Is this possible?

Is this possible?

[Fisher Alex]

Hi.

I'll do my best to explain what I'm trying to acheive with a linux box 
and 3 NICS.

I have two sets of systems.  Each system has about 30 IP addresses 
spread across various bits of hardware.  The two systems are identical 
(ie have the same 30 IP addresses).  The addresses are all part of the 
class C subnet 192.168.0.*

The IP addresses for each system are now set in stone and can't be 
changed.  Furthermore, similar addresses are already in use on our network.

I've been given a set of IP addresses I CAN use (172.26.158.*)

A diagram might help here ...

   -----------        -----------------
   - System1 ---------|eth1            |
   -----------        |                |
                      |  Linux Router  |
                      |            eth0|------------Rest of the network
                      |                |
   -----------        |                |
   - System2 ---------|eth2            |
   -----------        ------------------

I also have an address I can use for eth0 which will make the router 
visible from machines on the rest of the network.  This can be set as 
the default gateway for connections to the 172.26.158.* subnet.

I would like PCs on the normal network to be able to connect with either 
system by addressing them with addresses off the 172.26.158 subnet. 
I'll assign 30 of these IPs to each system.

For example. 172.26.158.10 might be mapped onto 192.168.0.2 on eth1
whilst  172.26.158.50 might be mapped onto 192.168.0.2 on eth2

Is this at all possible?  I assume I'll need to use at least DNAT but 
also apply some other trickery to route to the correct interface.  As a 
newbie to IPTables, I'm not sure how I might even begin to set up rules 
for this.

Hopefully this is the sort of thing people want to do all the time and 
it will be easy :)

Any help would be very much appreciated.

Thanks,

Al




This email and any attachments are confidential to the intended recipient
and may also be privileged. If you are not the intended recipient please
delete it from your system and notify Thales Underwater Systems on +44 1963
370 551. You should not copy it or use it for any purpose nor disclose or
distribute its contents to any other person.

Re: Is this possible?

[Kiran Kumar]

--- Fisher Alex <Alex.Fisher@uk.thalesgroup.com>
wrote:

> I'll do my best to explain what I'm trying to
> acheive with a linux box 
> and 3 NICS.

  I'll do my best too. :D

> 
> I have two sets of systems.  Each system has about
> 30 IP addresses 
> spread across various bits of hardware.  The two
> systems are identical 
> (ie have the same 30 IP addresses).  The addresses
> are all part of the 
> class C subnet 192.168.0.*
> 
> The IP addresses for each system are now set in
> stone and can't be 
> changed.  Furthermore, similar addresses are already
> in use on our network.
> 
> I've been given a set of IP addresses I CAN use
> (172.26.158.*)
> 
> A diagram might help here ...
> 
>    -----------        -----------------
>    - System1 ---------|eth1            |
>    -----------        |                |
>                       |  Linux Router  |
>                       |           
> eth0|------------Rest of the network
>                       |                |
>    -----------        |                |
>    - System2 ---------|eth2            |
>    -----------        ------------------
> 
> I also have an address I can use for eth0 which will
> make the router 
> visible from machines on the rest of the network. 
> This can be set as 
> the default gateway for connections to the
> 172.26.158.* subnet.
> 
> I would like PCs on the normal network to be able to
> connect with either 
> system by addressing them with addresses off the
> 172.26.158 subnet. 
> I'll assign 30 of these IPs to each system.
> 
> For example. 172.26.158.10 might be mapped onto
> 192.168.0.2 on eth1
> whilst  172.26.158.50 might be mapped onto
> 192.168.0.2 on eth2
> 
> Is this at all possible?  I assume I'll need to use
> at least DNAT but 
> also apply some other trickery to route to the
> correct interface.  As a 
> newbie to IPTables, I'm not sure how I might even
> begin to set up rules 
> for this.

  I guess what you basically need to do is DNAT, as
you got it. In addition you also need a way to
distinguish packets to the two subnets. Since at eth2,
by the IP you know where that packet is destined, you
could use the MARK target to mark the packets
appropriately. Later on, you could use this mark and
appropriately force route the packets to the
appropriate interfaces using the ROUTE target.

