RE: [LARTC] Q: Routing the Same IP simultaneously on different computers ?
From: Forte Systems - Iosif Peterfi @ 2005-06-22 15:25 UTC
To: lartc
Hi,
First, never compare a linux box with a cheap and dumb broadband router.
I'm not sure if I understand your scenario very well but I assume it is like
this:

                             192.168.0.1 ---------
                              -----------| ipsec |
                              |          ---------
128.X.X.X   ---------         |  192.168.0.254
ISP --------| linux |---------|
            ---------         |
                              |          ---------
                              -----------|  voip |
                             192.168.0.2 ---------

You should read the iptables manpage, and your questions would have been
already answered.
Anyway here we go ...
The nat table has 2 targets, SNAT and DNAT.
SNAT alters source IP addresses and DNAT alters destination addresses.
Netfilter can alter more protocols than tcp or udp. It can alter
gre(protocol 57), used by pptp vpn, or even ipsec esp(proto 50) or ah(proto
51).
How does it work ?!
All packets pass through netfilter; you can google for a diagram to see the
order of traversal through the tables/chains. But this concerns only the nat
table, so the order is: PREROUTING, FORWARD, POSTROUTING.
In the PREROUTING chain, we can alter the destination of the packet, so:
iptables -t nat -I PREROUTING -p 50 -d 128.x.x.x -j DNAT --to-destination 192.168.0.1
This will change the IPSEC ah packet's destination address to your lan ipsec
host.
I don't know if this is really functional. I'm not so familiar with ipsec
ah, but it should work, as far as routing/nat is concerned.
As for the voip host. Let's say it uses TCP 5060 and UDP 5060.
iptables -t nat -I PREROUTING -p tcp -d 128.x.x.x --dport 5060 -j DNAT --to-destination 192.168.0.2
iptables -t nat -I PREROUTING -p udp -d 128.x.x.x --dport 5060 -j DNAT --to-destination 192.168.0.2
In the POSTROUTING chain, we can alter the source of the packet, so:
As I understood, you've gone past this but here is an example...
iptables -t nat -I POSTROUTING -s 192.168.0.1 -j SNAT --to-source 128.x.x.x
This changes the source address of the packet after the routing has
taken place, so your private address is altered.
This should do the trick.
If you want to forward EVERYTHING to a host, the linux router cannot use the
internet itself (it acts as a stupid broadband router). This means the routing
works great, but the linux box itself can't establish any connection, since
packets destined to it are forwarded to a lan host. And this is not what we
want.
Success,
Iosif Peterfi,
S.C. Forte Systems SRL
http://wwww.fortesys.ro/
-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl]
On Behalf Of John Wigley
Sent: Tuesday, June 21, 2005 7:41 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Q: Routing the Same IP simultaneously on different computers ?
Hi,
I've asked this elsewhere and received hints but no one seems to have a
concrete explanation :-
What I am looking to do is to be able to configure a Linux based router to
be able to share THE SAME SINGLE Public IP address between the linux router
and a
single computer on the lan acting as the DMZ host (NOT normal NAT IP sharing
!).
So basically you have a linux router with two network ports, WAN and LAN.
The router takes the single ISP assigned public IP address for its WAN
interface and then uses a non routable subnet for the LAN port. There are a
number of machines on the LAN segment and the linux router is performing NAT
for them so that they have internet connectivity - so far this is a standard
normal setup.
Now what I want to do is to simultaneously assign that SAME PUBLIC IP
address onto one of the LAN computers so that it for all intents and
purposes is a DMZ host.
Before anyone says that this is mad and that it can't be done, it can be
done perfectly well and all WESTELL ADSL / Ethernet routers have this
functionality along with some no name Far Eastern origin broadband routers
based on a Conexant OEM reference design.
Having thought long and hard about how to do this but not knowing NetFilter
at all, I realised that the way this must be done is for the router to
perform a standard NAT function with the added functions of tracking all
outgoing connections from the DMZ host and entering those into the NAT table
as well, so that it doesn't try to do a Port Address Translation on top of
an existing outgoing connection from the DMZ host. For incoming connections,
if the incoming packet has a reference in the NAT table then it is directed
to the originating LAN machine and if not is passed through unmodified to
the DMZ host.
I have spent much time googling and reading list postings but cannot find
any reference on how to do this under linux, my guess is that Proxy ARP
needs to be enabled on the LAN interface and then a 1:1 POST NAT mapping set
to remap all the packets for the DMZ host back to the original public IP
address but after that I'm stuck.
This is an incredibly useful feature which I've used on the Westell routers
for some time, but now want to move to a Linux based router to be able to do
QOS, as it allows all the benefits of NAT for sharing a single IP address
but also the benefits of a routed connection for NAT unaware applications
like IPSEC AH, and some VOIP implementations.
Any advice on setting this up would be much appreciated,
Thanks,
John Wigley
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
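Iosif's per-protocol DNAT/SNAT approach above, gathered into one script as an added example (this is not code from the thread): it forwards ESP/AH and SIP to their LAN hosts, rewrites their source address on the way out and, the part the reply leaves implicit, opens the FORWARD chain for the translated packets, which a DROP policy like the one in Grant's sample firewall elsewhere in this thread would otherwise discard silently. 192.0.2.1 is a documentation address standing in for the thread's 128.x.x.x; the interface names and the two hosts are assumptions taken from the diagram. The script prints the commands unless invoked with `apply`.

```shell
#!/bin/sh
# Added example, not code from the thread: Iosif's per-protocol DNAT/SNAT forwarding as one script,
# plus the FORWARD-chain rules the reply leaves implicit. Dry-run by default (prints the commands);
# run as "./dmz-dnat.sh apply" to execute them as root. 192.0.2.1 is a documentation address standing
# in for the thread's 128.x.x.x; interface names and hosts are assumptions taken from Iosif's diagram.

PUB_IP=${PUB_IP:-192.0.2.1}
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
IPSEC_HOST=${IPSEC_HOST:-192.168.0.1}
VOIP_HOST=${VOIP_HOST:-192.168.0.2}
MODE=${1:-dry-run}

# Either execute the command or print it, depending on MODE.
run() { if [ "$MODE" = "apply" ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Inbound: rewrite the destination before routing so the packet is forwarded to the LAN host.
# ESP (protocol 50) and AH (51) carry no ports, so they are matched on protocol alone; SIP signalling
# on TCP and UDP 5060 goes to the VoIP host. Matching -i and -d keeps LAN-to-LAN traffic unaffected.
inbound_dnat() {
    for proto in 50 51; do
        run iptables -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" -d "$PUB_IP" -j DNAT --to-destination "$IPSEC_HOST"
    done
    for proto in tcp udp; do
        run iptables -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" -d "$PUB_IP" --dport 5060 -j DNAT --to-destination "$VOIP_HOST"
    done
}

# Outbound: rewrite the source after routing. Per host rather than the whole subnet, so the other
# LAN machines keep whatever masquerading rule they already have.
outbound_snat() {
    for host in "$IPSEC_HOST" "$VOIP_HOST"; do
        run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$host" -j SNAT --to-source "$PUB_IP"
    done
}

# NAT only rewrites addresses; the filter table still decides whether the translated packet may pass.
# With a FORWARD policy of DROP these accepts are what actually lets the forwarded connections through.
# The destinations here are the post-DNAT (private) ones, because filtering happens after PREROUTING.
forward_filter() {
    for proto in 50 51; do
        run iptables -t filter -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" -d "$IPSEC_HOST" -j ACCEPT
    done
    for proto in tcp udp; do
        run iptables -t filter -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" -d "$VOIP_HOST" --dport 5060 -j ACCEPT
    done
    run iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

all_rules() { inbound_dnat; outbound_snat; forward_filter; }

all_rules
```

Run it once without arguments to review the eleven commands it would issue, then with `apply` on the router; the variables can be overridden from the environment (`PUB_IP=... ./dmz-dnat.sh apply`).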

Re: [LARTC] Q: Routing the Same IP simultaneously on different computers ?
From: Taylor, Grant @ 2005-06-22 18:53 UTC
To: lartc
Hmm, interesting question with a myriad of answers, some more complex than others. One point of contention though is that I have never seen a router that would forward the traffic on internally to a system on the LAN with the external globally routable IP of the router. All the routers that have the concept of a DMZ host in them redirect the traffic to a system on the internal LAN with an IP on the internal subnet. This latter approach is the direction that I will go, if you do want the former let me know and I'll chew on it for a while.
I would initially attempt to use a standard basic NATing firewall (no frills or sanity checks here).
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t filter -F INPUT
iptables -t filter -F FORWARD
iptables -t filter -F OUTPUT
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -t nat -F POSTROUTING
# eth0 will be the internet connection
# eth1 will be the LAN connection.
iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth0 -j ACCEPT
#
# If you have any services that you want to be port forwarded to systems other than the DMZ server
# you will need to list them here.
#
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination $IP_of_other_system
#
# This is the line that I'm not sure about and would have to test as I'm not sure it will do what I think.
#
iptables -t nat -A PREROUTING -i eth0 -m state --state NEW -j DNAT --to-destination $IP_of_DMZ_server
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This is completely untested code so test it at your own risk. This is what I would try out of the gate though.
Grant. . . .
John Wigley wrote:
> Hi,
>
> I've asked this elsewhere and received hints but no one seems to have a
> concrete explanation :-
>
> What I am looking to do is to be able to configure a Linux based router to
> be able to share THE SAME SINGLE Public IP address between the linux
> router and a
> single computer on the lan acting as the DMZ host (NOT normal NAT IP
> sharing !).
>
> So basically you have a linux router with two network ports, WAN and LAN.
> The router takes the single ISP assigned public IP address for its WAN
> interface and then uses a non routable subnet for the LAN port. There are a
> number of machines on the LAN segment and the linux router is performing
> NAT
> for them so that they have internet connectivity - so far this is a
> standard
> normal setup.
>
> Now what I want to do is to simultaneously assign that SAME PUBLIC IP
> address onto one of the LAN computers so that it for all intents and
> purposes is a DMZ host.
>
> Before anyone says that this is mad and that it can't be done, it can be
> done perfectly well and all WESTELL ADSL / Ethernet routers have this
> functionality along with some no name Far Eastern origin broadband routers
> based on a Conexant OEM reference design.
>
> Having thought long and hard about how to do this but not knowing
> NetFilter
> at all, I realised that the way this must be done is for the router to
> perform a standard NAT function with the added functions of tracking all
> outgoing connections from the DMZ host and entering those into the NAT
> table
> as well, so that it doesn't try to do a Port Address Translation on top of
> an existing outgoing connection from the DMZ host. For incoming
> connections,
> if the incoming packet has a reference in the NAT table then it is directed
> to the originating LAN machine and if not is passed through unmodified to
> the DMZ host.
>
> I have spent much time googling and reading list postings but cannot find
> any reference on how to do this under linux, my guess is that Proxy ARP
> needs to be enabled on the LAN interface and then a 1:1 POST NAT mapping
> set
> to remap all the packets for the DMZ host back to the original public IP
> address but after that I'm stuck.
>
> This is an incredibly useful feature which I've used on the Westell routers
> for some time, but now want to move to a Linux based router to be able
> to do
> QOS, as it allows all the benefits of NAT for sharing a single IP address
> but also the benefits of a routed connection for NAT unaware applications
> like IPSEC AH, and some VOIP implementations.
>
> Any advice on setting this up would be much appreciated,
>
> Thanks,
>
> John Wigley

Re: [LARTC] Q: Routing the Same IP simultaneously on different computers ?
From: Matthew Lowe @ 2005-06-22 22:46 UTC
To: lartc
There's only one reason I could possibly see someone wanting to do this. That is to fool server software on the DMZ into using the public IP address. For example, say the server was sending out the local IP address to the clients to initiate further connections. If the server software is not firewall friendly it may not check for the external IP and rather would send the internal IP. Other than that, I can't see any reason to do this.
Anyway, here's the dilemma. You cannot change the destination IP address of a packet prior to routing. If that IP address you're sending to is the same IP address that is assigned to one of the interfaces on the router then your packet will not be sent out the LAN interface. This is because when traversing the route tables, the first table, local, will match the packet.
This problem seems rather complex at first. Assuming you don't change the local table at all you can accomplish what you want to do by adding in a second linux router. Basically you would run NAT and DMZ just like a normal network with private IPs. The DMZ would be assigned a placeholder ip address, like 192.168.0.10. The second linux router would forward all traffic, except traffic that matched 192.168.0.10; for this traffic it would translate the IP address to the public IP address. This functionality can be condensed into one machine by adding two interfaces to the machine and building a bridge between the interfaces. By looping the LAN interface through this bridge, you can then perform the DNAT as the traffic passes through the bridge. This requires the br-nf patch for 2.4 kernels (not required for 2.6).
There is however a simpler solution. It didn't occur to me at first because I've never done it, and never had a need to. Anyway, you need to make two extra routing tables in /etc/iproute2/rt_tables. Call them local2 and dmz. You need to delete the public ip route from the local table and move it to the local2 table. Then you need to add a rule to the other table that looks like this:
ip route add 2.2.2.2 dev eth1 table dmz
2.2.2.2 is your public ip, and eth1 is your lan interface. Change them for your setup.
Now you need to add the rules to lookup these tables in the correct order.
ip rule add from all lookup local2
ip rule add fwmark 1 lookup dmz
This will send any traffic with the public IP out over your lan interface _IF_ it is marked with the value 1. Otherwise it will operate just like normal. Now you should set up your NAT settings for the network. Set it up without anything special for the DMZ. Do it as if there was no DMZ and you were just performing SNAT for the entire private network.
Then, add the rule to mark traffic you want to go to the dmz.
iptables -t mangle -A PREROUTING -d 2.2.2.2 -j MARK --set-mark 1
Pretty simple eh? I've never tested it, but in theory it should work.
Hope that helps,
- Matt
----- Original Message -----
From: John Wigley <johnwigley@acorna.co.uk>
Date: Tuesday, June 21, 2005 10:41 am
Subject: [LARTC] Q: Routing the Same IP simultaneously on different computers ?
> Hi,
>
> I've asked this elsewhere and received hints but no one seems to
> have a
> concrete explanation :-
>
> What I am looking to do is to be able to configure a Linux based
> router to
> be able to share THE SAME SINGLE Public IP address between the
> linux router
> and a
> single computer on the lan acting as the DMZ host (NOT normal NAT
> IP sharing
> !).
>
> So basically you have a linux router with two network ports, WAN
> and LAN.
> The router takes the single ISP assigned public IP address for
> its WAN
> interface and then uses a non routable subnet for the LAN port.
> There are a
> number of machines on the LAN segment and the linux router is
> performing NAT
> for them so that they have internet connectivity - so far this is
> a standard
> normal setup.
>
> Now what I want to do is to simultaneously assign that SAME PUBLIC IP
> address onto one of the LAN computers so that it for all intents and
> purposes is a DMZ host.
>
> Before anyone says that this is mad and that it can't be done, it
> can be
> done perfectly well and all WESTELL ADSL / Ethernet routers have this
> functionality along with some no name Far Eastern origin broadband
> routers based on a Conexant OEM reference design.
>
> Having thought long and hard about how to do this but not knowing
> NetFilter at all, I realised that the way this must be done is for
> the router to
> perform a standard NAT function with the added functions of
> tracking all
> outgoing connections from the DMZ host and entering those into the
> NAT table
> as well, so that it doesn't try to do a Port Address Translation
> on top of
> an existing outgoing connection from the DMZ host. For incoming
> connections, if the incoming packet has a reference in the NAT
> table then it is directed
> to the originating LAN machine and if not is passed through
> unmodified to
> the DMZ host.
>
> I have spent much time googling and reading list postings but
> cannot find
> any reference on how to do this under linux, my guess is that
> Proxy ARP
> needs to be enabled on the LAN interface and then a 1:1 POST NAT
> mapping set
> to remap all the packets for the DMZ host back to the original
> public IP
> address but after that I'm stuck.
>
> This is an incredibly useful feature which I've used on the
> Westell routers
> for some time, but now want to move to a Linux based router to be
> able to do
> QOS, as it allows all the benefits of NAT for sharing a single IP
> address but also the benefits of a routed connection for NAT
> unaware applications
> like IPSEC AH, and some VOIP implementations.
>
> Any advice on setting this up would be much appreciated,
>
> Thanks,
>
> John Wigley
>
>

Re: [LARTC] Q: Routing the Same IP simultaneously on different computers ?
From: Taylor, Grant @ 2005-06-22 23:33 UTC
To: lartc
Matt this is a very interesting idea, along the lines of a solution that I did not want to try to get straight in my head. The question that I run into is how does the system handle returning (outbound) internet traffic from systems not in the DMZ? The way that I read and understand your idea I can't tell how the returning traffic will not be sent to the DMZ. Other than that I think this idea is a very good one.
The idea that comes to my mind, but sadly will not work as I know it, is to use EBTables to bridge the internet and LAN interface and use the EBTables brouting table BROUTING chain to decide if the traffic should be bridged or not based on a connection tracking state, i.e. if the traffic is not related to any outbound LAN traffic then bridge the traffic over to the DMZ server, if it is related DROP the traffic in the BROUTING table which causes it to be routed. You would obviously need to have at least an aliased interface on the LAN interface to do the routing with. But I don't know of any match extension for EBTables that will test based on whether or not the NetFilter Connection Tracking code has seen the traffic or not. However I think this would be a useful match extension, and guessing I don't think it would be hard to write though I am not qualified to do so or really speculate.
Grant. . . .
Matthew Lowe wrote:
> There's only one reason I could possibly see someone wanting to do this. That is to fool server software on the DMZ into using the public IP address. For example, say the server was sending out the local IP address to the clients to initiate further connections. If the server software is not firewall friendly it may not check for the external IP and rather would send the internal IP. Other than that, I can't see any reason to do this.
>
> Anyway, here's the dilemma. You cannot change the destination IP address of a packet prior to routing. If that IP address you're sending to is the same IP address that is assigned to one of the interfaces on the router then your packet will not be sent out the LAN interface. This is because when traversing the route tables, the first table, local, will match the packet.
>
> This problem seems rather complex at first. Assuming you don't change the local table at all you can accomplish what you want to do by adding in a second linux router. Basically you would run NAT and DMZ just like a normal network with private IPs. The DMZ would be assigned a placeholder ip address, like 192.168.0.10. The second linux router would forward all traffic, except traffic that matched 192.168.0.10; for this traffic it would translate the IP address to the public IP address. This functionality can be condensed into one machine by adding two interfaces to the machine and building a bridge between the interfaces. By looping the LAN interface through this bridge, you can then perform the DNAT as the traffic passes through the bridge. This requires the br-nf patch for 2.4 kernels (not required for 2.6).
>
> There is however a simpler solution. It didn't occur to me at first because I've never done it, and never had a need to. Anyway, you need to make two extra routing tables in /etc/iproute2/rt_tables. Call them local2 and dmz. You need to delete the public ip route from the local table and move it to the local2 table. Then you need to add a rule to the other table that looks like this:
> ip route add 2.2.2.2 dev eth1 table dmz
> 2.2.2.2 is your public ip, and eth1 is your lan interface. Change them for your setup.
> Now you need to add the rules to lookup these tables in the correct order.
> ip rule add from all lookup local2
> ip rule add fwmark 1 lookup dmz
>
> This will send any traffic with the public IP out over your lan interface _IF_ it is marked with the value 1. Otherwise it will operate just like normal. Now you should set up your NAT settings for the network. Set it up without anything special for the DMZ. Do it as if there was no DMZ and you were just performing SNAT for the entire private network.
>
> Then, add the rule to mark traffic you want to go to the dmz.
>
> iptables -t mangle -A PREROUTING -d 2.2.2.2 -j MARK --set-mark 1
>
> Pretty simple eh? I've never tested it, but in theory it should work.
>
> Hope that helps,
> - Matt

Re: [LARTC] Q: Routing the Same IP simultaneously on different computers ?
From: Matthew Lowe @ 2005-06-23 4:37 UTC
To: lartc
Yes, you are right. After I posted that message, I realized I left out some parts that are probably not obvious enough to be left out.
Packets originating at the DMZ going out will be routed correctly. No additional work needs to be done to fix that. However, the return packets on those connections need to be identified and MARKed with value 1. It's important to take note that almost all packets are going to be MARKed already, since it is after all the DMZ.
The real problem is connections originating from the router. The return packets on these connections will get forwarded to the DMZ. Now this may not be a problem at all, if you don't want your router to be accessed from the outside world. In fact, we can take a page from software developers around the world and call this a feature. The device operates transparently by default :P
The workaround for this is rather complex and requires an additional interface on the private network side (using 192.168.0.24 in this example) as well as a kernel patch. The general idea is this: first we add a rule to the OUTPUT chain.
iptables -t mangle -A OUTPUT -j MARK --set-mark 2
All locally generated traffic will have a MARK of value 2. Now we must create another routing table called looper. Add the correct rule to lookup the table.
ip rule add fwmark 2 lookup looper
We then take advantage of iproute's dummy nat.
ip rule add nat 192.168.0.24 fwmark 2
(Since we push rules on to the top of the rule list, we have to do it in this order.)
In the looper table we need to put two routes. First the network route for the internal network, and second the default gateway. There is one very important item in these routes, and that is, we are specifying our new interface (eth2).
ip route add 192.168.0.0/24 dev eth2 src 192.168.0.24 table looper
ip route add default via 192.168.0.1 dev eth2 table looper
That's it for the routing and firewall rules. Now you need to rebuild the kernel, after patching it with the send-to-self patch. This patch will allow you to talk from 192.168.0.24 to 192.168.0.1 over the wire instead of internally through the kernel. I'm not 100% sure that you need to send the packet out over the wire. The deciding factor is whether or not the packet will pass through the POSTROUTING chain. If it does, it may be possible to eliminate the second interface altogether. If you decide to eliminate the interface and give it a try, keep in mind you need to change the mark on the packet. This will do:
# Uncomment only if you are not using a third interface
#iptables -t mangle -A PREROUTING -m mark --mark 2 -j MARK --set-mark 0
Load up the new kernel. Add two lines to your firewall script:
echo 1 > /proc/sys/net/ipv4/conf/eth1/loop
echo 1 > /proc/sys/net/ipv4/conf/eth2/loop
And there you have it. Wow, what a mess. I guess it could be worse... it could look like my routing setup :P
One more thing, on the DMZ client you have to specify the gateway as 192.168.0.1 and add a route into the routing table for 192.168.0.0/24. You might also have to make a few exceptions in the firewall if you have rules to prevent spoofing.
I hope that covers it all,
Matt
----- Original Message -----
From: "Taylor, Grant" <gtaylor@riverviewtech.net>
Date: Wednesday, June 22, 2005 5:33 pm
Subject: Re: [LARTC] Q: Routing the Same IP simultaneously on different computers ?
> Matt this is a very interesting idea, along the lines of a
> solution that I did not want to try to get straight in my head. The
> question that I run in to is how does the system handle returning
> (outbound) internet traffic from systems not in the DMZ? The way
> that I read and understand your idea I can't tell how the
> returning traffic will not be sent to the DMZ. Other than that I
> think this idea is a very good one.
>
> The idea that comes to my mind, but sadly will not work as I know
> it, is to use EBTables to bridge the internet and LAN interface
> and use the EBTables brouting table BROUTING chain to decide if
> the traffic should be bridged or not based on a connection
> tracking state, i.e. if the traffic is not related to any outbound
> LAN traffic then bridge the traffic over to the DMZ server, if it
> is related DROP the traffic in the BROUTING table which causes it
> to be routed. You would obviously need to have at least an
> aliased interface on the LAN interface to do the routing with.
> But I don't know of any match extension for EBTables that will
> test based on whether or not the NetFilter Connection Tracking
> code has seen the traffic or not. However I think this would be a
> useful match extension, and guessing I don't think it would be
> hard to write though I am not qualified to do so or really speculate.
>
>
>
> Grant. . . .

Re: [LARTC] Q: Routing the Same IP simultaneously on different computers ?
From: Matthew Lowe @ 2005-06-23 10:27 UTC
To: lartc
I realize I sort of sidestepped your original question and thought it deserved an answer, since it's a legitimate problem after all. You were on the right track, you had the right idea. The functionality is actually fairly new to iptables I believe. I can't even find it in my man pages, I have to google to get an up-to-date enough man page that has it.
You have to change the DMZ rule to this:
iptables -t mangle -A PREROUTING -i eth0 -d 2.2.2.2 -m conntrack --ctorigsrc ! 192.168.0.0/24 -j MARK --set-mark 1
The addition of this conntrack match will prevent the matching of any packets that are return packets for connections originating from the internal network. When I negated the ctorigsrc argument on my router at home I was given an error "no argument following !". This is some sort of bug, perhaps fixed in a later version of the kernel. A simple work around is these two lines:
iptables -t mangle -A PREROUTING -i eth0 -d 2.2.2.2 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth0 -d 2.2.2.2 -m conntrack --ctorigsrc 192.168.0.0/24 -j MARK --set-mark 0
The conntrack match is a godsend for me. I've got 6 connections to the internet, and load balancing and NAT set up for the private network. The problem with load balancing and NAT is that you can't initiate a connection on one interface, and then switch over to a second interface later on since the IPs will have to change. The conntrack match allows you to determine which interface the data went out on to start the connection, and to continue using that interface for the rest of the connection. Without it, load balancing and NAT is very complicated.
Now I really hope that covers everything,
Matt
----- Original Message -----
From: "Taylor, Grant" <gtaylor@riverviewtech.net>
Date: Wednesday, June 22, 2005 5:33 pm
Subject: Re: [LARTC] Q: Routing the Same IP simultaneously on different computers ?
> Matt this is a very interesting idea, along the lines of a
> solution that I did not want to try to get straight in my head. The
> question that I run in to is how does the system handle returning
> (outbound) internet traffic from systems not in the DMZ? The way
> that I read and understand your idea I can't tell how the
> returning traffic will not be sent to the DMZ. Other than that I
> think this idea is a very good one.
>
> The idea that comes to my mind, but sadly will not work as I know
> it, is to use EBTables to bridge the internet and LAN interface
> and use the EBTables brouting table BROUTING chain to decide if
> the traffic should be bridged or not based on a connection
> tracking state, i.e. if the traffic is not related to any outbound
> LAN traffic then bridge the traffic over to the DMZ server, if it
> is related DROP the traffic in the BROUTING table which causes it
> to be routed. You would obviously need to have at least an
> aliased interface on the LAN interface to do the routing with.
> But I don't know of any match extension for EBTables that will
> test based on whether or not the NetFilter Connection Tracking
> code has seen the traffic or not. However I think this would be a
> useful match extension, and guessing I don't think it would be
> hard to write though I am not qualified to do so or really speculate.
>
>
>
> Grant. . . .
>
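The policy-routing design from Matt's replies (the local2/dmz tables and the fwmark rule from his first answer, the conntrack exclusion from his last), assembled into one dry-run script as an added example; it is not code from the thread. Two parts go beyond what he posted and are my own additions: a CONNMARK tag on connections the router itself opens, so that their replies are not diverted to the DMZ host (the problem his send-to-self patch addressed), and a reverse-path-filter exception on the LAN interface with an explicit anti-spoofing rule in its place, which is what his "exceptions in the firewall if you have rules to prevent spoofing" amounts to. 192.0.2.2 is a documentation address standing in for 2.2.2.2; the table ids 100/101 and the interface names are assumptions. It prints the commands unless invoked with `apply`.

```shell
#!/bin/sh
# Added example, not code from the thread: Matt's policy-routing DMZ as one script.
# Dry-run by default (prints every command); run as "./dmz-route.sh apply" to execute them as root.
# Constructed placeholders: 192.0.2.2 stands in for the thread's 2.2.2.2; table ids and interface
# names are assumptions, adjust them to your router.

PUB_IP=${PUB_IP:-192.0.2.2}          # the single public address, shared with the DMZ host
LAN_NET=${LAN_NET:-192.168.0.0/24}   # private subnet that is SNATed as usual
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
T_LOCAL2=${T_LOCAL2:-100}            # "local2" in the thread; add "100 local2" to /etc/iproute2/rt_tables for a name
T_DMZ=${T_DMZ:-101}                  # "dmz" in the thread
MODE=${1:-dry-run}

# Either execute the command or print it, depending on MODE.
run() { if [ "$MODE" = "apply" ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Step 1: move the kernel's "local" route for the public address out of the local table (consulted at
# priority 0, before any rule we can add) into a table of our own. The address itself stays on the WAN
# interface; the kernel re-creates the local route if the address is removed and re-added, so rerun after that.
move_local_route() {
    run ip route add local "$PUB_IP" dev "$WAN_IF" table "$T_LOCAL2"
    run ip route del local "$PUB_IP" dev "$WAN_IF" table local
}

# Step 2: the dmz table says one thing: the public address is reachable on the LAN side.
dmz_route() {
    run ip route add "$PUB_IP" dev "$LAN_IF" table "$T_DMZ"
}

# Step 3: rule order is the whole trick. Marked packets consult the dmz table first; everything else
# falls through to local2 (the relocated local route) and then to main as before.
policy_rules() {
    run ip rule add fwmark 1 lookup "$T_DMZ" pref 100
    run ip rule add from all lookup "$T_LOCAL2" pref 200
}

# Step 4: mark inbound packets for the DMZ host, then clear the mark on replies that belong to
# connections somebody else opened: the LAN (conntrack's original source is private) or the router
# itself (tagged with CONNMARK 2 when it opens the connection; that tag is an addition to the thread,
# which patched the kernel instead). Matt's single negated --ctorigsrc match failed on his iptables,
# so the two-rule form he fell back on is used here.
mark_rules() {
    run iptables -t mangle -A OUTPUT -o "$WAN_IF" -j CONNMARK --set-mark 2
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -d "$PUB_IP" -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -d "$PUB_IP" -m conntrack --ctorigsrc "$LAN_NET" -j MARK --set-mark 0
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -d "$PUB_IP" -m connmark --mark 2 -j MARK --set-mark 0
}

# Step 5: plain SNAT for the private subnet only. The DMZ host already sends from the public address
# and must not be touched, which a catch-all MASQUERADE on the WAN interface would do.
nat_rules() {
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$PUB_IP"
}

# Step 6: the DMZ host's packets enter on the LAN interface with the public source address, and a strict
# reverse-path check rejects them because the unmarked lookup for that address still points at the WAN
# interface. Relax rp_filter on the LAN interface only (the kernel applies the higher of this and
# net.ipv4.conf.all.rp_filter, so check that one too) and put an explicit spoof check in FORWARD instead.
forward_rules() {
    run sysctl -w "net.ipv4.conf.$LAN_IF.rp_filter=0"
    run iptables -t filter -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -t filter -A FORWARD -i "$LAN_IF" -s "$PUB_IP" -j ACCEPT
    run iptables -t filter -A FORWARD -i "$LAN_IF" -j DROP
    run iptables -t filter -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m mark --mark 1 -j ACCEPT
    run iptables -t filter -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

all_rules() {
    move_local_route; dmz_route; policy_rules; mark_rules; nat_rules; forward_rules
}

all_rules
```

With these rules every unsolicited packet from the Internet to the public address ends up at the DMZ host, the router included: to keep, say, remote administration of the router itself reachable, add a PREROUTING rule after the `--set-mark 1` line that resets the mark for that port alone. The DMZ host itself is configured as Matt describes: the public address on its interface, 192.168.0.1 as gateway, and a route for 192.168.0.0/24 on the LAN interface.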