Version 1 (modified by rkh23, 8 years ago)
Setup assumed: sensors on a private network on one NIC; apps and the rest of the world on another NIC and network. Multicast traffic is required to flow freely across the two interfaces.
0. The machine needs to run mrouted. The defaults are sufficient (it routes all multicast traffic across all interfaces). The problem is that it doesn't route the machine's own packets (hence the rest of the solution). Nevertheless, mrouted (or xorp or equivalent) is required. mrouted is no longer supported. Attached is a modified tarball of the source that compiles under FC3 and SuSE 9.3.
1. Patch kernel-2.6.11 with the iptables ROUTE target module patch
The ROUTE target module allows you to change the route taken by packets based on iptables match criteria. It is described in the iptables 1.3.1 man pages, but for some reason isn't in the kernel itself.
To patch the kernel, you need to go to netfilter.org and grab the latest patch-o-matic (ng) from:
Make sure /usr/src/linux is linked to the kernel you want and also that you have the source of iptables-1.3.1 available and unpacked.
In the patch-o-matic source directory, run:
KERNEL_DIR=/usr/src/linux IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme extra
It will tell you what each module does and automatically apply any patches that are required by the ones you pick. I only picked the ROUTE target patch, but it also applied a bunch of dependent patches.
2. Compile kernel-2.6.11 with the ROUTE target enabled as a module in the kernel config.
(Optionally change the version of the kernel in the Makefile)
Find this under (make menuconfig):
Device Drivers > Network Configuration > Networking Options > Packet Filtering > ROUTE target module.
Then: make all modules_install install
3. Recompile iptables from source rpm
You'll need to get the source rpm from either SuSE or Red Hat (depending on what you're using) and rebuild it against the patched kernel headers. Under SuSE, this only required:
rpm -i iptables-1.3.1-3.src.rpm
(edit the version number in /usr/src/packages/SPECS/iptables.spec)
rpmbuild -ba /usr/src/packages/SPECS/iptables.spec
rpm -ivh --force /usr/src/packages/RPMS/i586/iptables-1.3.1-3.dtg.i586.rpm
4. Reboot and add the appropriate iptables rule:
For our network, our default interface was eth1, so the rule we needed to add was:
iptables -t mangle -A OUTPUT -d 22.214.171.124/8 -o eth1 -j ROUTE --tee --oif eth0
This means: make a copy of every packet destined for the 126.96.36.199/8 subnet that would leave via eth1, and put it onto eth0 as well.
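The final step is a single rule that is easy to get wrong at the prefix (a /0 would mirror every outbound packet onto the sensor network) and that usually has to be re-applied at boot. The following POSIX sh wrapper is an added example, not part of the original wiki page or of mrouted/iptables: it builds the step-4 rule from parameters, refuses malformed or over-broad prefixes, checks that both interfaces exist and that mrouted is running, and re-applies the rule idempotently (delete, then append). The function names, the IPTABLES override variable and the eth1/eth0 defaults are assumptions; the sample address is the one from the page.

```shell
#!/bin/sh
# Added example: safe re-application of the mangle/OUTPUT ROUTE --tee rule.
# Not part of the original page; names and defaults are assumptions.

IPTABLES=${IPTABLES:-iptables}   # override to point at another binary

# valid_cidr A.B.C.D/N  -> 0 if it is a well-formed IPv4 prefix with 1<=N<=32.
# /0 is rejected on purpose: it would duplicate *all* outbound traffic
# onto the tee interface, not just the multicast range you meant.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; plen=${1#*/}
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -ge 1 ] && [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr            # split into octets (function-local positionals)
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# rule_spec DEST OUT_IF TEE_IF -> the match/target part shared by -A and -D.
rule_spec() {
    printf '%s' "-d $1 -o $2 -j ROUTE --tee --oif $3"
}

# tee_rule DEST OUT_IF TEE_IF -> the full command line as written on the page.
tee_rule() {
    valid_cidr "$1" || return 1
    printf 'iptables -t mangle -A OUTPUT %s\n' "$(rule_spec "$1" "$2" "$3")"
}

# apply_tee_rule DEST OUT_IF TEE_IF -> install the rule exactly once.
apply_tee_rule() {
    dest=$1; out_if=$2; tee_if=$3
    valid_cidr "$dest" || { echo "refusing bad or over-broad prefix: $dest" >&2; return 1; }
    for i in "$out_if" "$tee_if"; do
        [ -e "/sys/class/net/$i" ] || { echo "no such interface: $i" >&2; return 1; }
    done
    # Kernel-originated multicast is only forwarded while mrouted (step 0) runs.
    pidof mrouted >/dev/null 2>&1 || echo "warning: mrouted is not running" >&2
    spec=$(rule_spec "$dest" "$out_if" "$tee_if")
    # Delete any earlier copy first, so running this at every boot never
    # stacks duplicate rules (word splitting of $spec is intentional).
    $IPTABLES -t mangle -D OUTPUT $spec 2>/dev/null || true
    $IPTABLES -t mangle -A OUTPUT $spec
}

# Usage: sh tee-rule.sh apply 22.214.171.124/8 eth1 eth0
case ${1-} in
    apply) apply_tee_rule "${2:?dest/prefix}" "${3:?out_if}" "${4:?tee_if}" ;;
esac
```

Run it with `apply` as the first argument from a boot script; with no arguments it only defines the functions, which is what lets the prefix check be exercised separately. Setting `IPTABLES=echo` before invoking `apply` prints the two iptables commands instead of executing them, which is a convenient dry run.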
That's all that needs to be done. The ROUTE target is described in the iptables man pages but is not actually in the mainline kernel; I guess that only means it is destined for the kernel but not yet incorporated into the newest releases.