  I guess this should work, though I may be totally
wrong.. being pretty new to iptables myself.

> 
> Hopefully this is the sort of thing people want to
> do all the time and 
> it will be easy :)
> 
> Any help would be very much appreciated.


=====
Regards,
Kiran Kumar Immidi


	
		
__________________________________
Do you Yahoo!?
Yahoo! Photos: High-quality 4x6 digital prints for 25¢
http://photos.yahoo.com/ph/print_splash

Re: Is this possible?

[Antony Stone]

On Thursday 22 April 2004 12:30 pm, Fisher Alex wrote:

> Hi.
>
> I'll do my best to explain what I'm trying to acheive with a linux box
> and 3 NICS.
>
> I have two sets of systems.  Each system has about 30 IP addresses
> spread across various bits of hardware.  The two systems are identical
> (ie have the same 30 IP addresses).  The addresses are all part of the
> class C subnet 192.168.0.*
>
> The IP addresses for each system are now set in stone and can't be
> changed.  Furthermore, similar addresses are already in use on our network.
>
> I would like PCs on the normal network to be able to connect with either
> system by addressing them with addresses off the 172.26.158 subnet.
> I'll assign 30 of these IPs to each system.
>
> For example. 172.26.158.10 might be mapped onto 192.168.0.2 on eth1
> whilst  172.26.158.50 might be mapped onto 192.168.0.2 on eth2
>
> Is this at all possible?  I assume I'll need to use at least DNAT but
> also apply some other trickery to route to the correct interface.  As a
> newbie to IPTables, I'm not sure how I might even begin to set up rules
> for this.

This is not really a netfilter question - sure, you need to use DNAT, but once 
your routing (to get to the correct destination system) is working, the 
netfilter bit is simple.

I cannot resist challenging your statement "The IP addresses for each system 
are now set in stone and can't be changed", since setting up sensibly 
separate subnets with independent network addresses would be the "correct" 
solution to this problem.

However, if someone is adamant that you need to set up network connectivity 
between machines with such an unfriendly combination of IP addresses, I 
suggest you simply set up multiple host-specific routes on the netflter 
machine, telling it where to find each different 192.168.0.* destination 
address, and don't have a standard 192.168.0.0/24 route on that system.

Therefore, set up the routing so that the firewall machine can find each 
required destination IP, and then netfilter will go on top without a problem.

Regards,

Antony.

-- 
How I want a drink, alcoholic of course, after the heavy chapters involving 
quantum mechanics.

 - 3.14159265358979

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Is this possible?

[David Cannings]

On Thursday 22 April 2004 13:12, Antony Stone wrote:
> On Thursday 22 April 2004 12:30 pm, Fisher Alex wrote:
> > I have two sets of systems.  Each system has about 30 IP addresses
> > spread across various bits of hardware.  The two systems are
> > identical (ie have the same 30 IP addresses).  The addresses are all
> > part of the class C subnet 192.168.0.*
> However, if someone is adamant that you need to set up network
> connectivity between machines with such an unfriendly combination of IP
> addresses, I suggest you simply set up multiple host-specific routes on
> the netflter machine, telling it where to find each different
> 192.168.0.* destination address, and don't have a standard
> 192.168.0.0/24 route on that system.

From what I understand of the question both system 1 and system 2 have the 
same pool of 192.168.x.x addresses, such as in a failover setup.  Surely 
then this still would not work, as each would have two host-specific 
routes and the kernel chooses the first one it gets to in the routing 
table.  That's not a netfilter issue though, it's a routing one and what 
to do would depend on whether you want fail over, load balancing across 
the two systems, etc.  Whether or not that's the right way to go about 
doing it, I don't know.

David

Re: Is this possible?

