How to send all packets to a router

How to send all packets to a router

[Karina]

Hi, i have this problem..

I have an iptables-box, that is the default gateway for all my internal
addresses, after this box all the packets are sending to my main router.
But now, I need to send one of my internal Class C to another router
instead of the main one.

I try with this line:

$IPTABLES -T NAT -a PREROUTING -i eth0 -s $THISCLASS -j DNAT --to
other.router.ip

but it seems this is not working.

If i setup a computer and i put as gateway directly the new router ip
all works. But , if i setup this same comptuer and i put as gateway my
iptables-box (all the computers have this settings) this doesn't work.
The packets sent by my other ip addresses are going to main router as
usual, but the other class is not going to the alternate router.

Any ideas ?

Re: How to send all packets to a router

[Karina]

I don't think the location of the rule is the problem. It seems that this line
is changing the final destination ip, instead of setting a next hop for my
route, i think this because if i ping an external host as yahoo, the ping
command returns me values or <10 ms , that are exactly the same values for the
ping for the alternate router. So the ping is not reaching yahoo, it seems is
reaching only the router as a final destination, instead of routing the
packets.


Karina.


Alistair Tonner wrote:

> On February 24, 2002 12:18 pm, Karina wrote:
> > Hi, i have this problem..
> >
> > I have an iptables-box, that is the default gateway for all my internal
> > addresses, after this box all the packets are sending to my main router.
> > But now, I need to send one of my internal Class C to another router
> > instead of the main one.
> >
> > I try with this line:
> >
> > $IPTABLES -T NAT -a PREROUTING -i eth0 -s $THISCLASS -j DNAT --to
> > other.router.ip
> >
> > but it seems this is not working.
> >
> > If i setup a computer and i put as gateway directly the new router ip
> > all works. But , if i setup this same comptuer and i put as gateway my
> > iptables-box (all the computers have this settings) this doesn't work.
> > The packets sent by my other ip addresses are going to main router as
> > usual, but the other class is not going to the alternate router.
> >
> > Any ideas ?
>
>         Perhaps you have the order of the NAT rules incorrect?
>         This rule should occurr in the table *before* the default one
>         that routes the rest of your network.
>
>         Alistair

--
LSCI Karina Gómez Salgado
mailto:kgs@acabtu.com.mx
Systems Administrator & Web Projects Manager

BTU Comunicación, S.A. de C.V.

Re: How to send all packets to a router

[Alistair Tonner]

On February 24, 2002 12:18 pm, Karina wrote:
> Hi, i have this problem..
>
> I have an iptables-box, that is the default gateway for all my internal
> addresses, after this box all the packets are sending to my main router.
> But now, I need to send one of my internal Class C to another router
> instead of the main one.
>
> I try with this line:
>
> $IPTABLES -T NAT -a PREROUTING -i eth0 -s $THISCLASS -j DNAT --to
> other.router.ip
>
> but it seems this is not working.
>
> If i setup a computer and i put as gateway directly the new router ip
> all works. But , if i setup this same comptuer and i put as gateway my
> iptables-box (all the computers have this settings) this doesn't work.
> The packets sent by my other ip addresses are going to main router as
> usual, but the other class is not going to the alternate router.
>
> Any ideas ?

	Perhaps you have the order of the NAT rules incorrect?
	This rule should occurr in the table *before* the default one
	that routes the rest of your network.

	Alistair

Re: How to send all packets to a router

[Joel Newkirk]

On Sunday 24 February 2002 12:18 pm, Karina wrote:
> Hi, i have this problem..
>
> I have an iptables-box, that is the default gateway for all my
> internal addresses, after this box all the packets are sending to my
> main router. But now, I need to send one of my internal Class C to
> another router instead of the main one.
>
> I try with this line:
>
> $IPTABLES -T NAT -a PREROUTING -i eth0 -s $THISCLASS -j DNAT --to
> other.router.ip
>
> but it seems this is not working.
>
> If i setup a computer and i put as gateway directly the new router ip
> all works. But , if i setup this same comptuer and i put as gateway my
> iptables-box (all the computers have this settings) this doesn't work.
> The packets sent by my other ip addresses are going to main router as
> usual, but the other class is not going to the alternate router.
>
> Any ideas ?

Yep.  DNAT changes the destination, the FINAL destination.  Everything 
you DNAT with this rule is sent TO the router, not THROUGH the router.

You want to work with routing instead of NAT, because you only want to 
change the route used to reach that destination.  The Linux Advanced 
Routing and Traffic Control Howto ( http://lartc.org/howto ) has a 
helpful section "Routing for Multiple Uplinks" at 
http://lartc.org/howto/lartc.rpdb.multiple-links.html that should tell 
you what you want.  

