Newbie question about NAT and forwarding

Newbie question about NAT and forwarding

[felix]

I have a small network with a gateway machine which has two interfaces
to the internet.  One is (yes!) ppp0, a dialup account, the other is a
broadband connection.  Some of the network machines behind the gateway
have real static addresses, some have 192.168.* or similar local net
addresses.  The dialup account has static real addresses for those
local net machines which need internet access, but the broadband
connection gets its address dynamically from DHCP.  As much as it
would be nice to ditch the dialup account altogether, that is not
practical at the moment.

I would like all the local net machines to not be aware of there being
multiple connections, to route all SMTP traffic, both in and out, thru
the dialup account, and to route all other traffic thru the broadband
connection.

I think I know how to route based on the protocol.  For SMTP, that is
made easier by not needing to NAT anything.  But I need NAT for all
other traffic using the broadband connection, right? since it has only
a single synamically assigned DHCP address.  This is where I get
confused.

What iptables commands would I used to route non-SMTP packets between,
say, eth0 (local net, static real addresses) and eth1 (broadband DHCP)?

-- 
            ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
     Felix Finch: scarecrow repairman & rocket surgeon / felix@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

Re: Newbie question about NAT and forwarding

[Danny Rathjens]

felix@crowfix.com wrote:
> I have a small network with a gateway machine which has two interfaces
> to the internet.  One is (yes!) ppp0, a dialup account, the other is a
> broadband connection.  Some of the network machines behind the gateway
> have real static addresses, some have 192.168.* or similar local net
> addresses.  The dialup account has static real addresses for those
> local net machines which need internet access, but the broadband
> connection gets its address dynamically from DHCP.  As much as it
> would be nice to ditch the dialup account altogether, that is not
> practical at the moment.
> 
> I would like all the local net machines to not be aware of there being
> multiple connections, to route all SMTP traffic, both in and out, thru
> the dialup account, and to route all other traffic thru the broadband
> connection.
> 
> I think I know how to route based on the protocol.  For SMTP, that is
> made easier by not needing to NAT anything.  But I need NAT for all
> other traffic using the broadband connection, right? since it has only
> a single synamically assigned DHCP address.  This is where I get
> confused.
> 
> What iptables commands would I used to route non-SMTP packets between,
> say, eth0 (local net, static real addresses) and eth1 (broadband DHCP)?
 
I just did something similar.
Just follow normal procedure for NAT of traffc using and us broadband as default route:
route add default gw $broadband_gateway

Then you just need to route the smtp traffic through your dial-up.

iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 25 -j MARK --set-mark 2
echo 202 mail >> /etc/iproute2/rt_tables
ip rule add fwmark 2 table mail
ip route add default via $dialup_gateway dev eth0 table mail
ip route flush cache

Re: Newbie question about NAT and forwarding

[felix]

On Wed, Sep 06, 2006 at 06:24:34PM -0400, Danny Rathjens wrote:
> 
> Then you just need to route the smtp traffic through your dial-up.
> 
> echo 202 mail >> /etc/iproute2/rt_tables
> ip rule add fwmark 2 table mail
> ip route add default via $dialup_gateway dev eth0 table mail

I see I have mucho to learn -- I didn't even know about this
/etc/iproute2 directory.  It does look simple, but not at all what I
had thought of.  I must read up some more!

Thanks.

-- 
            ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
     Felix Finch: scarecrow repairman & rocket surgeon / felix@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

Re: Newbie question about NAT and forwarding

[Pascal Hambourg]

Hello,

Danny Rathjens a écrit :
> felix@crowfix.com wrote:
[...]
>> What iptables commands would I used to route non-SMTP packets between,
>> say, eth0 (local net, static real addresses) and eth1 (broadband DHCP)?
> 
> Just follow normal procedure for NAT of traffc using and us broadband as 
> default route:
> route add default gw $broadband_gateway

And for NAT :
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

MASQUERADE is because eth1's address is dynamic. Else SNAT could be used 
instead.

> Then you just need to route the smtp traffic through your dial-up.
> 
> iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 25 -j MARK 
> --set-mark 2
> echo 202 mail >> /etc/iproute2/rt_tables
> ip rule add fwmark 2 table mail
> ip route add default via $dialup_gateway dev eth0 table mail
                                            ^^^^^^^^
"dev ppp0" would be better IMHO.

