(E-Mail Removed) wrote:
> Here is the problem (typical, but I didn't manage to find good keywords
> for a solution under Google):
>
> - network 1 : 194.234.200.0/24 link to the internet on eth0
> - network 2 : 172.31.0.0/16 local network on eth0:0
> - network 3 : 10.25.30.0/24 new vpn network on tun0
>
> Default created routes are OK and it works when I activate ip_forward.
>
> Question 1: what does /proc/sys/net/ipv4/ip_forward really do?
> - allow packet forwarding between logical interfaces?
> - allow packet forwarding between physical interfaces?
It is a master switch for all routing, between physical
and/or logical interfaces. From a routing standpoint, an
interface is an interface, be it physical or logical.
> I want this machine to act as a router only between the local and VPN
> network. ip_forward activation allows too much routing. I know how to
> build an "iptables" firewall to accomplish this, but it looks to me
> really heavy to work at this level.
>
> Question 2: Is there a way to just allow forwarding between interfaces
> eth0:0 and tun0? Using kernel options more specific than ip_forward?
> Or just using the ip command?
The finer grained control for packets inside the IP stack
is performed with the packet filter, called iptables in
modern distributions.
For your purposes, you need to have the IP forwarding control
on to have any forwarding, and then limit the traffic with
a suitably configured packet filter.
For details, get Rusty's Remarkably Unreliable Guides from
<http://people.netfilter.org/~rusty/unreliable-guides/>.
Do not let the name mislead you - these are probably the best
guides there are about packet filtering.
HTH
--
Tauno Voipio
tauno voipio (at) iki fi
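Added example (not from the thread): the "ip_forward on, packet filter restricts" approach from the reply above, written for the networks in the question. Note that eth0:0 is only an address alias on eth0, not a separate device, so netfilter cannot match on `-i eth0:0`; the rules therefore match the real interface plus the 172.31.0.0/16 and 10.25.30.0/24 prefixes. Interface and network names are taken from the post; the function names are my own.

```shell
#!/bin/sh
# Router policy: forward only between the local network and the VPN network.
# Everything else that would be forwarded (e.g. Internet <-> VPN) is dropped.
LAN_IF="${LAN_IF:-eth0}"               # eth0:0 lives on eth0; filter sees "eth0"
LAN_NET="${LAN_NET:-172.31.0.0/16}"    # local network from the question
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.25.30.0/24}"    # VPN network from the question

# Emit the commands implementing the policy, one per line.
# Policy DROP is set before the flush so there is no "allow all" window.
forward_policy() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -d $VPN_NET -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
EOF
}

# "apply" runs the commands (needs root); anything else just shows them.
apply_policy() {
    if [ "${1:-show}" = "apply" ]; then
        forward_policy | sh -e
    else
        forward_policy
    fi
}

# Self-check helpers: count ACCEPT rules, and make sure no rule names an alias.
accept_count() {
    forward_policy | grep -c -- '-j ACCEPT'
}
alias_rule_count() {
    forward_policy | grep -c ':[0-9]'
}

apply_policy "${1:-show}"
```

Dropped forwards are logged (rate-limited) so a misrouted packet shows up in the kernel log instead of vanishing silently.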