[Antony Stone]

On Thursday 22 April 2004 1:24 pm, David Cannings wrote:

> On Thursday 22 April 2004 13:12, Antony Stone wrote:
> > On Thursday 22 April 2004 12:30 pm, Fisher Alex wrote:
> > > I have two sets of systems.  Each system has about 30 IP addresses
> > > spread across various bits of hardware.  The two systems are
> > > identical (ie have the same 30 IP addresses).  The addresses are all
> > > part of the class C subnet 192.168.0.*
> >
> > However, if someone is adamant that you need to set up network
> > connectivity between machines with such an unfriendly combination of IP
> > addresses, I suggest you simply set up multiple host-specific routes on
> > the netflter machine, telling it where to find each different
> > 192.168.0.* destination address, and don't have a standard
> > 192.168.0.0/24 route on that system.
>
> From what I understand of the question both system 1 and system 2 have the
> same pool of 192.168.x.x addresses, such as in a failover setup.  Surely
> then this still would not work, as each would have two host-specific
> routes and the kernel chooses the first one it gets to in the routing
> table.

Hm, yes, on closer reading of Alex's specification, I think you might be 
right, in which case simple routing is not what he needs.  (Indeed, Alex's 
latest posting which I've just seen confirms this).

I suspect something along the lines of the Linux Virtual Server is more 
appropriate. http://www.linuxvirtualserver.org

However, the fact that *both* sets of backend systems are using exactly the 
same IP addresses is still going to remain a horrible problem.

> That's not a netfilter issue though, it's a routing one and what
> to do would depend on whether you want fail over, load balancing across
> the two systems, etc.  Whether or not that's the right way to go about
> doing it, I don't know.

I think you're right on all counts here:
1. It's not a netfilter problem
2. whether failover or loadbalancing is required makes a difference to the 
solution
3. whether this is the right way to go about it is questionable

Regards,

Antony.

-- 
Programming is a Dark Art, and it will always be. The programmer is
fighting against the two most destructive forces in the universe:
entropy and human stupidity. They're not things you can always
overcome with a "methodology" or on a schedule.

 - Damian Conway, Perl God

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Is this possible?

[T. Horsnell (tsh)]

>Hi.
>
>I'll do my best to explain what I'm trying to acheive with a linux box 
>and 3 NICS.
>
>I have two sets of systems.  Each system has about 30 IP addresses 
>spread across various bits of hardware.  The two systems are identical 
>(ie have the same 30 IP addresses).  The addresses are all part of the 
>class C subnet 192.168.0.*
>
>The IP addresses for each system are now set in stone and can't be 
>changed.  Furthermore, similar addresses are already in use on our network.
>
>I've been given a set of IP addresses I CAN use (172.26.158.*)
>
>A diagram might help here ...
>
>   -----------        -----------------
>   - System1 ---------|eth1            |
>   -----------        |                |
>                      |  Linux Router  |
>                      |            eth0|------------Rest of the network
>                      |                |
>   -----------        |                |
>   - System2 ---------|eth2            |
>   -----------        ------------------
>
>I also have an address I can use for eth0 which will make the router 
>visible from machines on the rest of the network.  This can be set as 
>the default gateway for connections to the 172.26.158.* subnet.
>
>I would like PCs on the normal network to be able to connect with either 
>system by addressing them with addresses off the 172.26.158 subnet. 
>I'll assign 30 of these IPs to each system.
>
>For example. 172.26.158.10 might be mapped onto 192.168.0.2 on eth1
>whilst  172.26.158.50 might be mapped onto 192.168.0.2 on eth2
>

I've always regarded netfilter as a symmetric thing, so is it possible to 

1. apply a set of S/DNAT rules specifically to
   eth1 to map system1's 192 addresses to something else, 
2. add a route to enable these new addresses to reach eth0
3. add appropriate rules to the FORWARD chain for those NAT'd addresses
   if required
4. add a suitable set of S/DNAT rules specifically for eth0
   to S/DNAT those new addresses to a unique subset of 172 addresses
5. Do the same stuff for eth2 but 1. would not be necessary


Cheers,
Terry.

Re: Is this possible?

[Edmundo Carmona]

I sent the email to vger.rutgers.edu and bounced back. Let's see if
this one goes through this time.