If source address validation is enabled, don't forget to disable it on 
the non-default interface :

sysctl -w net/ipv4/conf/ppp0/rp_filter=0

If net/ipv4/conf/default/rp_filter=1, you'll have to do this every time 
after ppp0 is created. If net/ipv4/conf/default/rp_filter=0 before ppp0 
is created, net/ipv4/conf/ppp0/rp_filter will be automatically set to 0.

One remark : if there is SMTP traffic from a local host with a private 
address, this  traffic will be routed via ppp0 but must be NATed with 
any public address routed on the dialup link. If it is not NATed, it 
will go out with its original private source address and that's not good.

Note to Felix : you don't need to define and use a table name in 
/etc/iproute2/rt_tables. It just makes routes and routing rules more 
readable. You can use a table number in the range 1-252 instead.

Re: Newbie question about NAT and forwarding

[felix]

On Thu, Sep 07, 2006 at 01:52:34AM +0200, Pascal Hambourg wrote:

> Note to Felix : you don't need to define and use a table name in 
> /etc/iproute2/rt_tables. It just makes routes and routing rules more 
> readable. You can use a table number in the range 1-252 instead.

I've used table names with iptables commands in my shell scripts, but
I didn't know this /etc/iproute2 directory existed.  That's what I
need to read up on :-) I think an evening with man pages will be
helpful.

-- 
            ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
     Felix Finch: scarecrow repairman & rocket surgeon / felix@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

Re: Newbie question about NAT and forwarding

[Pascal Hambourg]

felix@crowfix.com a écrit :
> 
> I've used table names with iptables commands in my shell scripts, but
> I didn't know this /etc/iproute2 directory existed.

Huh ? AFAIK, iptables commands do not use routing tables. Can you give 
an example ?

Re: Newbie question about NAT and forwarding

[felix]

On Thu, Sep 07, 2006 at 03:37:33AM +0200, Pascal Hambourg wrote:
> felix@crowfix.com a ?crit :
> >
> >I've used table names with iptables commands in my shell scripts, but
> >I didn't know this /etc/iproute2 directory existed.
> 
> Huh ? AFAIK, iptables commands do not use routing tables. Can you give 
> an example ?

I am showing my newbie status.  Maybe I meant chain names?  Here is a
snippet I use to enable and disable ssh, with SSH being a table?chain?
name I can use in another script:

iptables -N SSH
iptables -A SSH -j LOG --log-prefix 'IPT: SSH: '
iptables -A SSH -j ACCEPT
iptables -A INPUT-TCP -p TCP -m multiport --dports ssh -j SSH

I knew I didn't know a lot about iptables -- it looks like I knew even
less than I thought!

-- 
            ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
     Felix Finch: scarecrow repairman & rocket surgeon / felix@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

Re: Newbie question about NAT and forwarding

[Pascal Hambourg]

felix@crowfix.com a écrit :
> On Thu, Sep 07, 2006 at 03:37:33AM +0200, Pascal Hambourg wrote:
> 
>>felix@crowfix.com a ?crit :
>>
>>>I've used table names with iptables commands in my shell scripts, but
>>>I didn't know this /etc/iproute2 directory existed.
>>
>>Huh ? AFAIK, iptables commands do not use routing tables. Can you give 
>>an example ?
> 
> I am showing my newbie status.  Maybe I meant chain names?

Someone using user-defined iptables chains cannot be a newbie. :-)

> Here is a
> snippet I use to enable and disable ssh, with SSH being a table?chain?
> name I can use in another script:
> 
> iptables -N SSH

Here "SSH" is a user-defined iptables chain in the default iptables 
table ("filter"). Routing tables and /etc/iproute2 are totally 
independant from iptables.

Re: Newbie question about NAT and forwarding

[felix]

On Thu, Sep 07, 2006 at 11:20:39AM +0200, Pascal Hambourg wrote:

> Routing tables and /etc/iproute2 are totally 
> independant from iptables.

Ahh, yes, I should have known that, probably do, but I was confused
for a moment.  OK, now I have two things to read up on.

-- 
            ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
     Felix Finch: scarecrow repairman & rocket surgeon / felix@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

Re: Newbie question about NAT and forwarding

[Danny Rathjens]

Pascal Hambourg wrote:
> Danny Rathjens a écrit :
>> ip route add default via $dialup_gateway dev eth0 table mail
> 
>                                            ^^^^^^^^
> "dev ppp0" would be better IMHO.

Yeah, was just a mistake.  I had cut and paste from my own setup
where eth0 is the alternate route to world and missed that when I
changed the paste to fit his setup.