How to change a packet's arriving interface? -j ROUTE?

How to change a packet's arriving interface? -j ROUTE?

[Jason Liao]

Hi,

I have a firewall running iptables with 3 interfaces: LAN, WAN and DMZ. 
The LAN IP address is 10.0.0.1/24, WAN 66.134.34.157/28, and DMZ
66.134.34.249/28.  The WAN interface connects to the Internet and the
DMZ interface connects to a stub network.

When someone sends a packet to the IP address of the DMZ interface from
the Internet, the packet x.x.x.x->66.134.34.249 arrives at the WAN
interface.  I want to know if there is a way using iptables (maybe with
other tools such as iproute2) to make this packet to appear as if it
arrives at the DMZ interface.  The packet itself should not be
modified.  I need this to work because I am running an IPSec VPN with
FreeS/WAN on the DMZ interface.  When the ESP packets arrives on the WAN
interface, they cannot be properly processed by IPSec because the ipsec0
interface is tied to the DMZ interface directly.  

I looked at the mangle table but could not figure out if it is the right
direction.  I read about the ROUTE target but do not know if this target
is for diverting packets to be sent OUT on another interface, or can it
be used to change a packet's arriving interface.

Thanks in advance.

Jason Liao

Re: How to change a packet's arriving interface? -j ROUTE?

[Cédric de Launois]

> I have a firewall running iptables with 3 interfaces: LAN, WAN and DMZ. 
> The LAN IP address is 10.0.0.1/24, WAN 66.134.34.157/28, and DMZ
> 66.134.34.249/28.  The WAN interface connects to the Internet and the
> DMZ interface connects to a stub network.
> 
> When someone sends a packet to the IP address of the DMZ interface from
> the Internet, the packet x.x.x.x->66.134.34.249 arrives at the WAN
> interface.  I want to know if there is a way using iptables (maybe with
> other tools such as iproute2) to make this packet to appear as if it
> arrives at the DMZ interface.  The packet itself should not be
> modified.  I need this to work because I am running an IPSec VPN with
> FreeS/WAN on the DMZ interface.  When the ESP packets arrives on the WAN
> interface, they cannot be properly processed by IPSec because the ipsec0
> interface is tied to the DMZ interface directly.  
> 
> I looked at the mangle table but could not figure out if it is the right
> direction.  I read about the ROUTE target but do not know if this target
> is for diverting packets to be sent OUT on another interface, or can it
> be used to change a packet's arriving interface.

With the ROUTE target, if you send a received packet to another
interface, it will go out through this interface and will not appear
as an incoming packet.

And if you use a rule such as :
iptables -A PREROUTING -t mangle -i eth0 -j ROUTE --to
<OTHER_IF__IP_ADDRESS>

then the packet will be sent through the local interface (this rule
tells the kernel to route the packet as if the destination IP address
was the address of the other interface).

Thus, at first look and as it is implemented now, the ROUTE target seems
to be unable to help you.

> 
> Thanks in advance.
> 
> Jason Liao
> 
> 

Cédric de Launois

Re: How to change a packet's arriving interface? -j ROUTE?

[Raymond Leach]

[-- Attachment #1: Type: text/plain, Size: 2425 bytes --]

Hi

Use SNAT on the POSTROUTING chain in the NAT table.

iptables -t nat -A POSTROUTING -d $NET_DMZ -j SNAT --to-source
$IP_DMZ_IFACE

also you would need a FORWARD rule to route the initial traffic:
iptables -A FORWARD -d $NET_DMZ -j ACCEPT

These are the least restrictive examples of possible rules. The above
assumes you have public ips in your DMZ.

Ray

On Fri, 2002-12-06 at 18:41, Jason Liao wrote:
> Hi,
> 
> I have a firewall running iptables with 3 interfaces: LAN, WAN and DMZ. 
> The LAN IP address is 10.0.0.1/24, WAN 66.134.34.157/28, and DMZ
> 66.134.34.249/28.  The WAN interface connects to the Internet and the
> DMZ interface connects to a stub network.
> 
> When someone sends a packet to the IP address of the DMZ interface from
> the Internet, the packet x.x.x.x->66.134.34.249 arrives at the WAN
> interface.  I want to know if there is a way using iptables (maybe with
> other tools such as iproute2) to make this packet to appear as if it
> arrives at the DMZ interface.  The packet itself should not be
> modified.  I need this to work because I am running an IPSec VPN with
> FreeS/WAN on the DMZ interface.  When the ESP packets arrives on the WAN
> interface, they cannot be properly processed by IPSec because the ipsec0
> interface is tied to the DMZ interface directly.  
> 
> I looked at the mangle table but could not figure out if it is the right
> direction.  I read about the ROUTE target but do not know if this target
> is for diverting packets to be sent OUT on another interface, or can it
> be used to change a packet's arriving interface.
> 
> Thanks in advance.
> 
> Jason Liao
-- 
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(  Raymond Leach                       )
 ) Knowledge Factory                  (
(                                      )
 ) Tel: +27 11 445 8100               (
(  Fax: +27 11 445 8101                )
 )                                    (
(  http://www.knowledgefactory.co.za/  )
 ) http://www.saptg.co.za/            (
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   o                                o
    o                              o
        .--.                  .--.
       | o_o|                |o_o |
       | \_:|                |:_/ |
      / /   \\              //   \ \
     ( |     |)            (|     | )
     /`\_   _/'\          /'\_   _/`\
     \___)=(___/          \___)=(___/

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: How to change a packet's arriving interface? -j ROUTE?

