[plug] Prevent Gateway from redirecting

Timothy White weirdit at gmail.com
Fri Dec 29 15:52:27 WST 2006


On 12/29/06, Adrian Chadd <adrian at creative.net.au> wrote:
> On Fri, Dec 29, 2006, Cameron Patrick wrote:
> > Cameron Patrick wrote:
> >
> > > Adrian Chadd wrote:
> > >
> > > > Just disable ICMP redirects:
> > >
> > > He's asking about iptables -j REDIRECT, not ICMP redirect packets.
> >
> > Actually scratch that, re-reading the original message again I'm not
> > entirely sure I understand what Tim was on about at all...
>
> I know what he's saying:
>
> * his default gateway on his network is .1;
> * the linux has a default route of .10; which is on the same network as .1;
> * so when the linux box receives a packet that's destined for the greater world
>   and sees that the default gateway -it- would forward it to is on the same LAN
>   as the source device, Linux sends an ICMP redirect to the original host,
>   saying "from now on just send to .10!"
> * And this is breaking the transparent interception he's doing with -j REDIRECT.

Yes

>
> So, I just suggest putting all your network traffic through the linux box and
> disable redirects. In fact, I'd actually suggest putting the modem on a private
> VLAN or physical network interface and do shaping/whatnot on the linux box
> which is, in essence, acting as your gateway and firewall device. You can still
> continue doing NAT on either the modem/router or the Linux gateway, it wouldn't
> matter.

A number of things shouldn't go through the gateway though, and I
don't want to be changing routes for them. Namely, VoIP needs the
redirect so it can go straight via the modem (not just for lowest
latency, but also because of its physical connection: no point
jumping through 2 switches just to jump back!). And if someone in the
house starts playing games...

>
> Still - just disable ICMP redirects. I'm sure there's a way to do selective
> ICMP redirect responses based on iptables rules but it'll be more trouble than
> it's worth in the long run.

Any ideas on that? Once I finish recompiling my local kernel with
iptables support (left out due to the fact it never needed it, being
totally firewalled in with 2 other firewalls), I'll do the redirect
locally, if I can work out which table it now needs to go in!!

Thanks

Tim
-- 
Linux Counter user #273956
Don't email joeblogs at scouts.org.au
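Editor's added example, not code from anyone in this thread: a small POSIX shell script for the setup Adrian describes (Linux box at .10 doing -j REDIRECT interception on the same LAN as the real gateway at .1). It turns off ICMP redirect sending on the LAN-facing interface and places the REDIRECT rule where it has to live, the nat table's PREROUTING chain, which answers the "which table" question at the end of Tim's message. The interface name eth0, the proxy port 3128 and TCP/80 as the intercepted service are assumptions; the sysctl names and the OR semantics of conf/all versus conf/<if>/send_redirects are documented kernel behaviour. By default the script only prints the commands it would run (APPLY=1 executes them), so it can be reviewed on any host before being run as root on the gateway.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: LAN interface eth0,
# interception proxy on local port 3128, intercepted service is TCP/80.
# Without APPLY=1 the commands are printed rather than executed.

LAN_IF="${LAN_IF:-eth0}"
PROXY_PORT="${PROXY_PORT:-3128}"
APPLY="${APPLY:-0}"

# Execute the command when APPLY=1, otherwise print it on one line.
run() {
    if [ "$APPLY" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# The kernel sends redirects out of an interface if EITHER
# net.ipv4.conf.all.send_redirects OR net.ipv4.conf.<if>.send_redirects
# is 1, so both have to be 0 to actually stop them on the LAN side.
# Note: this is the only granularity the sysctl offers (per interface);
# hosts that relied on being redirected to .1 will now go via this box.
disable_icmp_redirects() {
    run sysctl -w net.ipv4.conf.all.send_redirects=0
    run sysctl -w "net.ipv4.conf.${LAN_IF}.send_redirects=0"
}

# REDIRECT is a nat-table target and acts on packets arriving from the LAN,
# so the interception rule belongs in nat/PREROUTING, matched on the LAN
# interface only so the box's own outbound traffic is not looped back.
add_interception_rule() {
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
}

# Defender's check: show the live values so a change can be confirmed.
# Tolerates hosts where the proc entries do not exist (e.g. a review box).
show_redirect_state() {
    for f in /proc/sys/net/ipv4/conf/all/send_redirects \
             "/proc/sys/net/ipv4/conf/${LAN_IF}/send_redirects"; do
        if [ -r "$f" ]; then
            printf '%s = %s\n' "$f" "$(cat "$f")"
        else
            printf '%s = (not present on this host)\n' "$f"
        fi
    done
}

configure_gateway() {
    disable_icmp_redirects
    add_interception_rule
}

# Stand-alone use: print (or with APPLY=1, apply) the configuration.
configure_gateway
```

Usage: `sh gateway.sh` to preview, `APPLY=1 sh gateway.sh` as root on the gateway, then `show_redirect_state` (or `sysctl net.ipv4.conf.eth0.send_redirects`) to confirm the change took.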


