* Per-client NAT routing -- possible?
From: Jeremy Elson @ 2006-03-22 17:16 UTC (permalink / raw)
To: netfilter-devel
Hi,
I'm trying to set up a Linux box as a NATting router. But here's the
trick: my box's external interface is on a LAN that has a whole bunch
of routers on it, any of which can be used to access the Internet.
I'm trying to figure out how to configure iptables so that the NAT box
selects the router to use based on client IP address (i.e., the IP
address on the inside interface).
I've been tinkering with a command like this:
iptables -t nat -A POSTROUTING -s $INTERNAL_CLIENT_IP -o external-iface0 -j SNAT --to $EXTERNAL_ROUTER_IP
...but it seems that --to controls the new source address given to the
packet (i.e., the router's outside-interface IP), and not the
destination to which the NATted packet is sent.
Could someone please point me in the right direction? Or is this not possible?
Thanks!
--Jeremy
* Per-client NAT routing -- possible?
From: Jeremy Elson @ 2006-03-23 2:49 UTC (permalink / raw)
To: netfilter-devel
[ Sent before I subscribed - I think it was silently dropped.
Apologies if you get 2. ]
Hi,
I'm trying to set up a Linux box as a NATting router. But here's the
trick: my box's external interface is on a LAN that has a whole bunch
of routers on it, any of which can be used to access the Internet.
I'm trying to figure out how to configure iptables so that the NAT box
selects the router to use based on client IP address (i.e., the IP
address on the inside interface).
I've been tinkering with a command like this:
iptables -t nat -A POSTROUTING -s $INTERNAL_CLIENT_IP -o external-iface0 -j SNAT --to $EXTERNAL_ROUTER_IP
...but it seems that --to controls the new source address given to the
packet (i.e., the router's outside-interface IP), and not the
destination to which the NATted packet is sent.
Could someone please point me in the right direction? Or is this not possible?
Thanks!
--Jeremy
* Re: Per-client NAT routing -- possible?
From: Amin Azez @ 2006-03-23 10:07 UTC (permalink / raw)
To: netfilter-devel
Jeremy Elson wrote:
> [ Sent before I subscribed - I think it was silently dropped.
> Apologies if you get 2. ]
>
>
> Hi,
>
> I'm trying to set up a Linux box as a NATting router. But here's the
> trick: my box's external interface is on a LAN that has a whole bunch
> of routers on it, any of which can be used to access the Internet.
> I'm trying to figure out how to configure iptables so that the NAT box
> selects the router to use based on client IP address (i.e., the IP
> address on the inside interface).
>
> I've been tinkering with a command like this:
>
> iptables -t nat -A POSTROUTING -i $INTERNAL_CLIENT_IP -o
> external-iface0 -j SNAT --to $EXTERNAL_ROUTER_IP
>
> ...but it seems that --to controls the new source address given to the
> packet (i.e., the router's outside-interface IP), and not the
> destination to which the NATted packet is sent.
>
> Could someone please point me in the right direction? Or is this not possible?
I think you can use ipt_route to select the output gateway or interface;
NAT should then work after that.
Sam
* Re: Per-client NAT routing -- possible?
From: Patrick McHardy @ 2006-03-23 18:26 UTC (permalink / raw)
To: Amin Azez; +Cc: netfilter-devel
Amin Azez wrote:
> Jeremy Elson wrote:
>
>> [ Sent before I subscribed - I think it was silently dropped.
>> Apologies if you get 2. ]
>>
>>
>> Hi,
>>
>> I'm trying to set up a Linux box as a NATting router. But here's the
>> trick: my box's external interface is on a LAN that has a whole bunch
>> of routers on it, any of which can be used to access the Internet.
>> I'm trying to figure out how to configure iptables so that the NAT box
>> selects the router to use based on client IP address (i.e., the IP
>> address on the inside interface).
>>
>> I've been tinkering with a command like this:
>>
>> iptables -t nat -A POSTROUTING -i $INTERNAL_CLIENT_IP -o
>> external-iface0 -j SNAT --to $EXTERNAL_ROUTER_IP
>>
>> ...but it seems that --to controls the new source address given to the
>> packet (i.e., the router's outside-interface IP), and not the
>> destination to which the NATted packet is sent.
>>
>> Could someone please point me in the right direction? Or is this not
>> possible?
>
>
> I think you can use ipt_route to select the output gateway or interface,
> NAT should then work after that.
That sounds rather hackish. The normal way to do something like that
is to use normal multipath routes and, if NAT to different IPs needs
to be used, CONNMARK to bind connections to one of the paths.
* Re: Per-client NAT routing -- possible?
From: Amin Azez @ 2006-03-24 12:24 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
Patrick McHardy wrote:
> Amin Azez wrote:
>
>>>Could someone please point me in the right direction? Or is this not
>>>possible?
>>
>>
>>I think you can use ipt_route to select the output gateway or interface,
>>NAT should then work after that.
>
>
> That sounds rather hackish. The normal way to do something like that
> is to use normal multipath routes and, if NAT to different IPs needs
> to be used, CONNMARK to bind connections to one of the paths.
Respecting your experience and acknowledging my ignorance, but THAT
seems like the hacky way to me. I realise most of the world thinks I'm
wrong; I merely offer this insight into the strangeness of the "other"
person's mind.
I guess I do it this way because I do a lot of bridging.
Sam
* Re: Per-client NAT routing -- possible?
From: Patrick McHardy @ 2006-03-24 12:58 UTC (permalink / raw)
To: Amin Azez; +Cc: netfilter-devel
Amin Azez wrote:
> Patrick McHardy wrote:
>
>> Amin Azez wrote:
>>
>>>> Could someone please point me in the right direction? Or is this not
>>>> possible?
>>>
>>>
>>>
>>> I think you can use ipt_route to select the output gateway or interface,
>>> NAT should then work after that.
>>
>>
>>
>> That sounds rather hackish. The normal way to do something like that
>> is to use normal multipath routes and, if NAT to different IPs needs
>> to be used, CONNMARK to bind connections to one of the paths.
>
>
> Respecting your experience and acknowledging my ignorance, but THAT
> seems like the hacky way to me. I realise most of the world thinks I'm
> wrong, I merely offer this insight into the strangeness of the "other"
> persons mind.
>
> I guess I do it this way because I do a lot of bridging.
I guess it's a matter of taste which way you prefer, but one argument
against the route target is that it replicates lots of code from
the IP layer, which is never a good idea and most likely already
out of date. From a short look, it seems like it doesn't work with
IPsec, for example.
* Re: Per-client NAT routing -- possible?
From: Guy Martin @ 2006-03-24 13:28 UTC (permalink / raw)
To: Jeremy Elson; +Cc: netfilter-devel
Jeremy,
I got a similar thing running here:
I first create one routing table per gateway. Each table contains only the default gateway:
caesar ~ # ip ro sh ta 20
default via 172.17.0.2 dev eth4
caesar ~ #
And the same for each gw.
Then I create routing rules based on the fw mark:
caesar ~ # ip ru
0: from all lookup local
10: from all lookup main
20: from all fwmark 0x2 lookup 20
30: from all fwmark 0x3 lookup 30
40: from all fwmark 0x4 lookup 40
32766: from all lookup main
32767: from all lookup default
caesar ~ #
The order is important! You must have the main table before the others, at prio 10 for example, to avoid problems with your LAN.
Also, don't put a default route in the main table as it will get everything routed to this route. Instead, put your default route in the default table.
Then in iptables you simply mark the packets where you want them to be sent. The CONNMARK is used to match connections coming from those gateways. This allows the router to remember where the connection comes from and send subsequent packets from the reverse direction to the right router.
caesar ~ # iptables -L -v -n -t mangle
Chain PREROUTING (policy ACCEPT 162M packets, 120G bytes)
pkts bytes target prot opt in out source destination
380M 288G CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
218M 168G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match !0x0
2413K 147M from_playa all -- * * 172.18.0.11 0.0.0.0/0 /* Packets from playa -> beta-site */
7686 584K MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 /* NTP -> ADSL */ udp dpt:123 MARK set 0x4
1659 98108 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* SMTP -> ADSL */ tcp dpt:25 MARK set 0x4
35 2080 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* DNS/tcp -> ADSL */ tcp dpt:53 MARK set 0x4
118K 8903K MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 /* DNS/udp -> ADSL */ udp dpt:53 MARK set 0x4
0 0 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 /* IAX -> ADSL */ udp dpt:4568 MARK set 0x4
176K 12M MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:90:27:0A:8C:C6 MARK set 0x2
1525K 77M MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:10:A7:08:F8:E9 MARK set 0x3
3726 351K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MAC 00:12:D9:AE:0C:F7 MARK set 0x4
162M 120G CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
Chain from_playa (1 references)
pkts bytes target prot opt in out source destination
2432K 171M MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x3
7 420 MARK tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:873 MARK set 0x4
2432K 171M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
This matches per host, per port, or whatever you want.
HTH,
Guy
On Wed, 22 Mar 2006 18:49:36 -0800
"Jeremy Elson" <jelson@gmail.com> wrote:
> [ Sent before I subscribed - I think it was silently dropped.
> Apologies if you get 2. ]
>
>
> Hi,
>
> I'm trying to set up a Linux box as a NATting router. But here's the
> trick: my box's external interface is on a LAN that has a whole bunch
> of routers on it, any of which can be used to access the Internet.
> I'm trying to figure out how to configure iptables so that the NAT box
> selects the router to use based on client IP address (i.e., the IP
> address on the inside interface).
>
> I've been tinkering with a command like this:
>
> iptables -t nat -A POSTROUTING -i $INTERNAL_CLIENT_IP -o
> external-iface0 -j SNAT --to $EXTERNAL_ROUTER_IP
>
> ...but it seems that --to controls the new source address given to the
> packet (i.e., the router's outside-interface IP), and not the
> destination to which the NATted packet is sent.
>
> Could someone please point me in the right direction? Or is this not possible?
>
> Thanks!
>
> --Jeremy
>
--
Guy Martin
Gentoo Linux - HPPA port Lead / IPv6 team
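The policy-routing setup Guy describes above (one table per gateway, fwmark rules, CONNMARK restore/save in mangle PREROUTING), combined with the per-path SNAT Patrick mentioned, written out as an added example script; it is not Guy's or Patrick's configuration. It assumes an external interface eth1, two upstream routers 172.17.0.2 and 172.17.0.3 on the external LAN, one SNAT address per router and two client subnets, all constructed values; unlike Guy's MAC-based rules it classifies by client source address, which is what the original question asked for.

```shell
#!/bin/sh
# Added example: per-client gateway selection with policy routing + fwmark +
# CONNMARK, plus a distinct SNAT source per path. Interface names, gateway
# addresses, SNAT addresses and client subnets below are assumed values.
set -eu

# DRY_RUN=1 prints each command instead of executing it (review/testing).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

EXT_IF=eth1
# mark  table  gateway      SNAT source   clients routed via this gateway
GW_SPEC="
0x2 20 172.17.0.2 172.17.0.20 192.168.1.0/25
0x3 30 172.17.0.3 172.17.0.30 192.168.1.128/25
"

setup_policy_routing() {
    # Main table first (prio 10) so LAN routes win over the per-gateway
    # tables; main carries no default route, as Guy's post recommends.
    run ip rule add prio 10 lookup main
    # Put the connection's saved mark back on every packet; packets that
    # already carry a mark belong to a known connection and skip classification.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    echo "$GW_SPEC" | while read -r mark table gw snat clients; do
        [ -n "$mark" ] || continue
        # One table per gateway holding only its default route, looked up
        # by a rule keyed on the fwmark (rule prio == table number here).
        run ip route replace default via "$gw" dev "$EXT_IF" table "$table"
        run ip rule add prio "$table" fwmark "$mark" lookup "$table"
        # Classify by client source address (the -s match from the question).
        run iptables -t mangle -A PREROUTING -s "$clients" -j MARK --set-mark "$mark"
        # A different SNAT source per path, tied to the path by the same mark.
        run iptables -t nat -A POSTROUTING -o "$EXT_IF" -m mark --mark "$mark" \
            -j SNAT --to-source "$snat"
    done
    # Persist the mark on the conntrack entry so later packets of the
    # connection, in both directions, keep following the same gateway.
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
}

case "${1:-}" in apply) setup_policy_routing ;; esac
```

Run as root with `apply` to install the rules, or with `DRY_RUN=1` to print them for review first.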
* Re: Per-client NAT routing -- possible?
From: Oskar Berggren @ 2006-03-27 6:37 UTC (permalink / raw)
To: Jeremy Elson; +Cc: netfilter-devel
On Wed, 2006-03-22 at 09:16 -0800, Jeremy Elson wrote:
> Hi,
>
> I'm trying to set up a Linux box as a NATting router. But here's the
> trick: my box's external interface is on a LAN that has a whole bunch
> of routers on it, any of which can be used to access the Internet.
> I'm trying to figure out how to configure iptables so that the NAT box
> selects the router to use based on client IP address (i.e., the IP
> address on the inside interface).
It sounds like you need policy routing (multiple routing tables).
/Oskar
--
Oskar Berggren <beo@sgs.o.se>
Thread overview: 8+ messages
2006-03-22 17:16 Per-client NAT routing -- possible? Jeremy Elson
2006-03-23 2:49 ` Jeremy Elson
2006-03-23 10:07 ` Amin Azez
2006-03-23 18:26 ` Patrick McHardy
2006-03-24 12:24 ` Amin Azez
2006-03-24 12:58 ` Patrick McHardy
2006-03-24 13:28 ` Guy Martin
2006-03-27 6:37 ` Oskar Berggren