* Redirecting traffic from a non-existent IP
@ 2006-06-05 11:27 Julian Hagenauer
  2006-06-05 11:44 ` Pascal Hambourg
  0 siblings, 1 reply; 5+ messages in thread
From: Julian Hagenauer @ 2006-06-05 11:27 UTC (permalink / raw)
  To: netfilter

Hi,
I am running Linux 2.6.11.12-xen0 (binary distribution).
I want to route all traffic destined to 192.168.1.5 to 192.168.1.3.
192.168.1.5 is a non-existent IP/host, 192.168.1.3 is a Xen-VM running 
on localhost, so 192.168.1.5 should act as a kind of alias for 
192.168.1.3 and be accessible from localhost.
The following modules are loaded:

Module                  Size  Used by
iptable_filter          2432  0 
iptable_nat            19932  1 
ip_conntrack           38712  1 iptable_nat
ip_tables              20352  2 iptable_filter,iptable_nat
intel_agp              20124  1 
agpgart                28968  1 intel_agp


I wrote and ran the following script on localhost:

#!/bin/bash
# Let the kernel forward packets between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
MAP_FROM=192.168.1.5 # virtual IP
MAP_TO=192.168.1.3 # IP of a VM
# Flush every existing rule in the nat table
iptables -t nat -F
echo "Mappe $MAP_FROM nach $MAP_TO..."
# Rewrite the destination of incoming packets for MAP_FROM to MAP_TO
iptables -t nat -A PREROUTING -d $MAP_FROM -j DNAT --to $MAP_TO
echo "Aktuelle Nat-Regeln:"
iptables -t nat -L

But ping 192.168.1.5 or ssh 192.168.1.5 still does not work.
I have no clue what's wrong.

Sincerely,
Julian




* RE: Redirecting traffic from a non-existent IP
@ 2006-06-05 11:34 Sietse van Zanen
  0 siblings, 0 replies; 5+ messages in thread
From: Sietse van Zanen @ 2006-06-05 11:34 UTC (permalink / raw)
  To: Julian Hagenauer, netfilter

Hmmm, this reminds me of a Dukes of Hazzard quote:
Why do something simple, if you can do it the hard way...


Why not add 192.168.1.5 as secondary IP to your machine?


Otherwise, you are probably lacking a static published ARP for
192.168.1.5

-Sietse

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Julian
Hagenauer
Sent: Monday, June 05, 2006 1:28 PM
To: netfilter@lists.netfilter.org
Subject: Redirecting traffic from a non-existent IP 

Hi,
I am running Linux 2.6.11.12-xen0 (binary distribution).
I want to route all traffic destined to 192.168.1.5 to 192.168.1.3.
192.168.1.5 is a non-existent IP/host, 192.168.1.3 is a Xen-VM running 
on localhost, so 192.168.1.5 should act as a kind of alias for 
192.168.1.3 and be accessible from localhost.
The following modules are loaded:

Module                  Size  Used by
iptable_filter          2432  0 
iptable_nat            19932  1 
ip_conntrack           38712  1 iptable_nat
ip_tables              20352  2 iptable_filter,iptable_nat
intel_agp              20124  1 
agpgart                28968  1 intel_agp


I wrote and ran the following script on localhost:

#!/bin/bash
echo 1 > /proc/sys/net/ipv4/ip_forward
MAP_FROM=192.168.1.5 # virtual IP
MAP_TO=192.168.1.3 # IP of a VM
iptables -t nat -F
echo "Mappe $MAP_FROM nach $MAP_TO..."
iptables -t nat -A PREROUTING -d $MAP_FROM -j DNAT --to $MAP_TO
echo "Aktuelle Nat-Regeln:"
iptables -t nat -L

But ping 192.168.1.5 or ssh 192.168.1.5 still does not work.
I have no clue what's wrong.

Sincerely,
Julian





* Re: Redirecting traffic from a non-existent IP
  2006-06-05 11:27 Redirecting traffic from a non-existent IP Julian Hagenauer
@ 2006-06-05 11:44 ` Pascal Hambourg
  0 siblings, 0 replies; 5+ messages in thread
From: Pascal Hambourg @ 2006-06-05 11:44 UTC (permalink / raw)
  To: netfilter

Hello,

Julian Hagenauer wrote:
> Hi,
> I am running Linux 2.6.11.12-xen0 (binary distribution).
> I want to route all traffic destined to 192.168.1.5 to 192.168.1.3.
> 192.168.1.5 is a non-existent IP/host, 192.168.1.3 is a Xen-VM running 
> on localhost, so 192.168.1.5 should act as a kind of alias for 
> 192.168.1.3 and be accessible from localhost.
[...]
> iptables -t nat -A PREROUTING -d $MAP_FROM -j DNAT --to $MAP_TO
> echo "Aktuelle Nat-Regeln:"
> iptables -t nat -L
> 
> But ping 192.168.1.5 or ssh 192.168.1.5 still does not work.
> I have no clue what's wrong.

I guess the problem is ARP. If nothing replies to the ARP requests for 
192.168.1.5 sent by the host that wants to send a packet to this address, 
then IP packets for this destination aren't even sent (that should 
produce Host Unreachable error messages).

Possible workarounds:
- set up some ARP daemon on the network that will reply for 192.168.1.3
- set a static ARP entry in the senders' ARP table (heavy)
- set a static route to 192.168.1.5 with gateway 192.168.1.3 (I know, 
that's ugly)
- maybe it is possible to use arptables on the NAT box to make it reply 
to the ARP requests (I don't know anything about this)

I guess IP aliasing is not an option.
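Pascal's diagnosis above, as an added example that is not part of the thread: a POSIX shell script that reads the sender's neighbour table the way a practitioner would after `ping 192.168.1.5` fails, and classifies whether the kernel has a layer-2 address to put the packet on the wire at all. Only a packet that is actually transmitted and received on the NAT box can reach a rule in the nat PREROUTING chain. The neighbour-table sample is constructed to mirror Julian's setup (the addresses are from the thread; the MAC addresses, the interface name `eth1` and the states are assumptions); on a real host replace `SAMPLE_NEIGH` with the output of `ip -4 neigh show dev eth1`.

```shell
#!/bin/sh
# Added example (not from the thread): classify a destination by its ARP
# neighbour state. A DNAT rule in the nat PREROUTING chain is only consulted
# for a packet that arrives on the NAT box; if the sender cannot resolve the
# destination's MAC address, the packet is never transmitted and the sender
# sees "Destination Host Unreachable" instead.

# Constructed sample of `ip -4 neigh show dev eth1` taken on the sending host
# (MAC addresses and interface are assumptions). 192.168.1.3 (the VM) answered
# ARP; 192.168.1.5 (the alias nobody owns) did not.
SAMPLE_NEIGH='192.168.1.3 lladdr 00:16:3e:00:00:03 REACHABLE
192.168.1.5 FAILED
192.168.1.1 lladdr 00:11:22:33:44:55 STALE'

# neigh_state ADDR: print the NUD state for ADDR, or NONE when no entry exists.
neigh_state() {
    printf '%s\n' "$SAMPLE_NEIGH" |
        awk -v ip="$1" '$1 == ip { print $NF; found = 1 }
                        END { if (!found) print "NONE" }'
}

# neigh_usable ADDR: succeed when the kernel holds a MAC for ADDR.
# STALE/DELAY/PROBE entries still carry a usable lladdr; FAILED and
# INCOMPLETE do not, and NONE means no resolution has been attempted yet.
neigh_usable() {
    case "$(neigh_state "$1")" in
        REACHABLE|STALE|DELAY|PROBE|PERMANENT|NOARP) return 0 ;;
        *) return 1 ;;
    esac
}

# diagnose ADDR: one-line verdict a practitioner can act on.
diagnose() {
    if neigh_usable "$1"; then
        echo "$1: layer-2 neighbour known, IP packets are sent; check the nat rules next"
    else
        echo "$1: no ARP reply (state $(neigh_state "$1")); packets never leave the sender, so no nat rule can match"
    fi
}

# The same check on a live host (shown here, not executed):
#   ip -4 neigh show dev eth1
#   arping -I eth1 -c 3 192.168.1.5
#   iptables -t nat -vnL PREROUTING   # counters stay at 0 while ARP fails

diagnose 192.168.1.3
diagnose 192.168.1.5
```

Two things the verdict implies for Julian's script: the DNAT rule can only take effect once some interface answers ARP for 192.168.1.5 (an address on the NAT box, a static neighbour entry, or one of Pascal's other workarounds), and packets generated on the NAT box itself traverse the nat OUTPUT chain rather than PREROUTING, so "accessible from localhost" needs a matching rule there as well.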



* RE: Redirecting traffic from a non-existent IP
@ 2006-06-05 13:16 Eliot, Wireless and Server Administrator, Great Lakes Internet
  0 siblings, 0 replies; 5+ messages in thread
From: Eliot, Wireless and Server Administrator, Great Lakes Internet @ 2006-06-05 13:16 UTC (permalink / raw)
  To: Julian Hagenauer, netfilter


> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> bounces@lists.netfilter.org] On Behalf Of Julian Hagenauer
> Sent: Monday, June 05, 2006 7:28 AM
> To: netfilter@lists.netfilter.org
> Subject: Redirecting traffic from a non-existent IP
> 
> Hi,
> I am running Linux 2.6.11.12-xen0 (binary distribution).
> I want to route all traffic destined to 192.168.1.5 to 192.168.1.3.
> 192.168.1.5 is a non-existent IP/host, 192.168.1.3 is a Xen-VM running
> on localhost, so 192.168.1.5 should act as a kind of alias for
> 192.168.1.3 and be accessible from localhost.
> The following modules are loaded:
> 
> Module                  Size  Used by
> iptable_filter          2432  0
> iptable_nat            19932  1
> ip_conntrack           38712  1 iptable_nat
> ip_tables              20352  2 iptable_filter,iptable_nat
> intel_agp              20124  1
> agpgart                28968  1 intel_agp
> 
> 
> I wrote and ran the following script on localhost:
> 
> #!/bin/bash
> echo 1 > /proc/sys/net/ipv4/ip_forward
> MAP_FROM=192.168.1.5 # virtual IP
> MAP_TO=192.168.1.3 # IP of a VM
> iptables -t nat -F
> echo "Mappe $MAP_FROM nach $MAP_TO..."
> iptables -t nat -A PREROUTING -d $MAP_FROM -j DNAT --to $MAP_TO
> echo "Aktuelle Nat-Regeln:"
> iptables -t nat -L
> 
> But ping 192.168.1.5 or ssh 192.168.1.5 still does not work.
> I have no clue what's wrong.
> 

Well, unless something is answering ARP requests on 192.168.1.5, your
other hosts have no idea which layer 2 address to direct their traffic
to. Why not just add that address as a secondary address on your box:

ip addr add 192.168.1.5/24 dev eth1

That seems like a much simpler solution. 
 
Eliot Gable
Certified Wireless Network Administrator (CWNA)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate (CCNA)
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and System Engineer
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324
 
Now offering Broadband Wireless Internet access in Croswell, Lexington,
Brown City, Yale, Worth Township, and Sandusky. Call for details.




* RE: Redirecting traffic from a non-existent IP
@ 2006-06-05 13:45 Eliot, Wireless and Server Administrator, Great Lakes Internet
  0 siblings, 0 replies; 5+ messages in thread
From: Eliot, Wireless and Server Administrator, Great Lakes Internet @ 2006-06-05 13:45 UTC (permalink / raw)
  To: Julian Hagenauer; +Cc: netfilter


> -----Original Message-----
> From: Julian Hagenauer [mailto:chaosbringer@gmx.de]
> Sent: Monday, June 05, 2006 9:37 AM
> To: Eliot, Wireless and Server Administrator, Great Lakes Internet
> Subject: Re: Redirecting traffic from a non-existent IP
> 
> 
> >Well, unless something is answering ARP requests on 192.168.1.5, your
> >other hosts have no idea which layer 2 address to direct their traffic
> >to. Why not just add that address as a secondary address on your box:
> >
> >ip addr add 192.168.1.5/24 dev eth1
> >
> >That seems like a much simpler solution.
> >
> >Eliot Gable
> >Certified Wireless Network Administrator (CWNA)
> >Certified Wireless Security Professional (CWSP)
> >Cisco Certified Network Associate (CCNA)
> >CompTIA Security+ Certified
> >CompTIA Network+ Certified
> >Network and System Engineer
> >Great Lakes Internet, Inc.
> >112 North Howard
> >Croswell, MI 48422
> >(810) 679-3395
> >(877) 558-8324
> >
> >Now offering Broadband Wireless Internet access in Croswell, Lexington,
> >Brown City, Yale, Worth Township, and Sandusky. Call for details.
> >
> >
> >
> >
> Hi,
> secondary addresses are unfortunately not an option for me.
> I want to transparently and frequently exchange two xen VMs (acting as
> server) without a noticeable downtime during the exchange. So my idea
> was to bring up both vms and simply change the iptables to switch from
> one vm to the other.
> If anybody has an idea how I can realize that in a better way: tell me :-)

Why not use a protocol that is meant for that then? For instance,
Virtual Router Redundancy Protocol. Using VRRP, you can create a virtual
IP address that is shared between two machines. One machine hosts the IP
until it fails or goes offline. At that point, the other machine takes
over. You can configure it so that when the master machine comes back
online either it takes over the IP again, or you could have it stay on
the slave machine until you manually tell it to switch back. Check into
the VRRP daemon offered by ImageStream or check out UCARP. 

Also, you may want to consider using the CLUSTERIP target in Netfilter
and the Linux Kernel. 

 
Eliot Gable
Certified Wireless Network Administrator (CWNA)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate (CCNA)
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and System Engineer
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324
 
Now offering Broadband Wireless Internet access in Croswell, Lexington,
Brown City, Yale, Worth Township, and Sandusky. Call for details.
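The VRRP-style failover Eliot suggests, as an added example that is not from the thread or from the UCARP project: a POSIX shell script that builds the `ucarp` command line for each of the two VMs sharing 192.168.1.5, plus the up/down hooks that attach and detach the address (the same `ip addr add` Eliot's first reply uses, followed by a gratuitous ARP so neighbours learn the new owner). The shared address and 192.168.1.3 come from the thread; the second VM's address 192.168.1.4, the interface name, the vhid, the password placeholder and the hook-script paths are assumptions. `DRY_RUN=1` prints the commands instead of executing them, so the hooks can be checked without root or a real interface.

```shell
#!/bin/sh
# Added example, not from the thread or the UCARP project: let two VMs share
# 192.168.1.5 over CARP so that exactly one of them holds the address, and
# move it deliberately by stopping or demoting the current holder.
# Assumptions: each VM has its own address on IFACE; 192.168.1.4 is the
# second VM; vhid 5, the password and the hook-script paths are placeholders.

IFACE=${IFACE:-eth0}
VIP=192.168.1.5
PREFIX=24
VHID=5
PASS=${PASS:-change-me-shared-secret}   # placeholder; must match on both VMs
DRY_RUN=${DRY_RUN:-0}

# run CMD...: execute, or only print when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# vip_up IFACE ADDR / vip_down IFACE ADDR: ucarp calls its --upscript and
# --downscript with the interface and the virtual address as arguments.
# The gratuitous ARP (arping -U) refreshes the neighbour tables of the other
# hosts, which is exactly the ARP state that the DNAT attempt was missing.
vip_up() {
    run ip addr add "$2/$PREFIX" dev "$1"
    run arping -U -I "$1" -c 2 "$2"
}
vip_down() {
    run ip addr del "$2/$PREFIX" dev "$1"
}

# ucarp_cmd OWN_ADDR SKEW: command line for one VM. The lower --advskew wins
# the election, so the VM that should normally serve gets skew 0 and the
# standby a higher value; --preempt lets the preferred VM reclaim the address
# when it comes back, matching the "take over again" behaviour Eliot describes.
ucarp_cmd() {
    echo "ucarp --interface=$IFACE --srcip=$1 --vhid=$VHID --pass=$PASS" \
         "--addr=$VIP --advbase=1 --advskew=$2 --preempt" \
         "--upscript=/usr/local/sbin/vip-up.sh --downscript=/usr/local/sbin/vip-down.sh"
}

case "${1:-}" in
    up)   vip_up "$2" "$3" ;;     # installed as vip-up.sh on both VMs
    down) vip_down "$2" "$3" ;;   # installed as vip-down.sh on both VMs
    show) ucarp_cmd 192.168.1.3 0; ucarp_cmd 192.168.1.4 50 ;;
    *)    echo "usage: $0 up|down IFACE ADDR | show" ;;
esac
```

To swap the serving VM on purpose, bring the new one up with ucarp running, then stop ucarp on the old one: its down hook removes the address, the standby's advertisements go unanswered, and its up hook installs the address and announces it. Because the address moves between the VMs themselves, no nat rule on dom0 is involved.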



