* How to change a packet's arriving interface? -j ROUTE?
From: Jason Liao @ 2002-12-06 16:41 UTC
To: netfilter; +Cc: delaunois

Hi,

I have a firewall running iptables with 3 interfaces: LAN, WAN and DMZ. The LAN IP address is 10.0.0.1/24, WAN 66.134.34.157/28, and DMZ 66.134.34.249/28. The WAN interface connects to the Internet and the DMZ interface connects to a stub network.

When someone sends a packet to the IP address of the DMZ interface from the Internet, the packet x.x.x.x->66.134.34.249 arrives at the WAN interface. I want to know if there is a way using iptables (maybe with other tools such as iproute2) to make this packet appear as if it arrives at the DMZ interface. The packet itself should not be modified. I need this to work because I am running an IPSec VPN with FreeS/WAN on the DMZ interface. When the ESP packets arrive on the WAN interface, they cannot be properly processed by IPSec because the ipsec0 interface is tied to the DMZ interface directly.

I looked at the mangle table but could not figure out if it is the right direction. I read about the ROUTE target but do not know if this target is for diverting packets to be sent OUT on another interface, or whether it can be used to change a packet's arriving interface.

Thanks in advance.

Jason Liao
* Re: How to change a packet's arriving interface? -j ROUTE?
From: Cédric de Launois @ 2002-12-06 17:27 UTC
To: Jason Liao; +Cc: Netfilter Development Mailinglist

> I have a firewall running iptables with 3 interfaces: LAN, WAN and DMZ.
> The LAN IP address is 10.0.0.1/24, WAN 66.134.34.157/28, and DMZ
> 66.134.34.249/28. The WAN interface connects to the Internet and the
> DMZ interface connects to a stub network.
>
> When someone sends a packet to the IP address of the DMZ interface from
> the Internet, the packet x.x.x.x->66.134.34.249 arrives at the WAN
> interface. I want to know if there is a way using iptables (maybe with
> other tools such as iproute2) to make this packet appear as if it
> arrives at the DMZ interface. The packet itself should not be
> modified. I need this to work because I am running an IPSec VPN with
> FreeS/WAN on the DMZ interface. When the ESP packets arrive on the WAN
> interface, they cannot be properly processed by IPSec because the ipsec0
> interface is tied to the DMZ interface directly.
>
> I looked at the mangle table but could not figure out if it is the right
> direction. I read about the ROUTE target but do not know if this target
> is for diverting packets to be sent OUT on another interface, or whether
> it can be used to change a packet's arriving interface.

With the ROUTE target, if you send a received packet to another interface, it will go out through this interface and will not appear as an incoming packet. And if you use a rule such as:

    iptables -A PREROUTING -t mangle -i eth0 -j ROUTE --to <OTHER_IF__IP_ADDRESS>

then the packet will be sent through the local interface (this rule tells the kernel to route the packet as if the destination IP address was the address of the other interface).

Thus, at first look and as it is implemented now, the ROUTE target seems to be unable to help you.

> Thanks in advance.
>
> Jason Liao

Cédric de Launois
* Re: How to change a packet's arriving interface? -j ROUTE?
From: Raymond Leach @ 2002-12-09 5:32 UTC
To: Netfilter Mailing List

Hi

Use SNAT on the POSTROUTING chain in the NAT table.

    iptables -t nat -A POSTROUTING -d $NET_DMZ -j SNAT --to-source $IP_DMZ_IFACE

Also you would need a FORWARD rule to route the initial traffic:

    iptables -A FORWARD -d $NET_DMZ -j ACCEPT

These are the least restrictive examples of possible rules. The above assumes you have public IPs in your DMZ.

Ray

On Fri, 2002-12-06 at 18:41, Jason Liao wrote:
> Hi,
>
> I have a firewall running iptables with 3 interfaces: LAN, WAN and DMZ.
> The LAN IP address is 10.0.0.1/24, WAN 66.134.34.157/28, and DMZ
> 66.134.34.249/28. The WAN interface connects to the Internet and the
> DMZ interface connects to a stub network.
>
> When someone sends a packet to the IP address of the DMZ interface from
> the Internet, the packet x.x.x.x->66.134.34.249 arrives at the WAN
> interface. I want to know if there is a way using iptables (maybe with
> other tools such as iproute2) to make this packet appear as if it
> arrives at the DMZ interface. The packet itself should not be
> modified. I need this to work because I am running an IPSec VPN with
> FreeS/WAN on the DMZ interface. When the ESP packets arrive on the WAN
> interface, they cannot be properly processed by IPSec because the ipsec0
> interface is tied to the DMZ interface directly.
>
> I looked at the mangle table but could not figure out if it is the right
> direction. I read about the ROUTE target but do not know if this target
> is for diverting packets to be sent OUT on another interface, or whether
> it can be used to change a packet's arriving interface.
>
> Thanks in advance.
>
> Jason Liao

--
Raymond Leach
Knowledge Factory
Tel: +27 11 445 8100
Fax: +27 11 445 8101
http://www.knowledgefactory.co.za/
http://www.saptg.co.za/
* Re: How to change a packet's arriving interface? -j ROUTE?
From: Jason Liao @ 2002-12-10 1:32 UTC
To: raymondl; +Cc: netfilter

Hi Ray,

Thank you for your reply, but maybe I was not clear in the original post: the destination of the incoming traffic is the firewall machine itself, just the destination IP address is that of the DMZ interface. For this reason, the FORWARD rule won't be checked because it is basically INPUT traffic. Another issue is that the traffic is IPSec, so any change to the source address (SNAT) will break the IPSec authentication.

Thanks again for your suggestions.

Best regards,

Jason Liao

Raymond Leach wrote:
>
> Hi
>
> Use SNAT on the POSTROUTING chain in the NAT table.
>
> iptables -t nat -A POSTROUTING -d $NET_DMZ -j SNAT --to-source $IP_DMZ_IFACE
>
> Also you would need a FORWARD rule to route the initial traffic:
>
> iptables -A FORWARD -d $NET_DMZ -j ACCEPT
>
> These are the least restrictive examples of possible rules. The above
> assumes you have public IPs in your DMZ.
>
> Ray
>
> On Fri, 2002-12-06 at 18:41, Jason Liao wrote:
> > Hi,
> >
> > I have a firewall running iptables with 3 interfaces: LAN, WAN and DMZ.
> > The LAN IP address is 10.0.0.1/24, WAN 66.134.34.157/28, and DMZ
> > 66.134.34.249/28. The WAN interface connects to the Internet and the
> > DMZ interface connects to a stub network.
> >
> > When someone sends a packet to the IP address of the DMZ interface from
> > the Internet, the packet x.x.x.x->66.134.34.249 arrives at the WAN
> > interface. I want to know if there is a way using iptables (maybe with
> > other tools such as iproute2) to make this packet appear as if it
> > arrives at the DMZ interface. The packet itself should not be
> > modified. I need this to work because I am running an IPSec VPN with
> > FreeS/WAN on the DMZ interface. When the ESP packets arrive on the WAN
> > interface, they cannot be properly processed by IPSec because the ipsec0
> > interface is tied to the DMZ interface directly.
> >
> > I looked at the mangle table but could not figure out if it is the right
> > direction. I read about the ROUTE target but do not know if this target
> > is for diverting packets to be sent OUT on another interface, or whether
> > it can be used to change a packet's arriving interface.
> >
> > Thanks in advance.
> >
> > Jason Liao
> --
* Re: How to change a packet's arriving interface? -j ROUTE?
From: Raymond Leach @ 2002-12-10 5:23 UTC
To: Jason Liao; +Cc: Netfilter Mailing List

On Tue, 2002-12-10 at 03:32, Jason Liao wrote:
> Hi Ray,
>
> Thank you for your reply, but maybe I was not clear in the original
> post: the destination of the incoming traffic is the firewall machine
> itself, just the destination IP address is that of the DMZ interface.

Does that mean that the traffic is:

a) coming in via the DMZ with a destination of the DMZ interface, or
b) coming in via another interface (e.g. the internal interface) with a destination of the DMZ interface?

In the case of a) there is: INPUT, (maybe PREROUTING).
In the case of b) there is: (maybe PREROUTING), INPUT, FORWARD, (maybe POSTROUTING).

> For this reason, the FORWARD rule won't be checked because it is basically
> INPUT traffic. Another issue is that the traffic is IPSec, so any
> change to the source address (SNAT) will break the IPSec authentication.

Then this basically leaves you with either tunneling (isn't that what IPSec is?) or pure routing (FORWARDing).

> Thanks again for your suggestions.
>
> Best regards,
>
> Jason Liao
>
> Raymond Leach wrote:
> >
> > Hi
> >
> > Use SNAT on the POSTROUTING chain in the NAT table.
> >
> > iptables -t nat -A POSTROUTING -d $NET_DMZ -j SNAT --to-source $IP_DMZ_IFACE
> >
> > Also you would need a FORWARD rule to route the initial traffic:
> >
> > iptables -A FORWARD -d $NET_DMZ -j ACCEPT
> >
> > These are the least restrictive examples of possible rules. The above
> > assumes you have public IPs in your DMZ.
> >
> > Ray
> >
> > On Fri, 2002-12-06 at 18:41, Jason Liao wrote:
> > > Hi,
> > >
> > > I have a firewall running iptables with 3 interfaces: LAN, WAN and DMZ.
> > > The LAN IP address is 10.0.0.1/24, WAN 66.134.34.157/28, and DMZ
> > > 66.134.34.249/28. The WAN interface connects to the Internet and the
> > > DMZ interface connects to a stub network.
> > >
> > > When someone sends a packet to the IP address of the DMZ interface from
> > > the Internet, the packet x.x.x.x->66.134.34.249 arrives at the WAN
> > > interface. I want to know if there is a way using iptables (maybe with
> > > other tools such as iproute2) to make this packet appear as if it
> > > arrives at the DMZ interface. The packet itself should not be
> > > modified. I need this to work because I am running an IPSec VPN with
> > > FreeS/WAN on the DMZ interface. When the ESP packets arrive on the WAN
> > > interface, they cannot be properly processed by IPSec because the ipsec0
> > > interface is tied to the DMZ interface directly.
> > >
> > > I looked at the mangle table but could not figure out if it is the right
> > > direction. I read about the ROUTE target but do not know if this target
> > > is for diverting packets to be sent OUT on another interface, or whether
> > > it can be used to change a packet's arriving interface.
> > >
> > > Thanks in advance.
> > >
> > > Jason Liao
> > --
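Editor's note. The point on which Jason's second message and Raymond's last reply turn is that the routing decision after PREROUTING keys on the destination address alone: a packet whose destination is one of the firewall's own addresses is handed to INPUT no matter which interface it came in on, never reaches FORWARD or POSTROUTING, and so is never touched by a POSTROUTING SNAT rule. The following Python model of that hook order is an added example written for this page; it is not code posted by anyone in the thread. The three firewall addresses are the ones Jason gives. The interface names (wan, lan, dmz), the outside source 203.0.113.5, the DMZ host 66.134.34.250 and the default route via the WAN interface are constructed assumptions, as is the packet as a plain dict.

```python
"""Toy model of netfilter hook traversal for the three-interface firewall.

Constructed example for this page, not code from the thread. Firewall
addresses are from Jason's post; interface names, the default route and
the sample packets are assumptions.
"""
import ipaddress

# Firewall interfaces: names assumed, addresses from the thread.
INTERFACES = {
    "wan": ipaddress.ip_interface("66.134.34.157/28"),
    "lan": ipaddress.ip_interface("10.0.0.1/24"),
    "dmz": ipaddress.ip_interface("66.134.34.249/28"),
}

# Routing table: the connected prefixes plus a default route out of WAN
# (the default route is an assumption; the thread does not state it).
ROUTES = [(ifc.network, name) for name, ifc in INTERFACES.items()]
ROUTES.append((ipaddress.ip_network("0.0.0.0/0"), "wan"))

# Addresses for which the kernel delivers locally instead of forwarding.
LOCAL_ADDRESSES = {ifc.ip for ifc in INTERFACES.values()}


def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the output interface name."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def traverse(packet, snat_rules=()):
    """Walk the packet through the netfilter hooks in order.

    packet: dict with keys src, dst, proto, in_if.
    snat_rules: iterable of (dst_network, new_source), emulating
        iptables -t nat -A POSTROUTING -d NET -j SNAT --to-source ADDR
    Returns (list of hooks visited, packet as it leaves the last hook).
    The arriving interface is carried through unchanged: nothing in this
    path rewrites in_if, which is the answer to the thread's question.
    """
    pkt = dict(packet)
    hooks = ["PREROUTING"]
    if ipaddress.ip_address(pkt["dst"]) in LOCAL_ADDRESSES:
        # Routing decision: destination is ours, deliver locally.
        hooks.append("INPUT")
        pkt["out_if"] = None
        return hooks, pkt
    # Routing decision: destination is elsewhere, forward it.
    hooks.append("FORWARD")
    pkt["out_if"] = route_lookup(pkt["dst"])
    hooks.append("POSTROUTING")
    for net, new_src in snat_rules:
        if ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(net):
            pkt["src"] = new_src  # SNAT rewrites the source only here
            break
    return hooks, pkt


# Raymond's rule with the DMZ values filled in ($NET_DMZ, $IP_DMZ_IFACE).
RAYMOND_SNAT = [("66.134.34.240/28", "66.134.34.249")]

# Jason's case: ESP from the Internet to the DMZ interface address,
# arriving on WAN. Source address is constructed.
ESP_TO_FIREWALL = {"src": "203.0.113.5", "dst": "66.134.34.249",
                   "proto": "esp", "in_if": "wan"}

# For contrast: a packet to a (constructed) host behind the DMZ interface.
TO_DMZ_HOST = {"src": "203.0.113.5", "dst": "66.134.34.250",
               "proto": "tcp", "in_if": "wan"}

if __name__ == "__main__":
    for p in (ESP_TO_FIREWALL, TO_DMZ_HOST):
        hooks, out = traverse(p, RAYMOND_SNAT)
        print(" -> ".join(hooks), out)
```

Running it shows the two paths side by side: the ESP packet addressed to 66.134.34.249 goes PREROUTING -> INPUT with its source and arriving interface untouched, so Raymond's POSTROUTING SNAT never sees it; the packet for 66.134.34.250 goes PREROUTING -> FORWARD -> POSTROUTING, is routed out the DMZ interface and has its source rewritten. The model deliberately stops at the hook order; it does not attempt to show what FreeS/WAN does with the packet once INPUT delivers it to ipsec0.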