On 5/2/05, Edmundo Carmona <eantoranz@gmail.com> wrote:
> Hello, Guys!
> 
> I'm a very satisfied linux user (for some years already). :D
> 
> There was a problem with a Raid controller at the office. One raid-5
> hasn't worked since an accidental power down there was some days ago.
> 
> After the IT department (which, by the way, is made by Microsoft
> lovers) gave up on it, they gave me one oportunity to work with it to
> see if I could get the data from the storage device.
> 
> The device is a netraid-4m from HP.
> 
> I was able to get knoppix to probe it with the aacraid module.
> However, right after modprobing, I get read/write errors in dmesg.
> 
> There is no faulty disk (according to the light panel of the netraid).
> 
> I've been wondering if it would be possible to get images of all the
> (separated, of course) disks that make the array, get them to a linux
> box and try to have the array come back to live throught a software
> array.
> 
> Please, tell me if there's a (at least theoretical ;)) possibility to
> get this done... and (as I'm a rookie with raid), tell me the
> guidelines to get it done.
> 
> I appreciate your help!
> 
> Thanks!
>

RE: Is this possible?

[Guy]

I don't know, but have you contacted HP?

> -----Original Message-----
> From: linux-raid-owner@vger.kernel.org [mailto:linux-raid-
> owner@vger.kernel.org] On Behalf Of Edmundo Carmona
> Sent: Monday, May 02, 2005 3:18 PM
> To: linux-raid@vger.kernel.org
> Subject: Re: Is this possible?
> 
> I sent the email to vger.rutgers.edu and bounced back. Let's see if
> this one goes through this time.
> 
> On 5/2/05, Edmundo Carmona <eantoranz@gmail.com> wrote:
> > Hello, Guys!
> >
> > I'm a very satisfied linux user (for some years already). :D
> >
> > There was a problem with a Raid controller at the office. One raid-5
> > hasn't worked since an accidental power down there was some days ago.
> >
> > After the IT department (which, by the way, is made by Microsoft
> > lovers) gave up on it, they gave me one oportunity to work with it to
> > see if I could get the data from the storage device.
> >
> > The device is a netraid-4m from HP.
> >
> > I was able to get knoppix to probe it with the aacraid module.
> > However, right after modprobing, I get read/write errors in dmesg.
> >
> > There is no faulty disk (according to the light panel of the netraid).
> >
> > I've been wondering if it would be possible to get images of all the
> > (separated, of course) disks that make the array, get them to a linux
> > box and try to have the array come back to live throught a software
> > array.
> >
> > Please, tell me if there's a (at least theoretical ;)) possibility to
> > get this done... and (as I'm a rookie with raid), tell me the
> > guidelines to get it done.
> >
> > I appreciate your help!
> >
> > Thanks!
> >
> -
> To unsubscribe from this list: send the line "unsubscribe linux-raid" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Is this possible?

[Michael Thompson]

I have a issue where I cannot connect to my server because the firewall 
only allows ports 80 and 443 out.

I previously ran SSH on port 443 to overcome this, but I have had to 
implement a HTTPS solution for users who wanted secure access, so that 
is now gone.

This system has DNS records for ssh.server.co.uk and www.server.co.uk, 
so can I use IPTables or similar to recognise if it is being connected 
to via ssh.server.co.uk on port 443 and forward the traffic to port 22? 
If www.server.co.uk:443 is used apache gets the traffic? Or is this (As 
I suspect) Impossible?

Re: Is this possible?

[Jose Maria Lopez Hernandez]

El vie, 11-02-2005 a las 16:06 +0000, Michael Thompson escribió:
> I have a issue where I cannot connect to my server because the firewall 
> only allows ports 80 and 443 out.
> 
> I previously ran SSH on port 443 to overcome this, but I have had to 
> implement a HTTPS solution for users who wanted secure access, so that 
> is now gone.
> 
> This system has DNS records for ssh.server.co.uk and www.server.co.uk, 
> so can I use IPTables or similar to recognise if it is being connected 
> to via ssh.server.co.uk on port 443 and forward the traffic to port 22? 
> If www.server.co.uk:443 is used apache gets the traffic? Or is this (As 
> I suspect) Impossible?

