Using iptables on a single NIC to map old IP addresses onto new.

Using iptables on a single NIC to map old IP addresses onto new.

[Yermo Lamers]

On Fri, 20 Jan 2006, Yermo Lamers wrote:

 >> That was my first thought. I bound a.a.a.2 and b.b.b.2 to the same > 
box.
 >> I obviously have two pipes. If I set the default route on the box to the
 >> a.a.a.1 router I can ping a.a.a.2 from the outside but not b.b.b.2. If I
 >> switch to the b.b.b.1 router the opposite happens.

 >> I would have expected packets to come down either pipe and go out
 >> whichever one happens to be the default gateway.
 >
 >It could be that both your ISPs are using source address spoofing
 >filters (as they should, of course). That is, the router a.a.a.1
 >will only accept traffic with source address a.a.a.2 and the rest
 >(including ping replies from b.b.b.2) get dropped.

Yea, that's what I think is going on. I was checking the iproute2 site 
to see if I could come up with something fancy but the kernel on this 
box doesn't have the advanced routing enabled.

So the question is can I set up a box on the network, bind IP addresses 
to it and then forward those connections onto another box for both TCP 
and UDP akin to the way rinetd works?

i.e.

a.a.a.1 port 80 gets forwarded to b.b.b.1 80
a.a.a.2 port 80 gets forwarded to b.b.b.2 80

So I'm fowarding packets despite the fact that I'm not using a "router" 
per se. I want to forward packets for connections to the local box like 
rinetd does.

Can that be done using iptables or is there another approach to this 
problem? (Like rewriting the from address depending on which pipe the 
packet came from)

-- Yermo

Sorry about breaking the replies. I'm using the archive to reply to 
these and the link isn't keeping the thread info for some reason.


-- 
---------------------------------------------------------------------
DTLink Software                                 http://www.dtlink.com
              Internet Business Systems and Software
---------------------------------------------------------------------

RE: Using iptables on a single NIC to map old IP addresses onto new.

[Rob Sterenborg]

>>> I would have expected packets to come down either pipe and go out
>>> whichever one happens to be the default gateway.
>>
>>It could be that both your ISPs are using source address spoofing
>>filters (as they should, of course). That is, the router a.a.a.1
>>will only accept traffic with source address a.a.a.2 and the rest
>>(including ping replies from b.b.b.2) get dropped.
> 
> Yea, that's what I think is going on. I was checking the
> iproute2 site to see if I could come up with something fancy but
> the kernel on this box doesn't have the advanced routing enabled.

Hmm. Wouldn't this be solved by adding another NIC and configure the new
IP on it ? That should be less work than install/configure a new Linux
box to do this forwarding.

> So the question is can I set up a box on the network, bind IP
> addresses to it and then forward those connections onto another box
> for both TCP and UDP akin to the way rinetd works?
> 
> i.e.
> 
> a.a.a.1 port 80 gets forwarded to b.b.b.1 80
> a.a.a.2 port 80 gets forwarded to b.b.b.2 80

Sure.

> So I'm fowarding packets despite the fact that I'm not using
> a "router" per se. I want to forward packets for connections to
> the local box like rinetd does.
> 
> Can that be done using iptables or is there another approach to this
> problem? (Like rewriting the from address depending on which pipe the
> packet came from) 

On the box, use rules like :

$ipt -P FORWARD DROP

$ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -m state --state NEW -d b.b.b.1 -p tcp --dport 80 \
  -j ACCEPT
$ipt -A FORWARD -m state --state NEW -d b.b.b.2 -p tcp --dport 80 \
  -j ACCEPT

$ipt -t nat -A PREROUTING -d a.a.a.1 -p tcp --dport 80 \
  -j DNAT --to b.b.b.1
$ipt -t nat -A PREROUTING -d a.a.a.2 -p tcp --dport 80 \
  -j DNAT --to b.b.b.2


Gr,
Rob

Using iptables on a single NIC to map old IP addresses onto new.