[Jason Liao]

Hi Ray,

Thank you for your reply, but maybe I was not clear in the original
post:  The destination of the incoming traffic is the firewall machine
itself, just the destination IP address is of the DMZ interface.  For
this reason, the FORWARD rule won't be checked because it is basically
INPUT traffic.  Another issue is that the traffic is IPSec so that any
change to the source address (SNAT) will break the IPSec authentication.

Thanks again for your suggestions.

Best regards,

Jason Liao

Raymond Leach wrote:
> 
> Hi
> 
> Use SNAT on the POSTROUTING chain in the NAT table.
> 
> iptables -t nat -A POSTROUTING -d $NET_DMZ -j SNAT --to-source
> $IP_DMZ_IFACE
> 
> also you would need a FORWARD rule to route the initial traffic:
> iptables -A FORWARD -d $NET_DMZ -j ACCEPT
> 
> These are the least restrictive examples of possible rules. The above
> assumes you have public ips in your DMZ.
> 
> Ray
> 
> On Fri, 2002-12-06 at 18:41, Jason Liao wrote:
> > Hi,
> >
> > I have a firewall running iptables with 3 interfaces: LAN, WAN and DMZ.
> > The LAN IP address is 10.0.0.1/24, WAN 66.134.34.157/28, and DMZ
> > 66.134.34.249/28.  The WAN interface connects to the Internet and the
> > DMZ interface connects to a stub network.
> >
> > When someone sends a packet to the IP address of the DMZ interface from
> > the Internet, the packet x.x.x.x->66.134.34.249 arrives at the WAN
> > interface.  I want to know if there is a way using iptables (maybe with
> > other tools such as iproute2) to make this packet to appear as if it
> > arrives at the DMZ interface.  The packet itself should not be
> > modified.  I need this to work because I am running an IPSec VPN with
> > FreeS/WAN on the DMZ interface.  When the ESP packets arrives on the WAN
> > interface, they cannot be properly processed by IPSec because the ipsec0
> > interface is tied to the DMZ interface directly.
> >
> > I looked at the mangle table but could not figure out if it is the right
> > direction.  I read about the ROUTE target but do not know if this target
> > is for diverting packets to be sent OUT on another interface, or can it
> > be used to change a packet's arriving interface.
> >
> > Thanks in advance.
> >
> > Jason Liao
> --

Re: How to change a packet's arriving interface? -j ROUTE?

[Raymond Leach]

[-- Attachment #1: Type: text/plain, Size: 2956 bytes --]

On Tue, 2002-12-10 at 03:32, Jason Liao wrote:
> Hi Ray,
> 
> Thank you for your reply, but maybe I was not clear in the original
> post:  The destination of the incoming traffic is the firewall machine
> itself, just the destination IP address is of the DMZ interface.  
Does that mean that the traffic is :-
a) coming in via the DMZ with a destination of the DMZ interface 
	or 
b) that the traffic is coming in via another interface (e.g. the
internal interface) with a destination of the DMZ interface.

In the case of a) there is :- INPUT, (maybe PREROUTING).
In the case of b) there is :- (maybe PREROUTING), INPUT, FORWARD, (maybe
POSTROUTING).
> For
> this reason, the FORWARD rule won't be checked because it is basically
> INPUT traffic.  Another issue is that the traffic is IPSec so that any
> change to the source address (SNAT) will break the IPSec authentication.
> 
Then this basically leaves you with either tunneling (isn't that what
IPSec is?) or pure routing (FORWARDing).

> Thanks again for your suggestions.
> 
> Best regards,
> 
> Jason Liao
> 
> Raymond Leach wrote:
> > 
> > Hi
> > 
> > Use SNAT on the POSTROUTING chain in the NAT table.
> > 
> > iptables -t nat -A POSTROUTING -d $NET_DMZ -j SNAT --to-source
> > $IP_DMZ_IFACE
> > 
> > also you would need a FORWARD rule to route the initial traffic:
> > iptables -A FORWARD -d $NET_DMZ -j ACCEPT
> > 
> > These are the least restrictive examples of possible rules. The above
> > assumes you have public ips in your DMZ.
> > 
> > Ray
> > 
> > On Fri, 2002-12-06 at 18:41, Jason Liao wrote:
> > > Hi,
> > >
> > > I have a firewall running iptables with 3 interfaces: LAN, WAN and DMZ.
> > > The LAN IP address is 10.0.0.1/24, WAN 66.134.34.157/28, and DMZ
> > > 66.134.34.249/28.  The WAN interface connects to the Internet and the
> > > DMZ interface connects to a stub network.
> > >
> > > When someone sends a packet to the IP address of the DMZ interface from
> > > the Internet, the packet x.x.x.x->66.134.34.249 arrives at the WAN
> > > interface.  I want to know if there is a way using iptables (maybe with
> > > other tools such as iproute2) to make this packet to appear as if it
> > > arrives at the DMZ interface.  The packet itself should not be
> > > modified.  I need this to work because I am running an IPSec VPN with
> > > FreeS/WAN on the DMZ interface.  When the ESP packets arrives on the WAN
> > > interface, they cannot be properly processed by IPSec because the ipsec0
> > > interface is tied to the DMZ interface directly.
> > >
> > > I looked at the mangle table but could not figure out if it is the right
> > > direction.  I read about the ROUTE target but do not know if this target
> > > is for diverting packets to be sent OUT on another interface, or can it
> > > be used to change a packet's arriving interface.
> > >
> > > Thanks in advance.
> > >
> > > Jason Liao
> > --

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]