I think the DNS trick it's impossible.
You should ask the administrator to open you the ssh port, if he
let you use the 443 to run sshd then why he doesn't let you do the
same in port 22/tcp or at least any other port he has open in his
firewall.

Regards.

-- 

Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"

Re: Is this possible?

[Andrew Schulman]

> I have a issue where I cannot connect to my server because the 
firewall 
> only allows ports 80 and 443 out.
> 
> I previously ran SSH on port 443 to overcome this, but I have had to 
> implement a HTTPS solution for users who wanted secure access, so that 
> is now gone.
> 
> This system has DNS records for ssh.server.co.uk and www.server.co.uk, 
> so can I use IPTables or similar to recognise if it is being connected 
> to via ssh.server.co.uk on port 443 and forward the traffic to port 22? 
> If www.server.co.uk:443 is used apache gets the traffic? Or is this (As 
> I suspect) Impossible?

I don't think that's possible, because the address resolution happens on 
the client side.  Both names are resolved to your one IP address before 
you ever see any packets.

One option would be to get a second IP address.  Another would be to get 
the client admins to open an outgoing port in their firewall, as Jose 
suggests.

A third possibility would be to direct both sets of traffic to port 443, 
and use application-level filtering to distinguish them.  See for 
example 
http://l7-filter.sourceforge.net/.  I see that they have a pattern for 
recognizing SSH, that's supposed to work well.  They don't have one for 
HTTPS, but you could either assume that as the default for non-SSH 
traffic, or maybe write your own pattern.

Good luck,
Andrew.

RE: Is this possible?

[Alex Samad]

If your firewall is using a proxy to allow this access, most default to
allow 563 nntps as well, run your ssh server on that port

Alex

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Andrew Schulman
Sent: Tuesday, 15 February 2005 3:54 AM
To: netfilter@lists.netfilter.org
Subject: Re: Is this possible?

> I have a issue where I cannot connect to my server because the 
firewall 
> only allows ports 80 and 443 out.
> 
> I previously ran SSH on port 443 to overcome this, but I have had to 
> implement a HTTPS solution for users who wanted secure access, so that 
> is now gone.
> 
> This system has DNS records for ssh.server.co.uk and www.server.co.uk, 
> so can I use IPTables or similar to recognise if it is being connected 
> to via ssh.server.co.uk on port 443 and forward the traffic to port 22? 
> If www.server.co.uk:443 is used apache gets the traffic? Or is this (As 
> I suspect) Impossible?

I don't think that's possible, because the address resolution happens on 
the client side.  Both names are resolved to your one IP address before 
you ever see any packets.

One option would be to get a second IP address.  Another would be to get 
the client admins to open an outgoing port in their firewall, as Jose 
suggests.

A third possibility would be to direct both sets of traffic to port 443, 
and use application-level filtering to distinguish them.  See for 
example 
http://l7-filter.sourceforge.net/.  I see that they have a pattern for 
recognizing SSH, that's supposed to work well.  They don't have one for 
HTTPS, but you could either assume that as the default for non-SSH 
traffic, or maybe write your own pattern.

Good luck,
Andrew.

RE: Is this possible?

[Michael Thompson]

[-- Attachment #1: Type: text/plain, Size: 741 bytes --]

Quoting Alex Samad <Alex@Samad.com.au>:

> If your firewall is using a proxy to allow this access, most default to
> allow 563 nntps as well, run your ssh server on that port
>
> Alex
>

<Snip>

Thanks for all your suggestions I solved it by adding a aliase to the Internet
NIC and slapping a unused IP onto it. Then I run a portforward from there to
port 22 on the system.

That way I still have HTTPS and can access 443 on a different IP, and they all
lived happily ever after.


Works well.


-- 

Mike

----------------------------------------------------------------
This message was sent for a thompsonmike.co.uk address, and may
not reflect the views or opinions of the Network owner. All Views
and Opinions are those of the author.


[-- Attachment #2: PGP Public Key --]
[-- Type: application/pgp-keys, Size: 1682 bytes --]

Re: Is this possible?

