and it
appeared this was the easiest way to make it work. It only ever has to
connect to one host, but I need to be able to connect to that host
normally as well. I /can/ put a hosts entry in that will send all
traffic to the gateway for that single host, but then my other
applications (namely those that are SSL-aware) can't access that host,
as it now tries to access it via STUNNEL and starts getting stuffed
up. After adding appropriate iptables rules that should have worked,
and finding that it still didn't work, even with LOG rules, I discovered
that for that host it was skipping the gateway. I don't really want to
have iptables rules on my client computers, and don't want to move the
modem to another subnet.
Surely there is a way to prevent Linux from sending ICMP Redirects for
certain hosts? And also a way to clear those redirects from my local
routing table?

Thanks

Tim
-- 
Linux Counter user #273956
Don't email joeblogs at scouts.org.au
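The two things asked for at the end of the post (stop the gateway sending ICMP redirects, and clear redirects a client has already learned) are both kernel routing settings rather than iptables rules. The script below is an added example, not from the original post or the PLUG list: it generates the relevant sysctl keys for the gateway role (stop sending redirects on the LAN interface) and for the client role (stop accepting them, which is also a standard hardening item because a forged redirect can steer a host's traffic through a next hop of someone else's choosing), and audits `sysctl -a` style output against them. The interface name eth0 and the 192.168.0.x addresses follow the post; the function names and the sample values in the test are constructed for this example. Clearing already-learned redirects uses `ip route flush cache`; that command and `ip route get` are standard iproute2.

```shell
#!/bin/sh
# Hypothetical helper for the setup in the post: a Linux gateway (192.168.0.1)
# that must not redirect LAN hosts straight at the modem (192.168.0.10).
# Function names are constructed for this example; sysctl keys are the kernel's.

GATEWAY_IFACE="${GATEWAY_IFACE:-eth0}"   # LAN-facing interface, as in the post

# Print the desired key=value lines for a role ("gateway" or "client").
# gateway: never tell LAN hosts about a shorter path (the problem in the post).
# client : ignore redirects entirely, so a spoofed one cannot re-route traffic.
desired_sysctl() {
    case "$1" in
        gateway)
            printf '%s\n' \
                "net.ipv4.conf.all.send_redirects=0" \
                "net.ipv4.conf.default.send_redirects=0" \
                "net.ipv4.conf.${GATEWAY_IFACE}.send_redirects=0"
            ;;
        client)
            printf '%s\n' \
                "net.ipv4.conf.all.accept_redirects=0" \
                "net.ipv4.conf.default.accept_redirects=0" \
                "net.ipv4.conf.all.secure_redirects=0"
            ;;
        *) return 1 ;;
    esac
}

# Audit: read "key = value" lines (the format `sysctl -a` prints) on stdin and
# print every desired key whose current value differs. Returns 0 when clean.
audit_sysctl() {
    role="$1"
    current="$(cat)"
    rc=0
    for want in $(desired_sysctl "$role"); do
        key="${want%%=*}"
        val="${want#*=}"
        esc="$(printf '%s' "$key" | sed 's/\./\\./g')"   # dots are literal, not regex
        have="$(printf '%s\n' "$current" \
            | sed -n "s/^${esc}[[:space:]]*=[[:space:]]*//p" | head -n 1)"
        if [ "$have" != "$val" ]; then
            printf '%s current=%s wanted=%s\n' "$key" "${have:-unset}" "$val"
            rc=1
        fi
    done
    return $rc
}

# Apply the desired settings immediately (root required; put the same lines in
# /etc/sysctl.conf to make them survive a reboot).
apply_sysctl() {
    desired_sysctl "$1" | while IFS= read -r kv; do sysctl -w "$kv"; done
}

# Drop redirects the kernel has already learned, so traffic goes back to the
# configured default route instead of the "new nexthop" from the ICMP message.
flush_learned_redirects() {
    ip route flush cache
}

# Show which next hop a destination currently uses, e.g. to confirm the flush.
show_route() {
    ip route get "$1"
}

# Usage (as root): sh this.sh apply gateway | sh this.sh audit client | sh this.sh flush
case "${1:-}" in
    apply) apply_sysctl "$2" ;;
    audit) sysctl -a 2>/dev/null | audit_sysctl "$2" ;;
    flush) flush_learned_redirects ;;
esac
```

Run `audit gateway` on the Linux box and `audit client` on each workstation; once `apply` has been done on the gateway, a `flush` on a client removes the stale redirect so `show_route` reports the gateway again rather than the modem.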