Basically you need to create 2 routing tables, with an upstream router as 
the default route in each.  Make the 'main' router the overall default, 
and the secondary router has a rule that sends specific traffic to it.  
You can source-route ("Prev" from the Multiple-Uplink section linked 
above) just with the routing configuration, or you can use the MARK 
target in mangle PREROUTING with iptables to flag the traffic destined 
for it, and then set up a routing rule based on the fwmark, as explained 
in http://lartc.org/howto/lartc.netfilter.html .  From what you 
outlined, source routing is your simplest solution, and won't directly 
involve iptables at all.  MARK is more useful in situations where you 
need to send specific types of traffic, rather than specific sources, 
through a different route.

j

Re: How to send all packets to a router

[John Covici]

I have sort of a combination problem of this type.  I did the routes
in section 4.2 of the Advanced Routing HOwTO and that was OK, but now
I need to have everything go out interface ppp0 except mail which
must go out eth1 and I need whatever goes out eth1to have a certain 
ip address and whatever goes out ppp0 to have a certain ip address.

What I did was to use table mail.out like in the example in the
howto like this:
ip rule add fwmark 1 table mail.out||exit 1
ip route add default via <remote gateway for eth1>  dev eth1 table mail.out||exit 1
Then I issued the following iptable commands

iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 25 -j MARK --set-mark 1
iptables -t nat -A POSTROUTING -o eth1 -j SNAT -p tcp --sport 25 --to <ip address for eth1>
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to <ip address for ppp0>

I thought I would need something for the output chain as well, but I
kept getting invalid argument when I tried to put the same rule into
the output chain like the one I put into the POSTROUTING chain.

So what am I doing wrong here?

Thanks.



on Mon, 24 Feb 2003 22:11:38 -0500 Joel Newkirk <netfilter@newkirk.us> wrote:

>
> Yep.  DNAT changes the destination, the FINAL destination.  Everything 
> you DNAT with this rule is sent TO the router, not THROUGH the router.
>
> You want to work with routing instead of NAT, because you only want to 
> change the route used to reach that destination.  The Linux Advanced 
> Routing and Traffic Control Howto ( http://lartc.org/howto ) has a 
> helpful section "Routing for Multiple Uplinks" at 
> http://lartc.org/howto/lartc.rpdb.multiple-links.html that should tell 
> you what you want.  
>
> Basically you need to create 2 routing tables, with an upstream router as 
> the default route in each.  Make the 'main' router the overall default, 
> and the secondary router has a rule that sends specific traffic to it.  
> You can source-route ("Prev" from the Multiple-Uplink section linked 
> above) just with the routing configuration, or you can use the MARK 
> target in mangle PREROUTING with iptables to flag the traffic destined 
> for it, and then set up a routing rule based on the fwmark, as explained 
> in http://lartc.org/howto/lartc.netfilter.html .  From what you 
> outlined, source routing is your simplest solution, and won't directly 
> involve iptables at all.  MARK is more useful in situations where you 
> need to send specific types of traffic, rather than specific sources, 
> through a different route.
>
> j

-- 
         John Covici
         covici@ccs.covici.com

Re: How to send all packets to a router

[Ian Morgan]

On Mon, 31 Mar 2003, John Covici wrote:

> iptables -t nat -A POSTROUTING -o eth1 -j SNAT -p tcp --sport 25 --to <ip address for eth1>
> iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to <ip address for ppp0>
> 
> I thought I would need something for the output chain as well, but I
> kept getting invalid argument when I tried to put the same rule into
> the output chain like the one I put into the POSTROUTING chain.
> 
> So what am I doing wrong here?

I've noticed that for every release in the 2.4.21-pre series, I have to
rebuild iptables, otherwise I get "invalid argument" on the SNAT rules.
_VERY_ annoying. A simple rebuild solves the prob though.

Regards,
Ian Morgan

-- 
-------------------------------------------------------------------
 Ian E. Morgan          Vice President & C.O.O.       Webcon, Inc.
 imorgan@webcon.ca          PGP: #2DA40D07           www.webcon.ca
    *  Customized Linux network solutions for your business  *
-------------------------------------------------------------------

Re: How to send all packets to a router

[John covici]

Turns out that the whole thing works if I take rp_filter off that
interface and omit the tcp rule from the POSTROUTING chain.  Strange!

on Sunday 04/06/2003 Ian Morgan(imorgan@webcon.ca) wrote
 > On Mon, 31 Mar 2003, John Covici wrote:
 > 
 > > iptables -t nat -A POSTROUTING -o eth1 -j SNAT -p tcp --sport 25 --to <ip address for eth1>
 > > iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to <ip address for ppp0>
 > > 
 > > I thought I would need something for the output chain as well, but I
 > > kept getting invalid argument when I tried to put the same rule into
 > > the output chain like the one I put into the POSTROUTING chain.
 > > 
 > > So what am I doing wrong here?
 > 
 > I've noticed that for every release in the 2.4.21-pre series, I have to
 > rebuild iptables, otherwise I get "invalid argument" on the SNAT rules.
 > _VERY_ annoying. A simple rebuild solves the prob though.
 > 
 > Regards,
 > Ian Morgan
 > 
 > -- 
 > -------------------------------------------------------------------
 >  Ian E. Morgan          Vice President & C.O.O.       Webcon, Inc.
 >  imorgan@webcon.ca          PGP: #2DA40D07           www.webcon.ca
 >     *  Customized Linux network solutions for your business  *
 > -------------------------------------------------------------------

-- 
         John Covici
         covici@ccs.covici.com