[T. Horsnell (tsh)]

>>>Hi.
>>>
>>>I'll do my best to explain what I'm trying to acheive with a linux box 
>>>and 3 NICS.
>>>
>>>I have two sets of systems.  Each system has about 30 IP addresses 
>>>spread across various bits of hardware.  The two systems are identical 
>>>(ie have the same 30 IP addresses).  The addresses are all part of the 
>>>class C subnet 192.168.0.*
>>>
>>>The IP addresses for each system are now set in stone and can't be 
>>>changed.  Furthermore, similar addresses are already in use on our
>network.
>>>
>>>I've been given a set of IP addresses I CAN use (172.26.158.*)
>>>
>>>A diagram might help here ...
>>>
>>>  -----------        -----------------
>>>  - System1 ---------|eth1            |
>>>  -----------        |                |
>>>                     |  Linux Router  |
>>>                     |            eth0|------------Rest of the network
>>>                     |                |
>>>  -----------        |                |
>>>  - System2 ---------|eth2            |
>>>  -----------        ------------------
>>>
>>>I also have an address I can use for eth0 which will make the router 
>>>visible from machines on the rest of the network.  This can be set as 
>>>the default gateway for connections to the 172.26.158.* subnet.
>>>
>>>I would like PCs on the normal network to be able to connect with either 
>>>system by addressing them with addresses off the 172.26.158 subnet. 
>>>I'll assign 30 of these IPs to each system.
>>>
>>>For example. 172.26.158.10 might be mapped onto 192.168.0.2 on eth1
>>>whilst  172.26.158.50 might be mapped onto 192.168.0.2 on eth2
>>>
>> 
>> 
>> I've always regarded netfilter as a symmetric thing, so is it possible to 
>> 
>> 1. apply a set of S/DNAT rules specifically to
>>    eth1 to map system1's 192 addresses to something else, 
>> 2. add a route to enable these new addresses to reach eth0
>> 3. add appropriate rules to the FORWARD chain for those NAT'd addresses
>>    if required
>> 4. add a suitable set of S/DNAT rules specifically for eth0
>>    to S/DNAT those new addresses to a unique subset of 172 addresses
>> 5. Do the same stuff for eth2 but 1. would not be necessary
>> 
>> 
>> Cheers,
>> Terry.
>
>Thanks for your help here.  Whilst it differs from what other people 
>have suggested, what you've said seems to make good sense.  Some 
>examples would really help me out.  For instance, is it just DNAT I'm 
>doing in 1 and 4 or do I also need to use SNAT?  I take it that 3. is 
>optional and only required if I require extra filtering/firewalling.
>
>How does this look?
>
>iptables -t nat -A PREROUTING -d 192.168.152.2 -o eth1 DNAT --to  193.168.152.2
>
>ip route add 193.168.152.0/24 dev eth1
>
>iptables -t nat -A PREROUTING -d 172.26.158.2 -o eth0 DNAT --to  193.168.152.2
>
>ip route add 192.168.152.0/24 dev eth2
>
>iptables -t nat -A PREROUTING -d 172.26.158.130 -o eth0 DNAT --to  192.168.152.2
>
>ip route add default dev eth0 via 192.168.152.1
>

Ah. I didnt read your first query carefully enough. Are you really
wanting to  map each 192 subnet into a unique bit of 172
address space so that you dont have to make any config changes
to machines in 172 in order for them to access 192-space? I dont know if
this is possible. It implies that eth0 would have to respond to the whole
bunch of 172 ip addresses which you had reserved for your 192 nets, and
would also have to know that those packets were not intended for *it*,
but had to be forwarded on somewhere else. How would this be achieved?
It sounds like some sort of NAT'ing bridge, which is beyond my experience.
Maybe static entries in eth0's arp tables...


What I was suggesting is something that would map one of your 192 subnets
into a different bit of 192 space (so that the two 192 nets were
distinguishable), but that machines in 172 would still reference the 192
machines by their 192 addresses (a different set in the case of eth2, say).
This would require config'ing a static route in every machine in 172
which wanted to talk to the 192 boxes. Before carrying on, is this acceptable?

Cheers,
Terry.

Re: Is this possible?

