Accepting redirects?

I have a situation where my internet firewall and my vpn server have
different IPs.

I'd like to have all my clients configured via DHCP, so I'm setting the
firewall as the default route, then trying to use ICMP redirect to tell
the client the IP of the VPN gateway.

This works fine for pings, but not for tcp.....

ISTR there was a setting somewhere for accept redirects (/proc/*?) but I
can't find it...

thus:

[yan@poseidon yan]$ ping mail.llc.lan

PING pythia.llc.lan (192.168.129.1) 56(84) bytes of data.

From kerberos.seiner.lan (192.168.128.1): icmp_seq=0 Redirect Host(New
nexthop: tooth.seiner.lan (192.168.128.2))

64 bytes from pythia.llc.lan (192.168.129.1): icmp_seq=0 ttl=254 time=230
ms

64 bytes from pythia.llc.lan (192.168.129.1): icmp_seq=1 ttl=254 time=186
ms

This works.

But:

[yan@poseidon yan]$ telnet mail.llc.lan 143

times out.

If I set a route specifically to the vpn gateway, everything works fine.

[yan@poseidon Pan]$ /sbin/route
Smìrovací tabulka v jádru pro IP
Adresát Brána Maska Pøízn Metrik Odkaz U¾t Rozhraní
192.168.128.0 * 255.255.255.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default kerberos.seiner 0.0.0.0 UG 0 0 0 eth0


This routing setup relies on ICMP redirects, and fails.

But if I add

[root@poseidon yan]# /sbin/route add -net 192.168.0.0 netmask 255.255.0.0
gw tooth

it all works fine, where tooth is the vpn gateway.

So, what do I need to set to automagically allow ICMP redirects to work?

>
>
> This routing setup relies on ICMP redirects, and fails.
>
> But if I add
>
> [root@poseidon yan]# /sbin/route add -net 192.168.0.0 netmask 255.255.0.0
> gw tooth
>
> it all works fine, where tooth is the vpn gateway.
>
> So, what do I need to set to automagically allow ICMP redirects to work?

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 1 > $f; done

Vincent.

--
Kelkoo Security Manager / Networks & Systems Architect
JID: (E-Mail Removed) / Vincent.Jaussaud.AT.kelkoo.DOT.net
Kelkoo.com --- GNU/Linux Powered