* Per-client routing, plus masquerading -- possible?
From: Jeremy Elson @ 2006-03-23 3:10 UTC (permalink / raw)
To: netfilter
[ Oops, sent this to netfilter-devel before I realized this list
existed. D'oh! ]
Hi,
I'm trying to set up a Linux box as a NATting router. But here's the
trick: my box's external interface is on a LAN that has a whole bunch
of next-hop routers on it, any of which can be used to access the
Internet. I'm trying to figure out how to configure iptables so that
the NAT box selects the router to use based on client IP address
(i.e., the IP address on the inside interface).
In other words -- I'd like ipfilter to keep the destination IP address
unchanged, but select a next-hop destination (e.g., by changing the
destination MAC address) based on the source IP. And, on top of all
this, mangle the source address according to normal masquerading.
I've been tinkering with a command like this:
iptables -t nat -A POSTROUTING -i $INTERNAL_CLIENT_IP -o
external-iface0 -j SNAT --to $EXTERNAL_ROUTER_IP
...but it seems that --to controls the new source address given to the
packet (i.e., the router's outside-interface IP), and not the
destination to which the NATted packet is sent.
Could someone please point me in the right direction? Or is this not possible?
Thanks!
--Jeremy
* Re: Per-client routing, plus masquerading -- possible?
From: Menno Smits @ 2006-03-23 7:35 UTC (permalink / raw)
Cc: Netfilter Mailing list
Jeremy Elson wrote:
> I've been tinkering with a command like this:
>
> iptables -t nat -A POSTROUTING -i $INTERNAL_CLIENT_IP -o
> external-iface0 -j SNAT --to $EXTERNAL_ROUTER_IP
>
> ...but it seems that --to controls the new source address given to the
> packet (i.e., the router's outside-interface IP), and not the
> destination to which the NATted packet is sent.
This is correct. SNAT is not about routing packets; it's for changing
the source address of a packet.
> Could someone please point me in the right direction? Or is this not possible?
What you want to do is possible but you'll need to employ source policy
routing using the "ip" command. This isn't part of the netfilter
project. In simple terms, you need to set up routes for each client
IP/network and gateway you want to use.
The Linux Advanced Routing & Traffic Control HOWTO covers source policy
routing among other things. The routing policy database section should
get you on the right track: http://lartc.org/howto/lartc.rpdb.html
HTH,
Menno
* Re: Per-client routing, plus masquerading -- possible?
From: Jeremy Elson @ 2006-03-23 9:35 UTC (permalink / raw)
To: Menno Smits; +Cc: Netfilter Mailing list
On 3/22/06, Menno Smits <menno@netboxblue.com> wrote:
> > Could someone please point me in the right direction? Or is this not possible?
>
> What you want to do is possible but you'll need to employ source policy
> routing using the "ip" command.
Thank you; this worked beautifully!
I have one more quick question: is there some way to get iptables -L
to show full rules? It seems that there are some aspects of the rules
that exist but are not printed, such as the interface selected. In
other words: when I type a command like:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
... and then later check my work with iptables -t nat -L, it doesn't
show "tap0" anywhere. I actually mistyped this as "eth" (without the
0) -- the original iptables command did not give me an error
(non-existent interface!), and the -L command didn't show me the error
:-(.
But, overall it works great. Just for other people's reference: I
solved this using a combination of source policy routing using
iproute2 (the IP command), plus masquerading using iptables.
Specifically:
Step 1 -- Give my gateway an inside address (GW_INSIDE) and an outside
address (GW_OUTSIDE)
Step 2 -- Give an inside client, with ip CLIENT1_IP, a default router
of GW_INSIDE
Step 3 -- ip rule add from CLIENT_IP table CLIENT1 prio 100
(CLIENT1 is the name of a routing table added to /etc/iproute2/rt_tables)
Step 4 -- ip route replace default table CLIENT1 via DESIRED_GATEWAY
In this case DESIRED_GATEWAY is the IP of the gateway I want CLIENT1
to use -- one of the real internet routers that's on the same network
as GW_OUTSIDE.
This almost works, except that DESIRED_GATEWAY ends up receiving
packets that have CLIENT_IP as a source IP, and the gateway has never
heard of that network. So as the final piece, add masquerading using
iptables:
Step 5 -- iptables -t nat -A POSTROUTING -o outside0 -j MASQUERADE
where outside0 is the name of the outside interface, i.e. the one with
GW_OUTSIDE and DESIRED_GATEWAY on it.
Thanks.
Jeremy
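The five steps above as one script, added here as an illustration and not part of Jeremy's post. It uses numeric table ids on the ip command line instead of editing /etc/iproute2/rt_tables (ip accepts either), and adds the interface-existence check that iptables itself does not perform. Interface name, client and gateway addresses are constructed placeholders.

```shell
#!/bin/sh
# Per-client policy routing plus masquerading (added example, not from the thread).
# Assumed names: outside0 is the outside interface; the 192.0.2.x clients and
# 198.51.100.x next-hop routers are constructed placeholder addresses.
set -eu

OUTSIDE_IF="${OUTSIDE_IF:-outside0}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# iptables/ip accept rules for interfaces that do not exist (a typo like "eth"
# silently matches nothing), so check the name before building the config.
iface_exists() { [ -d "/sys/class/net/$1" ]; }

# pin_client CLIENT_IP TABLE_ID GATEWAY
#   Step 3: policy rule sending this client's traffic to its own table
#   Step 4: that table's only route is a default via the chosen router
pin_client() {
  run ip rule add from "$1" table "$2" prio 100
  run ip route replace default via "$3" dev "$OUTSIDE_IF" table "$2"
}

# Step 5: rewrite the source of everything leaving the outside interface, so
# the upstream routers never see the private client addresses.
masquerade() {
  run iptables -t nat -A POSTROUTING -o "$OUTSIDE_IF" -j MASQUERADE
}

# Verify a client is actually pinned: iptables -L never shows policy routes,
# "ip rule" does (one rule per line with -o).
check_rule() { ip -o rule show | grep -q "from $1 lookup $2"; }

# Apply the sample config only when invoked as "./script apply" (needs root).
case "${1:-}" in
  apply)
    iface_exists "$OUTSIDE_IF" || { echo "no such interface: $OUTSIDE_IF" >&2; exit 1; }
    pin_client 192.0.2.10 101 198.51.100.1   # client 1 -> first router
    pin_client 192.0.2.20 102 198.51.100.2   # client 2 -> second router
    masquerade
    ;;
esac
```

Run with DRY_RUN=1 first to review the exact ip and iptables commands before applying them.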
* Re: Per-client routing, plus masquerading -- possible?
From: Sven Schuster @ 2006-03-23 12:23 UTC (permalink / raw)
To: Jeremy Elson; +Cc: Netfilter Mailing list
Hi Jeremy,
On Thu, Mar 23, 2006 at 01:35:20AM -0800, Jeremy Elson told us:
> I have one more quick question: is there some way to get iptables -L
> to show full rules? It seems that there are some aspects of the rules
> that exist but are not printed, such as the interface selected. In
> other words: when I type a command like:
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
try
iptables -L -v
this will give you additional information about your rules!
> ... and then later check my work with iptables -t nat -L, it doesn't
> show "tap0" anywhere. I actually mistyped this as "eth" (without the
> 0) -- the original iptables command did not give me an error
> (non-existent interface!), and the -L command didn't show me the error
> :-(.
I don't think iptables checks if the interface exists on rule
insertion time. Which makes sense in my opinion, so you can add
rules e.g. for device ppp0 (or even all devices beginning with 'ppp'
as expressed by 'ppp+') before the specific device has been created.
hope that helps!!
have a nice day :-)
Sven
* Re: Per-client routing, plus masquerading -- possible?
From: Menno Smits @ 2006-03-27 6:13 UTC (permalink / raw)
To: Sven Schuster; +Cc: Netfilter Mailing list
Sven Schuster wrote:
> try
>
> iptables -L -v
>
> this will give you additional information about your rules!
Yep. -x and -n are also quite useful when viewing your configuration.
"man iptables" is your friend.
> I don't think iptables checks if the interface exists on rule
> insertion time. Which makes sense in my opinion, so you can add
> rules e.g. for device ppp0 (or even all devices beginning with 'ppp'
> as expressed by 'ppp+') before the specific device has been created.
Agreed. Being able to insert rules for non-existent interfaces is
definitely desirable and by design. It means rules can be in place
before an interface comes up or even exists. This is highly useful from
a security perspective and also provides flexibility about when you set
up your firewall.
Menno
* Re: Per-client routing, plus masquerading -- possible?
From: Steven M Campbell @ 2006-03-23 13:46 UTC (permalink / raw)
To: Jeremy Elson; +Cc: netfilter
Jeremy Elson wrote:
> [ Oops, sent this to netfilter-devel before I realized this list
> existed. D'oh! ]
>
>
> Hi,
>
> I'm trying to set up a Linux box as a NATting router. But here's the
> trick: my box's external interface is on a LAN that has a whole bunch
> of next-hop routers on it, any of which can be used to access the
> Internet. I'm trying to figure out how to configure iptables so that
> the NAT box selects the router to use based on client IP address
> (i.e., the IP address on the inside interface).
>
> In other words -- I'd like ipfilter to keep the destination IP address
> unchanged, but select a next-hop destination (e.g., by changing the
> destination MAC address) based on the source IP. And, on top of all
> this, mangle the source address according to normal masquerading.
>
> I've been tinkering with a command like this:
>
> iptables -t nat -A POSTROUTING -i $INTERNAL_CLIENT_IP -o
> external-iface0 -j SNAT --to $EXTERNAL_ROUTER_IP
>
> ...but it seems that --to controls the new source address given to the
> packet (i.e., the router's outside-interface IP), and not the
> destination to which the NATted packet is sent.
>
> Could someone please point me in the right direction? Or is this not possible?
>
> Thanks!
>
> --Jeremy
>
You just want to do source routing; look here:
http://www.linuxguruz.com/iptables/howto/2.4routing-4.html#ss4.1