[Fisher Alex]

T. Horsnell (tsh) wrote:
>>Hi.
>>
>>I'll do my best to explain what I'm trying to acheive with a linux box 
>>and 3 NICS.
>>
>>I have two sets of systems.  Each system has about 30 IP addresses 
>>spread across various bits of hardware.  The two systems are identical 
>>(ie have the same 30 IP addresses).  The addresses are all part of the 
>>class C subnet 192.168.0.*
>>
>>The IP addresses for each system are now set in stone and can't be 
>>changed.  Furthermore, similar addresses are already in use on our
network.
>>
>>I've been given a set of IP addresses I CAN use (172.26.158.*)
>>
>>A diagram might help here ...
>>
>>  -----------        -----------------
>>  - System1 ---------|eth1            |
>>  -----------        |                |
>>                     |  Linux Router  |
>>                     |            eth0|------------Rest of the network
>>                     |                |
>>  -----------        |                |
>>  - System2 ---------|eth2            |
>>  -----------        ------------------
>>
>>I also have an address I can use for eth0 which will make the router 
>>visible from machines on the rest of the network.  This can be set as 
>>the default gateway for connections to the 172.26.158.* subnet.
>>
>>I would like PCs on the normal network to be able to connect with either 
>>system by addressing them with addresses off the 172.26.158 subnet. 
>>I'll assign 30 of these IPs to each system.
>>
>>For example. 172.26.158.10 might be mapped onto 192.168.0.2 on eth1
>>whilst  172.26.158.50 might be mapped onto 192.168.0.2 on eth2
>>
> 
> 
> I've always regarded netfilter as a symmetric thing, so is it possible to 
> 
> 1. apply a set of S/DNAT rules specifically to
>    eth1 to map system1's 192 addresses to something else, 
> 2. add a route to enable these new addresses to reach eth0
> 3. add appropriate rules to the FORWARD chain for those NAT'd addresses
>    if required
> 4. add a suitable set of S/DNAT rules specifically for eth0
>    to S/DNAT those new addresses to a unique subset of 172 addresses
> 5. Do the same stuff for eth2 but 1. would not be necessary
> 
> 
> Cheers,
> Terry.

Thanks for your help here.  Whilst it differs from what other people 
have suggested, what you've said seems to make good sense.  Some 
examples would really help me out.  For instance, is it just DNAT I'm 
doing in 1 and 4 or do I also need to use SNAT?  I take it that 3. is 
optional and only required if I require extra filtering/firewalling.

How does this look?

iptables -t nat -A PREROUTING -d 192.168.152.2 -o eth1 DNAT --to 
193.168.152.2

ip route add 193.168.152.0/24 dev eth1

iptables -t nat -A PREROUTING -d 172.26.158.2 -o eth0 DNAT --to 
193.168.152.2

ip route add 192.168.152.0/24 dev eth2

iptables -t nat -A PREROUTING -d 172.26.158.130 -o eth0 DNAT --to 
192.168.152.2

ip route add default dev eth0 via 192.168.152.1

Thanks,
Alex
This email and any attachments are confidential to the intended recipient
and may also be privileged. If you are not the intended recipient please
delete it from your system and notify Thales Underwater Systems on +44 1963
370 551. You should not copy it or use it for any purpose nor disclose or
distribute its contents to any other person.

Re: Is this possible?

[Fisher Alex]

Antony Stone wrote:
> On Thursday 22 April 2004 1:36 pm, Fisher Alex wrote:
> 
> 
>>>However, if someone is adamant that you need to set up network
>>
>>connectivity
>>
>>
>>>between machines with such an unfriendly combination of IP addresses, I
>>>suggest you simply set up multiple host-specific routes on the netflter
>>>machine, telling it where to find each different 192.168.0.* destination
>>>address, and don't have a standard 192.168.0.0/24 route on that system.
>>
>>Unfortunately, this is exactly what I can't do :(  This is because there
>>are two of each 192.168.0.* IP address.  The original destination IP
>>address has to taken into account when determining whether packets route
>>through eth1 or eth2.
> 
> 
> Have you considered using two netfilter boxes, one DNATting from 
> 172.26.158.1-30 to 192.168.0.1-30 (network A), and the other DNATting from

> 172.26.158.31-60 to 192.168.0.1-30 (network B)?
> 
> Regards,
> 
> Antony
> 

Its just crossing my mind now :)

I've got 'use netfilter MARK value as routing key' switched on in the 
kernel, so I think I'll give it a go before quitting and finding a 2nd box.

