[plug] Prevent Gateway from redirecting

Adrian Chadd adrian at creative.net.au
Fri Dec 29 15:03:08 WST 2006


Just disable ICMP redirects:
adrian at skywalker:~$ find /proc/sys | grep send_redir
/proc/sys/net/ipv4/conf/eth0/send_redirects
/proc/sys/net/ipv4/conf/lo/send_redirects
/proc/sys/net/ipv4/conf/default/send_redirects
/proc/sys/net/ipv4/conf/all/send_redirects

Set them to 0.



Adrian


On Fri, Dec 29, 2006, Timothy White wrote:
> I'm running a Linux gateway with squid, and some other fun stuff on
> it. I noticed today when I was trying to add a special iptables
> redirect rule, that packets didn't seem to be going through the
> gateway. After investigation, I discovered that some addresses are
> sent via the gateway, others directly to the modem (seeing as the
> modem is on the same subnet).
> The reason is an ICMP Redirect being sent, because obviously it's
> shorter for packets to go directly out the ADSL modem than via the
> gateway! Problem is, I want to be able to force most traffic through
> the linux box!
> 
> Pinging a host soon shows the following
> Redirect Host(New nexthop: router.white.lan (192.168.0.10))
> 
> The linux box is 192.168.0.1 and the gateway is obviously
> 192.168.0.10. The reason for them being on the same subnet, is so I
> can easily login to the modem without having to change the subnet of
> my computers to match it.
> I wish for all web traffic (port 80) to go through the gateway,
> because I have a transparent proxy on it. It all works, until the
> gateway realises that for a particular host it's quicker to send
> things via 192.168.0.10
> I get a feeling that the iptables rule for transproxy means that
> normal web traffic never gets told to go via 192.168.0.10
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT \
>     --to-port 8080
> 
> But today I was trying to get a certain port on the server (446) to be
> redirected to 443 on the server, which is running stunnel.
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 446 -j REDIRECT \
>     --to-port 443
> I have a single application here that is non SSL enabled, and it
> appeared this was the easiest way to make it work. It only ever has to
> connect to one host, but I need to be able to connect to that host
> normally as well. I /can/ put a hosts entry in that will send all
> traffic to the gateway for that single host, but then my other
> applications (namely those that are SSL aware) can't access that host,
> as it now tries to access it via STUNNEL and starts getting stuffed
> up. After adding appropriate iptables rules that should have worked,
> and it still not working, even with LOG rules, I discovered that for
> that host, it was skipping the gateway. I don't really want to have
> iptables rules on my client computers, and don't want to move the
> modem to another subnet.
> Surely there is a way to prevent Linux from sending ICMP Redirects for
> certain hosts? And also a way to clear those redirects from my local
> routing table?
> 
> Thanks
> 
> Tim
> -- 
> Linux Counter user #273956
> Don't email joeblogs at scouts.org.au
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://www.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.linux.org.au

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -
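The procedure Adrian describes above (write 0 into every send_redirects file under /proc/sys/net/ipv4/conf), as an added example that is not part of the original thread. The kernel enables redirect generation on an interface if either conf/all or conf/<iface> is set, so every file has to be cleared, not just "all". The functions take an optional root directory so the same logic can be exercised against a constructed copy of the /proc tree without root; the sysctl.d fragment and the --apply flag are this example's own choices, not anything the list posts mention.

```shell
#!/bin/sh
# Added example, not code from the original thread: stop a Linux gateway
# from sending ICMP redirects, then verify and persist the setting.
#
# Every function takes an optional root directory (default "/") so the
# logic can run against a constructed /proc copy (see the audit below).

# Print the send_redirects files under the given root, sorted.
list_send_redirects() {
    root="${1:-/}"
    find "${root%/}/proc/sys/net/ipv4/conf" -name send_redirects 2>/dev/null | sort
}

# Write 0 into every send_redirects file (all, default and each interface).
# Clearing only conf/all is not enough: the kernel ORs conf/all with the
# per-interface value, so eth0=1 would keep redirects on.
disable_send_redirects() {
    root="${1:-/}"
    for f in $(list_send_redirects "$root"); do
        echo 0 > "$f"
    done
}

# Return 0 if no send_redirects file is still 1, otherwise print the
# offending files and return 1 (usable from a cron or config-audit job).
audit_send_redirects() {
    root="${1:-/}"
    bad=0
    for f in $(list_send_redirects "$root"); do
        if [ "$(cat "$f")" != "0" ]; then
            echo "still enabled: $f"
            bad=1
        fi
    done
    return $bad
}

# Emit a sysctl.d fragment so the change survives a reboot; values written
# through /proc/sys are lost otherwise. "all" covers existing interfaces,
# "default" covers interfaces created later. (Fragment is this example's
# choice; the original thread only sets the /proc files by hand.)
sysctl_fragment() {
    cat <<'EOF'
# Do not tell LAN hosts to bypass this gateway for "shorter" paths.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF
}

# Only touch the live system when explicitly asked (needs root).
if [ "${1:-}" = "--apply" ]; then
    disable_send_redirects /
    sysctl_fragment > /etc/sysctl.d/90-no-icmp-redirects.conf
    audit_send_redirects /
fi
```

Run it as `sh no-redirects.sh --apply` on the gateway (192.168.0.1 in the thread). Clients that already learned a redirect keep the shortcut until it expires or is flushed: on the client, `ip route show cache` lists the learned next hop and `ip route flush cache` drops it (on kernels since 3.6 these live as route exceptions rather than a route cache, but the same commands apply). Setting `net.ipv4.conf.all.accept_redirects=0` on the clients closes the other half, since any host on the LAN could otherwise steer their traffic with a forged redirect.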
