* nat through different gateways
@ 2004-10-26  2:27 Christian Fassina Costa
  2004-10-26  3:43 ` Jason Opperisano
  0 siblings, 1 reply; 3+ messages in thread
From: Christian Fassina Costa @ 2004-10-26  2:27 UTC (permalink / raw)
  To: netfilter


Hi ppl,

I have the following scenario:

An internal network 10.1.0.0/24
A gateway with 3 interfaces
eth0 adsl provided ip address
eth1 10.1.0.1 (internal network)
ppp0 192.168.0.234 (vpn to a foreign computer)
The host in the other end is doing NAT with iptables for all addresses.

What I'd like to do:

Since I have several computers in my LAN I'd like one of them to use ppp0
as output interface. I added a route to my internal network in the other
end of my vpn (route add -net 10.1.0.0/24 gw 192.168.0.234). 
If I add a static route, for instance: route add -host www.google.com gw
192.168.0.1, it works fine.

I tried adding an iptables rule as follows:
iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o ppp0 -j MASQUERADE

I can successfully ping 192.168.0.1 but I figured out that the NAT is
not working as I expected (traffic going out via ppp0).

I even tried setting up an alias for my eth1 with a different network
10.2.0.1

then I set up my computer with the address 10.1.0.2 with default gw
10.2.0.1.

If I use the following rule:

iptables -t nat -A POSTROUTING -s 0/0 -o eth0 -j MASQUERADE

it works fine for me and the other computers in the 10.1.0.0 network.

Then I tried
iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.2.0.0/24 -o ppp0 -j MASQUERADE


It worked fine for the 10.1.0.0 network but not for the 10.2.0.0 network.

Does anyone know how to solve this issue? I also read some ip route
documentation but did not find anything suitable to solve this problem.


Regards,

Christian




* Re: nat through different gateways
  2004-10-26  2:27 nat through different gateways Christian Fassina Costa
@ 2004-10-26  3:43 ` Jason Opperisano
  2004-10-26  9:20   ` Christian Fassina Costa
  0 siblings, 1 reply; 3+ messages in thread
From: Jason Opperisano @ 2004-10-26  3:43 UTC (permalink / raw)
  To: netfilter

On Mon, 2004-10-25 at 22:27, Christian Fassina Costa wrote:
> Hi ppl,
> 
> I have the following scenario:
> 
> An internal network 10.1.0.0/24
> A gateway with 3 interfaces
> eth0 adsl provided ip address
> eth1 10.1.0.1 (internal network)
> ppp0 192.168.0.234 (vpn to a foreign computer)
> The host in the other end is doing NAT with iptables for all addresses.
> 
> What I'd like to do:
> 
> Since I have several computers in my LAN I'd like one of them to use ppp0
> as output interface. I added a route to my internal network in the other
> end of my vpn (route add -net 10.1.0.0/24 gw 192.168.0.234). 
> If I add a static route, for instance: route add -host www.google.com gw
> 192.168.0.1, it works fine.
> 
> I tried adding an iptables rule as follows:
> iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o ppp0 -j MASQUERADE
> 
> I can successfully ping 192.168.0.1 but I figured out that the NAT is
> not working as I expected (traffic going out via ppp0).
> 
> I even tried setting up an alias for my eth1 with a different network
> 10.2.0.1
> 
> then I set up my computer with the address 10.1.0.2 with default gw
> 10.2.0.1.
> 
> If I use the following rule:
> 
> iptables -t nat -A POSTROUTING -s 0/0 -o eth0 -j MASQUERADE
> 
> it works fine for me and the other computers in the 10.1.0.0 network.
> 
> Then I tried
> iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
> iptables -t nat -A POSTROUTING -s 10.2.0.0/24 -o ppp0 -j MASQUERADE
> 
> 
> It worked fine for the 10.1.0.0 network but not for the 10.2.0.0 network.
> 
> Does anyone know how to solve this issue? I also read some ip route
> documentation but did not find anything suitable to solve this problem.

is it safe to assume that the default gateway of your netfilter machine
is the ADSL router?

if so--follow the instructions at:
        http://lartc.org/howto/lartc.netfilter.html
to setup an alternate default route for the "special case."

something like this:

# create an alternate route lookup table
echo 201 ppp0.out >> /etc/iproute2/rt_tables

# add a routing rule based on a netfilter mark
ip rule add fwmark 1 table ppp0.out

# add a default route to the alternate table
ip route add default via 192.168.0.1 dev ppp0 table ppp0.out

# mark the packets from the special source machine to be routed over ppp0
iptables -t mangle -A PREROUTING -i eth1 -s $SPECIAL_MACHINE -j MARK --set-mark 1

# make sure our MASQ rules use the IP of the exit interface
iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o ppp0 -j MASQUERADE

-j

-- 
Jason Opperisano <opie@817west.com>



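The fwmark policy-routing setup Jason sketches, which is what Christian's first message was trying to achieve with a MASQUERADE rule alone, as an added example that is not code from either poster. It uses a numeric table id instead of editing rt_tables and `ip route replace` instead of `add`; SPECIAL_HOST=10.1.0.2, table 201, mark 1 and the probe address 198.51.100.1 are assumptions.

```shell
#!/bin/sh
# Added example (not Jason's or Christian's code): the fwmark policy-routing
# setup from the thread as re-runnable functions. Interface names and addresses
# are the thread's; SPECIAL_HOST, TABLE and MARK are assumptions.
LAN_IF=eth1;  LAN_NET=10.1.0.0/24
WAN_IF=eth0
VPN_IF=ppp0;  VPN_GW=192.168.0.1
SPECIAL_HOST=${SPECIAL_HOST:-10.1.0.2}  # the one LAN host that must exit via ppp0
TABLE=201   # numeric table id, so /etc/iproute2/rt_tables need not be edited
MARK=1

# Emit the commands, one per line. Order matters: the mark is set in mangle
# PREROUTING, before the routing decision consults the fwmark rule, and each
# MASQUERADE rule matches its real exit interface so SNAT uses that interface's IP.
policy_route_cmds() {
  cat <<EOF
ip rule add fwmark $MARK table $TABLE priority 100
ip route replace default via $VPN_GW dev $VPN_IF table $TABLE
iptables -t mangle -A PREROUTING -i $LAN_IF -s $SPECIAL_HOST -j MARK --set-mark $MARK
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
iptables -t nat -A POSTROUTING -s $LAN_NET -o $VPN_IF -j MASQUERADE
EOF
}

# Apply idempotently: "ip rule add" creates a duplicate on every run, so skip it
# when an identical rule is already present. DRY_RUN=1 prints instead of executing.
apply_policy_route() {
  policy_route_cmds | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; continue; fi
    if [ "${cmd#ip rule add}" != "$cmd" ] &&
       ip rule show | grep -q "fwmark 0x$MARK lookup $TABLE"; then
      continue
    fi
    $cmd
  done
}

# Ask the kernel what it would do with a marked packet from the special host to
# an off-LAN address (198.51.100.1 is a documentation-range probe): the answer
# should name "dev ppp0" and "table 201". If forwarding works but replies coming
# back on ppp0 vanish, check net.ipv4.conf.ppp0.rp_filter: strict mode drops them
# because the main table would route their source addresses out via eth0.
verify_policy_route() {
  ip route get 198.51.100.1 from "$SPECIAL_HOST" iif "$LAN_IF" mark "$MARK"
}

# Number of emitted commands whose text starts with $1 (self-check helper).
count_cmds() { policy_route_cmds | grep -c "^$1"; }

if [ "${1:-}" = apply ]; then apply_policy_route && verify_policy_route; fi
```

Run as `sh script.sh apply` on the gateway (as root), or `DRY_RUN=1 sh script.sh apply` to only print what would be executed.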

* Re: nat through different gateways
  2004-10-26  3:43 ` Jason Opperisano
@ 2004-10-26  9:20   ` Christian Fassina Costa
  0 siblings, 0 replies; 3+ messages in thread
From: Christian Fassina Costa @ 2004-10-26  9:20 UTC (permalink / raw)
  To: netfilter



Well, first of all thanks for the reply. Unfortunately it didn't work
:( Let me explain it better: my default route (eth0) gets its IP address
via DHCP spoofing.
My routing table looks like this:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
200.96.103.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.0.0        200.96.103.38   255.255.255.0   UG    0      0        0 eth0
10.1.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         10.0.0.138      0.0.0.0         UG    0      0        0 eth0

I even tried setting the nat interface as ppp0 unsuccessfully... I don't
know if there is some issue related to the fact that ppp0 is
encapsulated into eth0 and all the strange stuff I had to do to get my
dhcp spoofing working (route add -net 10.0.0.0/24 gw 200.96.103.38;
route add default gw 10.0.0.138 after getting the ip address via dhcp).

The procedure in the reply should work in my opinion but there must be
another problem. I'll keep on trying; if anyone else could enlighten me I'd
appreciate it :)


Regards,

Christian


On Tue, 2004-10-26 at 00:43, Jason Opperisano wrote:
> On Mon, 2004-10-25 at 22:27, Christian Fassina Costa wrote:
> > Hi ppl,
> > 
> > I have the following scenario:
> > 
> > An internal network 10.1.0.0/24
> > A gateway with 3 interfaces
> > eth0 adsl provided ip address
> > eth1 10.1.0.1 (internal network)
> > ppp0 192.168.0.234 (vpn to a foreign computer)
> > The host in the other end is doing NAT with iptables for all addresses.
> > 
> > What I'd like to do:
> > 
> > Since I have several computers in my LAN I'd like one of them to use ppp0
> > as output interface. I added a route to my internal network in the other
> > end of my vpn (route add -net 10.1.0.0/24 gw 192.168.0.234). 
> > If I add a static route, for instance: route add -host www.google.com gw
> > 192.168.0.1, it works fine.
> > 
> > I tried adding an iptables rule as follows:
> > iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o ppp0 -j MASQUERADE
> > 
> > I can successfully ping 192.168.0.1 but I figured out that the NAT is
> > not working as I expected (traffic going out via ppp0).
> > 
> > I even tried setting up an alias for my eth1 with a different network
> > 10.2.0.1
> > 
> > then I set up my computer with the address 10.1.0.2 with default gw
> > 10.2.0.1.
> > 
> > If I use the following rule:
> > 
> > iptables -t nat -A POSTROUTING -s 0/0 -o eth0 -j MASQUERADE
> > 
> > it works fine for me and the other computers in the 10.1.0.0 network.
> > 
> > Then I tried
> > iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
> > iptables -t nat -A POSTROUTING -s 10.2.0.0/24 -o ppp0 -j MASQUERADE
> > 
> > 
> > It worked fine for the 10.1.0.0 network but not for the 10.2.0.0 network.
> > 
> > Does anyone know how to solve this issue? I also read some ip route
> > documentation but did not find anything suitable to solve this problem.
> 
> is it safe to assume that the default gateway of your netfilter machine
> is the ADSL router?
> 
> if so--follow the instructions at:
>         http://lartc.org/howto/lartc.netfilter.html
> to setup an alternate default route for the "special case."
> 
> something like this:
> 
> # create an alternate route lookup table
> echo 201 ppp0.out >> /etc/iproute2/rt_tables
> 
> # add a routing rule based on a netfilter mark
> ip rule add fwmark 1 table ppp0.out
> 
> # add a default route to the alternate table
> ip route add default via 192.168.0.1 dev ppp0 table ppp0.out
> 
> # mark the packets from the special source machine to be routed over ppp0
> iptables -t mangle -A PREROUTING -i eth1 -s $SPECIAL_MACHINE -j MARK --set-mark 1
> 
> # make sure our MASQ rules use the IP of the exit interface
> iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o eth0 -j MASQUERADE
> iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -o ppp0 -j MASQUERADE
> 
> -j
-- 