Al
This email and any attachments are confidential to the intended recipient
and may also be privileged. If you are not the intended recipient please
delete it from your system and notify Thales Underwater Systems on +44 1963
370 551. You should not copy it or use it for any purpose nor disclose or
distribute its contents to any other person.

Re: Is this possible?

[Fisher Alex]

> However, if someone is adamant that you need to set up network
connectivity 
> between machines with such an unfriendly combination of IP addresses, I 
> suggest you simply set up multiple host-specific routes on the netflter 
> machine, telling it where to find each different 192.168.0.* destination 
> address, and don't have a standard 192.168.0.0/24 route on that system.

Unfortunately, this is exactly what I can't do :(  This is because there 
are two of each 192.168.0.* IP address.  The original destination IP 
address has to taken into account when determining whether packets route 
through eth1 or eth2.

I like the idea of MARKing the packets before they are routed.  DNATing 
them and then routing based on how they were previously MARKed.  As I 
get more comfortable with this (assuming nobody claims I'm trying to do 
the impossible), I'll try and put together some rules I might use to 
accomplish this.

Al
This email and any attachments are confidential to the intended recipient
and may also be privileged. If you are not the intended recipient please
delete it from your system and notify Thales Underwater Systems on +44 1963
370 551. You should not copy it or use it for any purpose nor disclose or
distribute its contents to any other person.

Re: Is this possible?

[Antony Stone]

On Thursday 22 April 2004 1:36 pm, Fisher Alex wrote:

> > However, if someone is adamant that you need to set up network
>
> connectivity
>
> > between machines with such an unfriendly combination of IP addresses, I
> > suggest you simply set up multiple host-specific routes on the netflter
> > machine, telling it where to find each different 192.168.0.* destination
> > address, and don't have a standard 192.168.0.0/24 route on that system.
>
> Unfortunately, this is exactly what I can't do :(  This is because there
> are two of each 192.168.0.* IP address.  The original destination IP
> address has to taken into account when determining whether packets route
> through eth1 or eth2.

Have you considered using two netfilter boxes, one DNATting from 
172.26.158.1-30 to 192.168.0.1-30 (network A), and the other DNATting from 
172.26.158.31-60 to 192.168.0.1-30 (network B)?

Regards,

Antony

-- 
What is this talk of "software release"?
Our software evolves and matures until it is capable of escape, leaving a 
bloody trail of designers and quality assurance people in its wake.

                                                     Please reply to the list;
                                                           please don't CC me.

is this possible ?

[Syed Faisal Gillani]

is it possible in iptables to FW a port traffic (eg 80) to an internal =
ipaddress of a webserver ?

Syed Faisal Gillani
ClickOnline Networks
http://clickonlinenetworks.com

E-mail powered by ClickOnline Networks

Re: is this possible ?

[Frederic de Villamil]

On Sun, 11 Apr 2004, Syed Faisal Gillani wrote:

> is it possible in iptables to FW a port traffic (eg 80) to an internal =
> ipaddress of a webserver ?

Hi,
it's called NAT (network address translation).

iptables -t nat -A PREROUTING -p tcp -d your.external.addy --dport 80 -j DNAT --to your.local.addy:80

Maybe you should have a look at
http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html

regards
Frederic
--
< Ylli> lol je rigole neuro jte prend pa pr un pervers ms un president
et pere de famille respectable :s
http://www.seclab.jp

is this possible ?

[Admin]

is it possible in iptables to FW a port traffic (eg 80) to an internal =
ipaddress of a webserver ?

Syed Faisal Gillani

ClickOnline Networks
http://clickonlinenetworks.com

E-mail powered by ClickOnline Networks