* MAC Address masking/NAT
@ 2008-10-17 6:13 Timothy Toole
2008-10-17 17:15 ` Grant Taylor
2008-10-18 2:52 ` Timothy Toole
0 siblings, 2 replies; 5+ messages in thread
From: Timothy Toole @ 2008-10-17 6:13 UTC (permalink / raw)
To: netfilter
Hello,
Apparently, I'm just not getting some of the tables and chains
concepts enough to make the following scenario work. Any help would be
greatly appreciated.
I have a bridge setup between two computer systems. To be more
detailed, the bridge (br0) is setup on a Linksys WRT54GL across two of
the switch ports that have been VLAN tagged (eth0.1 and eth0.2). In
this setup, Host A and Host B communicate as expected.
What I'd like to do is use iptables or ebtables to.... change the MAC
address of Host B as packets traverse the bridge. Host A will only see
the "changed" MAC address, not the actual one of Host B.
Here's a lame ascii art diagram:
____________________
| |
| br0 |
| |
| eth0.1 eth0.2 |
|__/______________\__|
/ \
/ \ <--- Translate MAC to
/ \ 11:11:11:22:22:22
/ \
/ \
___|___ ___|___
| | | |
| A | | B |
|_______| |_______|
MAC: 00:11:22:33:44:55 MAC:55:44:33:22:11:00
Can this be done? Also, if I don't know the MAC address of either
host, can a rule be written as a "catch-all" to change any MAC that's
plugged in?
Many Thanks.
-tim
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: MAC Address masking/NAT
2008-10-17 6:13 MAC Address masking/NAT Timothy Toole
@ 2008-10-17 17:15 ` Grant Taylor
2008-10-18 2:52 ` Timothy Toole
1 sibling, 0 replies; 5+ messages in thread
From: Grant Taylor @ 2008-10-17 17:15 UTC (permalink / raw)
To: Mail List - Netfilter
On 10/17/08 01:13, Timothy Toole wrote:
> What I'd like to do is use iptables or ebtables to.... change the MAC
> address of Host B as packets traverse the bridge. Host A will only see
> the "changed" MAC address, not the actual one of Host B.
>
> Here's a lame ascii art diagram:
>
> ____________________
> | |
> | br0 |
> | |
> | eth0.1 eth0.2 |
> |__/______________\__|
> / \
> / \ <--- Translate MAC to
> / \ 11:11:11:22:22:22
> / \
> / \
> ___|___ ___|___
> | | | |
> | A | | B |
> |_______| |_______|
> MAC: 00:11:22:33:44:55 MAC:55:44:33:22:11:00
>
> Can this be done? Also, if I don't know the MAC address of either
> host, can a rule be written as a "catch-all" to change any MAC that's
> plugged in?
Yes this can. I think you will be doing most of this work in EBTables
rather than IPTables. (IPTables can be made to work with ethernet
frames, but it is nicer to use EBTables which does it directly. Proper
tool for the job and all.)
You can easily use EBTables to (S)NAT the frames ethernet MAC address.
As far as the catch all rule, you would have to use rules to act on the
/known/ systems and then another ""catch all rule to act on /unknown/
systems.
If you need more help, just ask. Though the EBTables mailing list might
be a more appropriate and better place to get more help.
> Many Thanks.
*nod*
Grant. . . .
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: MAC Address masking/NAT
2008-10-17 6:13 MAC Address masking/NAT Timothy Toole
2008-10-17 17:15 ` Grant Taylor
@ 2008-10-18 2:52 ` Timothy Toole
2008-10-18 19:49 ` Grant Taylor
2008-10-18 23:22 ` Timothy Toole
1 sibling, 2 replies; 5+ messages in thread
From: Timothy Toole @ 2008-10-18 2:52 UTC (permalink / raw)
To: netfilter
> You can easily use EBTables to (S)NAT the frames ethernet MAC address.
