From: Patrick McHardy <kaber@trash.net>
To: Ian Latter <Ian.Latter@mq.edu.au>
Cc: dragon_nlt@yahoo.com, netfilter-devel@lists.netfilter.org
Subject: Re: Transparent broadband network connectivity (IP PnP)
Date: Fri, 14 Mar 2003 00:32:56 +0100
Message-ID: <3E711528.4040502@trash.net>
In-Reply-To: <200303132244.h2DMisD16238@singularity.tronunltd.com>
I still think my suggestion is a lot easier. As I understood him, he already
got so far that the clients can send packets to the internet, they are SNATed,
and reply packets reach the NAT box, which DNATs them back automatically.
With a simple iptables rule, packets can be directed to the client network:

iptables -A PREROUTING -i eth1 -m conntrack --orig-dst <eth0-ip> -j ROUTE --oif eth1

The only thing left to do is make Linux send ARP requests for the client IPs
on eth1; I'm unsure how this can be achieved, or if anything needs to be done at all.

Patrick
Ian Latter wrote:
>Clarifying this ... correcting 1 and 2 below;
>
> Once they're at the Linux router/firewall doohickey, they can then
>be universally NATed .... but then you've got a problem ... because
>the Linux box, doing layer-3 routing, will send user data back to the
>internet. You can fix this by doing one of two things;
>
> 1. Whatever does the ARP spoofing to correct the routing should
> also RARP the IPs of the MACs currently asking for ARPs. This
> would allow you to layer-2 correct/align the Linux box. i.e.;
> rarp on 10.1.1.99 = US:ER:1M:AC
> rarp on 192.168.27.149 = US:ER:2M:AC
> rarp on 1.2.3.200 = US:ER:3M:AC
> (users[1-n]) --- [linux1/router/fw] -- (net)
> This Linux box would have a default (l3) route to the net.
>
> 2. You could use two Linux boxes. The first (closest to the users)
> would have to do all of the layer 2 work - and then forward (bridge)
> traffic to the second. The second would have to do IP NATing
> when matching the traffic from the MAC of the first ... I think ... I
> haven't done any layer 2 stuff in iptables. I.e.;
> (users[1-n]) --- [linux1/l2bridge] -x- [linux2/router/fw] -- (net)
> The second Linux box has a default (l3) route to the net; it would
> reply to traffic from the outer interface MAC address of the first
> Linux box.
>
>
> Option 1 looks easy enough to do ... and seems cooler .. but option
>2 might let you get away with doing this without writing a scrap of
>code ... dunno ... check the kernel options and supporting software
>for the layer 2 stuff .. and if iptables' match on MAC will do what we
>want then you're set.