* how to change ip source address of incoming packets
@ 2006-11-15  7:15 Matevz Langus
  2006-11-15  8:13 ` Gáspár Lajos
  0 siblings, 1 reply; 5+ messages in thread
From: Matevz Langus @ 2006-11-15  7:15 UTC (permalink / raw)
  To: netfilter

Does anyone know how to change the IP source address of packets entering a
Linux interface to something else and, when they leave through the same
interface (backwards), change it back.

The problem is this:

I have 10 devices with the same IP address, 192.168.1.1. They are
connected to an Ethernet switch, which adds a VLAN tag to the packets
from each device. The Linux box is connected to the switch. It is
possible to create 10 VLAN interfaces on the Linux box, and only one
192.168.1.1 address will be seen per interface. In order to establish
TCP connections to all devices at the same time, the source address
must be altered.

on eth0.10, INPUT SRC 192.168.1.1 -> 192.168.10.1
on eth0.10, OUTPUT DST 192.168.10.1 -> 192.168.1.1
on eth0.11, INPUT SRC 192.168.1.1 -> 192.168.11.1
on eth0.11, OUTPUT DST 192.168.11.1 -> 192.168.1.1
...

thanks,
   Matevz Langus


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: how to change ip source address of incoming packets
  2006-11-15  7:15 how to change ip source address of incoming packets Matevz Langus
@ 2006-11-15  8:13 ` Gáspár Lajos
  2006-11-15  8:25   ` Matevz Langus
  0 siblings, 1 reply; 5+ messages in thread
From: Gáspár Lajos @ 2006-11-15  8:13 UTC (permalink / raw)
  To: Matevz Langus; +Cc: netfilter



Matevz Langus wrote:
> Does anyone know how to change the IP source address of packets entering a
> Linux interface to something else and, when they leave through the same
> interface (backwards), change it back.
>
> The problem is this:
>
> I have 10 devices with the same IP address, 192.168.1.1. They are
> connected to an Ethernet switch, which adds a VLAN tag to the packets
> from each device. The Linux box is connected to the switch. It is
> possible to create 10 VLAN interfaces on the Linux box, and only one
> 192.168.1.1 address will be seen per interface. In order to establish
> TCP connections to all devices at the same time, the source address
> must be altered.
>
> on eth0.10, INPUT SRC 192.168.1.1 -> 192.168.10.1
> on eth0.10, OUTPUT DST 192.168.10.1 -> 192.168.1.1
> on eth0.11, INPUT SRC 192.168.1.1 -> 192.168.11.1
> on eth0.11, OUTPUT DST 192.168.11.1 -> 192.168.1.1
> ...
>
Try this :

iptables -t nat -A POSTROUTING -j SNAT -i eth0.10 -s 192.168.1.1 --to-source 192.168.10.1
iptables -t nat -A PREROUTING -j DNAT -o eth0.10 -d 192.168.10.1 --to-destination 192.168.1.1
> thanks,
>   Matevz Langus
>
>
Swifty




* Re: how to change ip source address of incoming packets
  2006-11-15  8:13 ` Gáspár Lajos
@ 2006-11-15  8:25   ` Matevz Langus
  2006-11-15  9:31     ` Gáspár Lajos
  0 siblings, 1 reply; 5+ messages in thread
From: Matevz Langus @ 2006-11-15  8:25 UTC (permalink / raw)
  To: Gáspár Lajos; +Cc: netfilter

Too easy to be true. Tried this one already. I get this:

iptables v1.3.5: Can't use -i with POSTROUTING

Matevz

On Nov 15, 2006, at 9:13 AM, Gáspár Lajos wrote:

> iptables -t nat -A POSTROUTING -j SNAT -i eth0.10 -s 192.168.1.1 --to-source 192.168.10.1




* Re: how to change ip source address of incoming packets
  2006-11-15  8:25   ` Matevz Langus
@ 2006-11-15  9:31     ` Gáspár Lajos
  2006-11-15  9:35       ` Gáspár Lajos
  0 siblings, 1 reply; 5+ messages in thread
From: Gáspár Lajos @ 2006-11-15  9:31 UTC (permalink / raw)
  To: Matevz Langus; +Cc: netfilter

Matevz Langus wrote:
> To easy to be true. Tried this one already. I get this:
>
> iptables v1.3.5: Can't use -i with POSTROUTING
>
:-D Right :-D
Okay, then try this:

iptables -t mangle -A PREROUTING -j CONNMARK -i eth0.10 -s 192.168.1.1 -d $firewal_virtual_ip_on_10 --set-mark 1
iptables -t mangle -A PREROUTING -j CONNMARK -i eth0.11 -s 192.168.1.1 -d $firewal_virtual_ip_on_11 --set-mark 2
...
iptables -t nat -A PREROUTING -j DNAT -m connmark --mark 1 --to-destination $firewal_real_ip_on_10
iptables -t nat -A PREROUTING -j DNAT -m connmark --mark 2 --to-destination $firewal_real_ip_on_11
...


iptables -t mangle -A OUTPUT -j CONNMARK -d 192.168.10.1 --set-mark 1
iptables -t mangle -A OUTPUT -j CONNMARK -d 192.168.11.1 --set-mark 2
...

iptables -t nat -A OUTPUT -j DNAT -m mark ! --mark 0 --to-destination 192.168.1.1

iptables -t mangle -A POSTROUTING -j ROUTE -m mark --mark 1 --oif eth0.10
iptables -t mangle -A POSTROUTING -j ROUTE -m mark --mark 2 --oif eth0.11
...
iptables -t nat -A POSTROUTING -j SNAT -m mark --mark 1 --to-source $firewal_virtual_ip_on_10
iptables -t nat -A POSTROUTING -j SNAT -m mark --mark 2 --to-source $firewal_virtual_ip_on_11
...

With this scenario the devices on the VLANs can only talk to the firewall...

> Matevz
>
> On Nov 15, 2006, at 9:13 AM, Gáspár Lajos wrote:
>
>> iptables -t nat -A POSTROUTING -j SNAT -i eth0.10 -s 192.168.1.1 
>> --to-source 192.168.10.1
>
>




* Re: how to change ip source address of incoming packets
  2006-11-15  9:31     ` Gáspár Lajos
@ 2006-11-15  9:35       ` Gáspár Lajos
  0 siblings, 0 replies; 5+ messages in thread
From: Gáspár Lajos @ 2006-11-15  9:35 UTC (permalink / raw)
  To: Matevz Langus; +Cc: netfilter

Sorry...
Not mark... connmark...

# Connection mark N identifies the VLAN a connection belongs to. It is set on
# the first packet (PREROUTING for device-initiated, OUTPUT for box-initiated
# connections) and read back with "-m connmark" in the later chains, where the
# input interface is no longer available to match on.
iptables -t mangle -A PREROUTING -j CONNMARK -i eth0.10 -s 192.168.1.1 -d $firewal_virtual_ip_on_10 --set-mark 1
iptables -t mangle -A PREROUTING -j CONNMARK -i eth0.11 -s 192.168.1.1 -d $firewal_virtual_ip_on_11 --set-mark 2
...
iptables -t nat -A PREROUTING -j DNAT -m connmark --mark 1 --to-destination $firewal_real_ip_on_10
iptables -t nat -A PREROUTING -j DNAT -m connmark --mark 2 --to-destination $firewal_real_ip_on_11
...

iptables -t mangle -A OUTPUT -j CONNMARK -d 192.168.10.1 --set-mark 1
iptables -t mangle -A OUTPUT -j CONNMARK -d 192.168.11.1 --set-mark 2
...

iptables -t nat -A OUTPUT -j DNAT -m connmark ! --mark 0 --to-destination 192.168.1.1

# ROUTE is the patch-o-matic-ng target, not part of mainline iptables; it
# forces the outgoing VLAN interface after the DNAT above has rewritten the
# destination to the shared 192.168.1.1.
iptables -t mangle -A POSTROUTING -j ROUTE -m connmark --mark 1 --oif eth0.10
iptables -t mangle -A POSTROUTING -j ROUTE -m connmark --mark 2 --oif eth0.11
...
iptables -t nat -A POSTROUTING -j SNAT -m connmark --mark 1 --to-source $firewal_virtual_ip_on_10
iptables -t nat -A POSTROUTING -j SNAT -m connmark --mark 2 --to-source $firewal_virtual_ip_on_11
...
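Editor's added example, not code from the thread: a generator for the complete per-VLAN rule set sketched above, for any number of VLANs rather than the two shown. It keeps the connmark idea from the last message but makes two substitutions, stated plainly: the non-mainline ROUTE target is replaced by a fwmark policy-routing table per VLAN (`ip rule add fwmark N lookup N`), and the device-initiated direction, which the thread's rules leave with the shared source 192.168.1.1, is rewritten in the nat INPUT chain (available since kernel 2.6.36) so local sockets see a distinct peer per VLAN. Everything else is a constructed assumption: the devices are 192.168.1.1/24 on VLAN ids 10 to 19, the box addresses the device on VLAN N as 192.168.N.1, the box holds 192.168.1.(100+N)/24 on eth0.N as its per-VLAN "virtual" address, and VLAN id N doubles as fwmark and routing-table number. The script prints the commands; it only applies them when run as root with `APPLY=1`.

```shell
#!/bin/sh
# Added example for the per-VLAN NAT scheme discussed in this thread. All
# addresses and naming conventions below are constructed assumptions, not
# values from the original posts.
#   DEVICE_IP   every device is 192.168.1.1/24 on its own VLAN, id N
#   alias_for N what local applications dial to reach the device on VLAN N
#   vip_for N   the address the box itself holds on eth0.N, inside
#               192.168.1.0/24 so the device can answer it without a gateway
#   mark/table  VLAN id N doubles as fwmark and routing-table number
DEVICE_IP=192.168.1.1
PARENT_IF=eth0

alias_for() { echo "192.168.$1.1"; }
vip_for()   { echo "192.168.1.$(($1 + 100))"; }

# Emit the ip/iptables commands for each VLAN id given as an argument.
gen_vlan_nat_rules() {
    for N in "$@"; do
        ALIAS=$(alias_for "$N"); VIP=$(vip_for "$N"); IF="$PARENT_IF.$N"
        cat <<EOF
# --- VLAN $N: device $DEVICE_IP is reached locally as $ALIAS via $IF ---
ip link add link $PARENT_IF name $IF type vlan id $N
ip addr add $VIP/24 dev $IF
ip link set $IF up
# replies arrive on $IF from $DEVICE_IP, but the main table's first
# 192.168.1.0/24 route points at another VLAN: strict rp_filter would drop them
echo 2 > /proc/sys/net/ipv4/conf/$IF/rp_filter
# main table: the initial connect() to the alias picks $IF and source $VIP
ip route add $ALIAS/32 dev $IF src $VIP
# table $N: after DNAT has rewritten the destination to $DEVICE_IP, the
# re-route keyed on fwmark $N still selects $IF (replaces the ROUTE target)
ip route add $DEVICE_IP/32 dev $IF table $N
ip rule add fwmark $N lookup $N
# box -> device: mark the packet and connection, DNAT alias -> real address,
# then SNAT to this VLAN's own address so reply tuples differ per VLAN
iptables -t mangle -A OUTPUT -d $ALIAS -j MARK --set-mark $N
iptables -t mangle -A OUTPUT -d $ALIAS -j CONNMARK --save-mark
iptables -t nat -A OUTPUT -d $ALIAS -m mark --mark $N -j DNAT --to-destination $DEVICE_IP
iptables -t nat -A POSTROUTING -o $IF -m mark --mark $N -j SNAT --to-source $VIP
# device -> box: the input interface is only matchable in PREROUTING, so record
# it in the connection mark there; nat INPUT (kernel >= 2.6.36) rewrites the
# source so local sockets see $ALIAS instead of the shared $DEVICE_IP
iptables -t mangle -A PREROUTING -i $IF -s $DEVICE_IP -j CONNMARK --set-mark $N
iptables -t nat -A INPUT -m connmark --mark $N -s $DEVICE_IP -j SNAT --to-source $ALIAS
EOF
    done
}

# Print the rules; run with APPLY=1 (as root) to execute them instead.
if [ "${APPLY:-0}" = 1 ]; then
    gen_vlan_nat_rules 10 11 12 13 14 15 16 17 18 19 | sh -e
else
    gen_vlan_nat_rules 10 11 12 13 14 15 16 17 18 19
fi
```

Two points worth checking on a real box: the SNAT in nat POSTROUTING matches on the packet mark and output interface, never on `-i`, which is exactly what iptables refused earlier in the thread; and the per-interface rp_filter relaxation is required because, with ten interfaces all carrying a 192.168.1.0/24 route, strict reverse-path validation would silently drop replies on nine of them.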


