From: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
To: Kevin Hilscher <KHilscher@Hatsize.com>
Cc: Netfilter users list <netfilter@lists.netfilter.org>
Subject: Re: Duplicate IP scenario. Doable with iptables?
Date: Fri, 26 Nov 2004 23:04:53 -0500
Message-ID: <1101528293.2019.26.camel@localhost>
In-Reply-To: <s1a330bd.064@mail2.hatsize.com>
On Tue, 2004-11-23 at 14:44, Kevin Hilscher wrote:
> I have a somewhat odd scenario that requires the same pools of 192.168
> IPs to be bound to eth1 and eth2 on the same machine. I need to NAT
> another pool of 10.x.x.x IPs bound to eth0 to these two pools of 192.168
> IPs. The setup is as follows:
>
> eth0:10.115.0.1/16 -> eth1:192.168.0.1/24
> eth0:10.115.0.2/16 -> eth1:192.168.0.2/24
> eth0:10.115.0.3/16 -> eth1:192.168.0.3/24
> eth0:10.115.0.4/16 -> eth1:192.168.0.4/24
> eth0:10.115.0.5/16 -> eth1:192.168.0.5/24
> eth0:10.115.0.6/16 -> eth1:192.168.0.6/24
>
> eth0:10.116.0.1/16 -> eth2:192.168.0.1/24
> eth0:10.116.0.2/16 -> eth2:192.168.0.2/24
> eth0:10.116.0.3/16 -> eth2:192.168.0.3/24
> eth0:10.116.0.4/16 -> eth2:192.168.0.4/24
> eth0:10.116.0.5/16 -> eth2:192.168.0.5/24
> eth0:10.116.0.6/16 -> eth2:192.168.0.6/24
>
> Suse 8.1 has no problem letting me bind the same IPs to eth1 and eth2,
> since eth1 and eth2 are not on the same physical network. However, I am
> having problems writing my NAT rules for this scenario.
>
> Is this scenario doable under iptables?
>
> TIA,
>
> Kevin
Hmmm . . . that's an interesting one. Let's break it into SNAT and
DNAT. I think you will be able to keep the packets straight in DNAT by
specifying the inbound interface, e.g.,
iptables -t nat -A PREROUTING -i eth2 -d 192.168.0.1 -j DNAT --to-destination 10.116.0.1
On SNAT, we can keep the packets straight based upon source, e.g.,
iptables -t nat -A POSTROUTING -s 10.116.0.6 -j SNAT --to-source 192.168.0.6
but I'm not sure how one makes sure the packet goes out eth2 rather than
eth1. I think the interface decision has already been made but I'm not
sure. If it has been, I wonder if one could use policy routing in
iproute2 to make it work. One could set up a rule to route to an
interface based upon source. It might be worth a try. Good luck - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
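The policy-routing approach John suggests, written out as an added example (not code from the thread or from either poster). It assumes the mapping in Kevin's table: the 10.115.0.0/16 pool maps to eth1 and the 10.116.0.0/16 pool to eth2, six hosts each, and it picks table numbers 115 and 116, which are assumed to be unused. The routing decision is made between PREROUTING and POSTROUTING, so a source-based `ip rule` is what selects eth1 or eth2; the SNAT rule only rewrites the address once the interface is chosen. Note also that the DNAT match must be a host address; `-d 192.168.0.1/24` would match the whole /24.

```shell
#!/bin/sh
# Added example, not from the original thread. Per-interface NAT of two
# 10.x.0.0/16 pools onto two identically numbered 192.168.0.0/24 legs.
# Assumptions: 10.115.0.x <-> eth1, 10.116.0.x <-> eth2, hosts .1 to .6,
# routing tables 115 and 116 free. Commands are printed by default
# (DRY_RUN=1); run with DRY_RUN=0 as root to apply them.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# setup_pool PREFIX IFACE TABLE
#   PREFIX: first three octets of the 10.x pool, e.g. 10.116.0
#   IFACE:  the 192.168.0.0/24 leg this pool is presented on
#   TABLE:  iproute2 table used for this pool's routing lookups
setup_pool() {
    prefix=$1; iface=$2; table=$3

    # Policy routing: packets sourced from this 10.x pool consult a table
    # holding only this interface's copy of 192.168.0.0/24. The route
    # lookup happens before POSTROUTING, so SNAT alone cannot choose the
    # interface; the rule below makes the choice from the pre-NAT source.
    run ip route add 192.168.0.0/24 dev "$iface" table "$table"
    run ip rule add from "$prefix.0/16" lookup "$table"

    i=1
    while [ "$i" -le 6 ]; do
        # Inbound on this leg: 192.168.0.N -> 10.x.0.N. A host address is
        # matched on purpose; 192.168.0.N/24 would cover the whole subnet.
        run iptables -t nat -A PREROUTING -i "$iface" -d "192.168.0.$i" \
            -j DNAT --to-destination "$prefix.$i"
        # Outbound: 10.x.0.N shows up as 192.168.0.N on its own leg only.
        # -o restricts the rewrite to the interface policy routing chose.
        run iptables -t nat -A POSTROUTING -s "$prefix.$i" -o "$iface" \
            -j SNAT --to-source "192.168.0.$i"
        i=$((i + 1))
    done
}

setup_all() {
    setup_pool 10.115.0 eth1 115
    setup_pool 10.116.0 eth2 116
}

# Print (default) or apply the full ruleset.
setup_all
```

To check which leg a given source will use once the rules are in, `ip route get 192.168.0.3 from 10.116.0.3 iif eth0` should report `dev eth2`, and the POSTROUTING counters from `iptables -t nat -L POSTROUTING -v -n` should show the SNAT hits on the matching `-o` rule only.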
Thread overview:
2004-11-23 19:44 Duplicate IP scenario. Doable with iptables? Kevin Hilscher
2004-11-23 19:50 ` Jason Opperisano
2004-11-27 4:04 ` John A. Sullivan III [this message]
-- strict thread matches above, loose matches on Subject: below --
2004-11-23 19:28 Kevin Hilscher