Transparent troubles using GRE / iproute2 / fwmark for linux

From: David Nillesen <dave@dont-contact.us>
Date: Fri, 12 Nov 1999 16:09:24 +1100

    We have recently changed our network setup to allow for virtual tunnels
etc., and I also installed a Linux router to take the load off our Cisco.

    Currently we have the Linux router, a proxy box, a Cisco gateway
(this holds up our frame relay and gives us external access) and a
Starguide satellite feed all on one switch. These machines are on a separate
subnet that we do all our routing on.

    The Linux router has 2 Ethernet cards, one of which is on the network
above and the other on our internal network with all our hosts and
dialup machines etc. (some other subnet).

    The Linux router also has a tunnel interface on it that ends up in a
remote POP and gets there via means of 10.0.0.0 addresses. The tunnel is
so we can hide the 10.0.0.0 addresses and also allow us to filter out HTTP
traffic for proxying.
    The tunnel is a GRE/IP tunnel (so the Cisco (another one) at the far
end can use fast switching) with a fixed TTL of 64 so that traceroute works
properly.

I have set the Linux router to divert HTTP traffic via fwmark and iproute2.
It has ipchains rules like:

ipchains -A input -j ACCEPT -m 1 -d 0.0.0.0/0 80 -p TCP -i TUNNEL
ipchains -A input -j ACCEPT -m 1 -d 0.0.0.0/0 80 -p TCP -i eth1

eth1 is the card on the internal network.

Then I have 2 routing tables.
The normal one knows where all our subnets are and has a default route of the
Cisco gateway (table 0).
The second table has a default gateway of the proxy box (table 1).

I have an ip rule set to forward anything that has been fwmarked with "1"
to go through table 1.
The proxy box has a default gateway of the Cisco gateway, plus static routes
set for our internal network.

This works perfectly for anyone on the internal network. You can't see the
proxy box unless you know it's there. It gets no traffic unless it's
destined to a web host. It picks up our traffic transparently and is
lightning fast. It also saves a hop if you are not using the HTTP protocol,
for that extra 2-3 millisecond gain. :)

However, if you are accessing it via the tunnel from our remote POP it
fails to work. It will connect to the Squid box, the request is getting
redirected there (I ran sniffit to make sure), but it just sits there and
does nothing. This is for transparent only. You will see "connecting to
www.altavista.com" ... "transferring data" and then it just sits there.

If you explicitly specify a proxy server via the preferences section it
works happily again.

For the time being I have disabled transparent proxying to that section of
our network.

I have been pulling my hair out all afternoon. I just cannot see any
difference about the tunnel. Everything traceroutes perfectly, pings are
fast and clean. No dropped packets on any interfaces. I specified "always
defragment" both on the proxy box and on the Linux router that holds the
tunneled connection. I have turned off the rp_filter option on both hosts;
I just cannot see what the problem could be.

Any suggestions would be _really_ appreciated.

Thanks
David Nillesen
Received on Thu Nov 11 1999 - 22:23:42 MST
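The setup the post describes (a GRE tunnel with a fixed TTL, fwmark on port-80 TCP from the tunnel and the LAN, and a second routing table whose only route is a default via the proxy box), collected into one script as an added example. This is not the poster's configuration: the addresses, the interface names, and the DRY_RUN/RUN_SETUP switches are assumptions, the ipchains lines are kept in the syntax the post uses (2.2-era kernels only), and the ip commands are standard iproute2. With DRY_RUN=1 the script prints each command instead of executing it, so the rule and table ordering can be reviewed without root; show_state lists the things worth comparing between the tunnel path and the LAN path when a transparent redirect connects but then stalls.

```shell
#!/bin/sh
# Added example, not from the original post. All addresses and interface
# names are constructed placeholders (TEST-NET / RFC 1918 ranges).
# DRY_RUN=1 prints commands instead of running them (the real ones need root).

PROXY_GW="${PROXY_GW:-192.0.2.10}"          # proxy box: default gateway of table 1
TUNNEL_LOCAL="${TUNNEL_LOCAL:-192.0.2.1}"   # tunnel endpoint on the Linux router
TUNNEL_REMOTE="${TUNNEL_REMOTE:-10.0.0.1}"  # far-end Cisco, reached over 10.0.0.0 addresses
INTERNAL_IF="${INTERNAL_IF:-eth1}"          # card on the internal network
TUNNEL_IF="${TUNNEL_IF:-TUNNEL}"            # GRE tunnel interface name
MARK=1                                      # fwmark value used in the post
TABLE=1                                     # routing table that points at the proxy

# Execute the command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# GRE/IP tunnel with a fixed TTL of 64, as in the post, so traceroute
# across the tunnel reports sane hop counts.
setup_tunnel() {
    run ip tunnel add "$TUNNEL_IF" mode gre \
        local "$TUNNEL_LOCAL" remote "$TUNNEL_REMOTE" ttl 64
    run ip link set "$TUNNEL_IF" up
}

# Mark TCP port-80 packets arriving from the tunnel and from the LAN
# (ipchains syntax exactly as posted; "-m 1" sets fwmark 1).
mark_http() {
    for ifc in "$TUNNEL_IF" "$INTERNAL_IF"; do
        run ipchains -A input -j ACCEPT -m "$MARK" -d 0.0.0.0/0 80 -p TCP -i "$ifc"
    done
}

# Marked packets consult table 1, whose only route is a default via the proxy.
# Unmarked traffic never sees this table, so the proxy stays invisible to it.
setup_policy_routing() {
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$PROXY_GW" table "$TABLE"
    run ip route flush cache
}

# The post turns rp_filter off on both hosts: the reply path (proxy -> Cisco)
# differs from the request path, and reverse-path filtering drops packets
# whose source would not be routed back out the interface they came in on.
disable_rp_filter() {
    for ifc in "$TUNNEL_IF" "$INTERNAL_IF"; do
        run sysctl -w "net.ipv4.conf.$ifc.rp_filter=0"
    done
}

# Diagnostics for "connects, then stalls" on the tunnel path only: confirm the
# rule and table are installed, then read the tunnel MTU off the link line.
# GRE adds header bytes, so the tunnel MTU must be smaller than the physical
# interface MTU; full-size segments that fit the LAN may not fit the tunnel.
show_state() {
    run ip rule show
    run ip route show table "$TABLE"
    run ip link show "$TUNNEL_IF"
    run ip link show "$INTERNAL_IF"
}

setup_all() {
    setup_tunnel
    mark_http
    setup_policy_routing
    disable_rp_filter
}

# Usage: DRY_RUN=1 RUN_SETUP=1 sh fwmark-proxy.sh   (review the command list)
#        RUN_SETUP=1 sh fwmark-proxy.sh             (apply, as root)
if [ "${RUN_SETUP:-0}" = 1 ]; then
    setup_all
    show_state
fi
```

Running it with DRY_RUN=1 first and reading the emitted list top to bottom is the quickest way to confirm that the ip rule exists before the table route and that both ingress interfaces receive the marking rule; if the tunnel path alone misbehaves, the two `ip link show` lines in show_state put the tunnel MTU and the LAN MTU side by side for comparison.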
