This is a discussion on debian [testing/etch] redirected broadcasts not working within the Linux Networking forums, part of the Linux Forums category.
Hi All!

I am struggling with ipfilters to redirect broadcast from the internet into my LAN, which I need for Wake On LAN(WAN). I have just moved from NetBSD to Debian and have set it up to be a router, which does well. I am new to ipfilters, but I got all of my nat-based redirects of ports running, except this one:

iptables -t nat -A PREROUTING -i $EXTIF -p udp --dport 8888 -j DNAT --to 192.168.26.255

This is syntactically accepted by ipfilters, but there are no redirected packages in the LAN, which I track with tcpdump. The packages reach my public interface, but not more.

In NetBSD, I had to set the kernel variable "net.inet.ip.directed-broadcast" to allow the redirected broadcast. After long searches, I discovered "net.ipv4.ip_echo_ignore_broadcasts" for Debian from a posting. But if I try to set this variable, I get only "unknown key" [I use "sysctl -w ...."] as an error message.

Is this a limitation to the testing version, or am I completely wrong with my attempt?

Any help would be great!

Best regards,
Manfred
Hello,

mabra wrote:
>
> I am struggling with ipfilters to redirect broadcast from the internet
> into my LAN, which I need for Wake On LAN(WAN). I have just moved from
> NetBSD to Debian and have set it up to be a router, which does well. I
> am new to ipfilters, but I got all of my nat-based redirects of ports
> running, except this one:
>
> iptables -t nat -A PREROUTING -i $EXTIF -p udp --dport 8888 -j DNAT --to 192.168.26.255
>
> This is syntactically accepted by ipfilters, but there are no redirected
> packages in the LAN, which I track with tcpdump. The packages reach my
> public interface, but not more.

The incoming packet is DNATed into the broadcast address in the PREROUTING chain, and then reaches the input routing stage. But in accordance with RFC 2644 broadcast packets are not forwarded, so the packet is dropped.

> In NetBSD, I had to set the kernel variable "net.inet.ip.directed-broadcast"
> to allow the redirected broadcast.

I am not aware of any such option in the Linux kernel.
For WoL, there are workarounds based on static ARP entries to avoid using an IP broadcast.

> After long searches, I discovered "net.ipv4.ip_echo_ignore_broadcasts"
> for Debian from a posting. But if I try to set this variable, I get
> only "unknown key" [I use "sysctl -w ..."] as an error message.

1) It is not ip_echo_ignore_broadcasts but icmp_echo_ignore_broadcasts.
2) It is not Debian specific, it is in the Linux kernel.
3) It has nothing to do with forwarding broadcast packets. It has to do with accepting and replying to ICMP echo requests ("ping") sent to a local broadcast address or not.
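The failure mode described in this reply (a DNAT target that is the LAN's directed-broadcast address and is therefore silently dropped at the forwarding stage) can be caught by linting the NAT rules before relying on them. The following is an added example, not code from the thread or from any of its posters; it assumes the LAN behind the router is 192.168.26.0/24 (only the broadcast address 192.168.26.255 appears in the thread) and uses a few constructed lines in `iptables-save` format:

```python
import re
import ipaddress

# Constructed sample rules, written the way `iptables-save -t nat` prints them.
# The first rule is the thread's rule (DNAT to the subnet broadcast address).
SAMPLE_RULES = """\
-A PREROUTING -i eth0 -p udp -m udp --dport 8888 -j DNAT --to-destination 192.168.26.255
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.26.10:22
-A PREROUTING -i eth0 -p udp -m udp --dport 9 -j DNAT --to-destination 192.168.26.23
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.5:80
"""

# Assumption: the LAN prefix is a /24; the thread only shows its broadcast address.
LAN = ipaddress.ip_network("192.168.26.0/24")

# Accept both the short `--to` form typed interactively and the `--to-destination`
# form emitted by iptables-save; an optional :port or :port-port range may follow.
DNAT_RE = re.compile(r"-j DNAT --to(?:-destination)? (\d{1,3}(?:\.\d{1,3}){3})(?::\d+(?:-\d+)?)?")


def dnat_targets(rules):
    """Yield (rule_line, target_ip) for every DNAT rule in iptables-save text."""
    for line in rules.splitlines():
        m = DNAT_RE.search(line)
        if m:
            yield line, ipaddress.ip_address(m.group(1))


def check_rules(rules, lan):
    """Return [(rule_line, reason)] for DNAT rules whose target cannot work.

    A target equal to the LAN's directed-broadcast address is dropped once the
    packet reaches the forwarding stage (RFC 2644 behaviour), so such a rule is
    accepted syntactically but never delivers anything. A target outside the LAN
    is flagged as well, since it will not be reached via this interface.
    """
    findings = []
    for rule, target in dnat_targets(rules):
        if target == lan.broadcast_address:
            findings.append((rule, "directed broadcast is not forwarded (RFC 2644)"))
        elif target not in lan:
            findings.append((rule, "target %s is outside %s" % (target, lan)))
    return findings


if __name__ == "__main__":
    for rule, reason in check_rules(SAMPLE_RULES, LAN):
        print("%s\n    -> %s" % (rule, reason))
```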
Hello!

Thanks for your answer. I know that there are the kernel vars for icmp, but I found the other one in a posting in the net.

Using static ARP entries, how to do that? I think this would be completely impracticable for a usual LAN, maybe for one or two computers. I used this technique in my company's WAN to manage administrative workstations and it worked well. With my NetBSD, it worked always. I am frustrated.

RFC 2644 also notes that a router "may have the option to enable this feature".

Thanks first,
Manfred

Pascal Hambourg wrote:
> Hello,
>
> mabra wrote:
>>
>> I am struggling with ipfilters to redirect broadcast from the internet
>> into my LAN, which I need for Wake On LAN(WAN). I have just moved from
>> NetBSD to Debian and have set it up to be a router, which does well. I
>> am new to ipfilters, but I got all of my nat-based redirects of ports
>> running, except this one:
>>
>> iptables -t nat -A PREROUTING -i $EXTIF -p udp --dport 8888 -j DNAT --to 192.168.26.255
>>
>> This is syntactically accepted by ipfilters, but there are no
>> redirected packages in the LAN, which I track with tcpdump. The
>> packages reach my public interface, but not more.
>
> The incoming packet is DNATed into the broadcast address in the
> PREROUTING chain, and then reaches the input routing stage. But in
> accordance with RFC 2644 broadcast packets are not forwarded, so the
> packet is dropped.
>
>> In NetBSD, I had to set the kernel variable
>> "net.inet.ip.directed-broadcast" to allow the redirected broadcast.
>
> I am not aware of any such option in the Linux kernel.
> For WoL, there are workarounds based on static ARP entries to avoid
> using an IP broadcast.
>
>> After long searches, I discovered "net.ipv4.ip_echo_ignore_broadcasts"
>> for Debian from a posting. But if I try to set this variable, I get
>> only "unknown key" [I use "sysctl -w ..."] as an error message.
>
> 1) It is not ip_echo_ignore_broadcasts but icmp_echo_ignore_broadcasts.
> 2) It is not Debian specific, it is in the Linux kernel.
> 3) It has nothing to do with forwarding broadcast packets. It has to do
> with accepting and replying to ICMP echo requests ("ping") sent to a
> local broadcast address or not.