[Yermo Lamers]

>> I want to map all ports on a.a.a.2 to b.b.b.2 and all ports
>> on a.a.a.3 to
>> b.b.b.3
>>
>> Can something like this be done using iptables if I only
>> have 1 NIC card and I do not have a physically separate
>> subnet?
>
> Why not use "ifconfig" (or "ip addr") to add multiple IP addresses (old
> and new) to the NIC ?
> Then, when the transition is complete, you just remove the old
> addresses.

That was my first thought. I bound a.a.a.2 and b.b.b.2 to the same box.
I obviously have two pipes. If I set the default route on the box to the
a.a.a.1 router I can ping a.a.a.2 from the outside but not b.b.b.2. If I
switch to the b.b.b.1 router the opposite happens.

arp cache has entries for both routers. I can ping both routers from the 
box in question.

I would have expected packets to come down either pipe and go out
whichever one happens to be the default gateway.

I've been assuming either it's some issue on the routers themselves or 
there is some issue with the 2.2 kernel and binding IPs from separate 
networks (old machine which I can't take down yet.) but it's been alot 
of long hours and little sleep so maybe I'm missing something stupidly 
obvious.


-- 
---------------------------------------------------------------------
DTLink Software                                 http://www.dtlink.com
              Internet Business Systems and Software
---------------------------------------------------------------------

Re: Using iptables on a single NIC to map old IP addresses onto new.

[Ville Mattila]

[-- Attachment #1: Type: text/plain, Size: 951 bytes --]

	Terve,


On Fri, 20 Jan 2006, Yermo Lamers wrote:

> That was my first thought. I bound a.a.a.2 and b.b.b.2 to the same box.
> I obviously have two pipes. If I set the default route on the box to the
> a.a.a.1 router I can ping a.a.a.2 from the outside but not b.b.b.2. If I
> switch to the b.b.b.1 router the opposite happens.

> I would have expected packets to come down either pipe and go out
> whichever one happens to be the default gateway.

	It could be that both your ISPs are using source address spoofing
	filters (as they should, of course). That is, the router a.a.a.1
	will only accept traffic with source address a.a.a.2 and the rest
	(including ping replies from b.b.b.2) get dropped.


	Ville

-- 
Ville Mattila, System Support Specialist, Funet network, CSC
PO Box 405, FIN-02101 Espoo, Finland, fax +385 9 457 2302
CSC is the Finnish IT Center for Science, http://www.csc.fi/, email:
ville.mattila@csc.fi

[-- Attachment #2: Type: application/pgp-signature, Size: 155 bytes --]

Using iptables on a single NIC to map old IP addresses onto new.

[Yermo Lamers]

I've got an old pipe connected to a couple of public servers. That pipe is
going dark.

I've got a new pipe from a new provider with a block of new IP addresses.

I'm trying to transition to the new IP block without shutting down the old
so I can have both up while the DNS changes propagate.

My thought is to set up a forwarder box using iptables to port forward the
old IP's to the new IP's.

Consider old network a.a.a.0 and new network b.b.b.0

I want to map all ports on a.a.a.2 to b.b.b.2 and all ports on a.a.a.3 to
b.b.b.3

Can something like this be done using iptables if I only have 1 NIC card
and I do not have a physically separate subnet?

----------------------------------------------------------------------------
DTLink Software                                 http://www.dtlink.com
              Internet Business Systems and Software
----------------------------------------------------------------------------

RE: Using iptables on a single NIC to map old IP addresses onto new.

[Rob Sterenborg]

> I've got an old pipe connected to a couple of public servers.
> That pipe is going dark.
> 
> I've got a new pipe from a new provider with a block of new
> IP addresses.
> 
> I'm trying to transition to the new IP block without shutting
> down the old so I can have both up while the DNS changes
> propagate.
> 
> My thought is to set up a forwarder box using iptables to
> port forward the old IP's to the new IP's.
> 
> Consider old network a.a.a.0 and new network b.b.b.0
> 
> I want to map all ports on a.a.a.2 to b.b.b.2 and all ports
> on a.a.a.3 to
> b.b.b.3
> 
> Can something like this be done using iptables if I only
> have 1 NIC card and I do not have a physically separate
> subnet?

Why not use "ifconfig" (or "ip addr") to add multiple IP addresses (old
and new) to the NIC ?
Then, when the transition is complete, you just remove the old
addresses.


Gr,
Rob