I've tried the following two rules (independently):
# ebtables -t nat -A POSTROUTING -j snat --to-src 11:11:11:22:22:22 --snat-arp
and
# ebtables -t nat -A POSTROUTING -j snat --to-src 11:11:11:22:22:22
--snat-arp -s 55:44:33:22:11:00
The result is that the traffic destined to Host A has the "new/faked"
MAC address, but the return traffic back to Host B still has the faked
address (and thus is ignored by the host).
Does a corresponding DNAT rule need to be made in the PREROUTING nat chain?
> If you need more help, just ask. Though the EBTables mailing list might
> be a more appropriate and better place to get more help.
Whoops. The ebtables project page states to post questions to the
netfilter list (http://ebtables.sourceforge.net/contact.html)
Thanks again.
-tim
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: MAC Address masking/NAT
2008-10-18 2:52 ` Timothy Toole
@ 2008-10-18 19:49 ` Grant Taylor
2008-10-18 23:22 ` Timothy Toole
1 sibling, 0 replies; 5+ messages in thread
From: Grant Taylor @ 2008-10-18 19:49 UTC (permalink / raw)
To: Mail List - Netfilter
On Fri, October 17, 2008 21:52, Timothy Toole wrote:
> I've tried the following two rules (independently):
> # ebtables -t nat -A POSTROUTING -j snat --to-src 11:11:11:22:22:22
--snat-arp
> and
> # ebtables -t nat -A POSTROUTING -j snat --to-src 11:11:11:22:22:22
--snat-arp -s 55:44:33:22:11:00
>
> The result is that the traffic destined to Host A has the "new/faked"
MAC address, but the return traffic back to Host B still has the faked
address (and thus is ignored by the host).
>
> Does a corresponding DNAT rule need to be made in the PREROUTING nat
chain?
Hum... Let me think about this / look through notes / get more sleep
(currently 3 hours in the last 36) and get back with you. However in my
current sleep deprived state, you may indeed have to DNAT traffic.
> Whoops. The ebtables project page states to post questions to the
netfilter list (http://ebtables.sourceforge.net/contact.html)
*Whaa???*
That's news to me. I've been an active subscribed member to the EBTables
list (answering questions like a good little Tux) for three or more years
and I had absolutely no idea that the mailing lists were deprecated. That
explains the lack of traffic of late and why messages like yours have
appeared here on the IPTables mailing list.
> Thanks again.
*nod*
More sleep and I'll try to give a better answer.
Grant. . . .
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: MAC Address masking/NAT
2008-10-18 2:52 ` Timothy Toole
2008-10-18 19:49 ` Grant Taylor
@ 2008-10-18 23:22 ` Timothy Toole
1 sibling, 0 replies; 5+ messages in thread
From: Timothy Toole @ 2008-10-18 23:22 UTC (permalink / raw)
To: netfilter
I think I found the solution (at least it works in my case). Not sure
why I couldn't figure this out earlier, it's actually quite simple.
Any packet with a source MAC address that we want to change needs a
rule, and any packet destined to out fake MAC address needs another
rule.
Starting again with the network diagram:
____________________
| |
| br0 |
| |
| eth0.1 eth0.2 |
|__/______________\__|
/ \
/ \ <--- Translate MAC to
/ \ 11:11:11:22:22:22
/ \
/ \
___|___ ___|___
| | | |
| A | | B |
|_______| |_______|
MAC: 00:11:22:33:44:55 MAC:55:44:33:22:11:00
We need to add two rules. The first rule will change the [real] source
MAC address to the new/faked MAC address.
# ebtables -t nat -A POSTROUTING -j snat -s 55:44:33:22:11:00 --to-src
11:11:11:22:22:22 --snat-arp
The second rule will change the any of the faked MAC address back into
the real one.
# ebtables -t nat -A PREROUTING -j dnat -d 11:11:11:22:22:22
--to-destination 55:44:33:22:11:00
Thanks to all that responded with help.
-tim
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2008-10-18 23:22 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-10-17 6:13 MAC Address masking/NAT Timothy Toole
2008-10-17 17:15 ` Grant Taylor
2008-10-18 2:52 ` Timothy Toole
2008-10-18 19:49 ` Grant Taylor
2008-10-18 23:22 ` Timothy Toole
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.