* Re: [LARTC] SNAT based on MAC before routing
2002-11-20 19:09 [LARTC] SNAT based on MAC before routing Eduard Calvo (B-teljpa) EXP JAN 03
@ 2002-11-20 19:25 ` Ramin Alidousti
2002-11-21 9:08 ` Eduard Calvo (B-teljpa) EXP JAN 03
2002-11-24 0:40 ` Filip Sneppe
2 siblings, 0 replies; 4+ messages in thread
From: Ramin Alidousti @ 2002-11-20 19:25 UTC (permalink / raw)
To: lartc
As far as I know you cannot do SNAT in PREROUTING.
If I understand your situation correctly what you can do
is to mark the packets like you do below and route them
with iproute2 according to that mark and at the very
end of the packet flow in your linux box you can SNAT based
on the MAC:
1) When the packet arrives:
iptables -t mangle -A PREROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX -j MARK --set-mark 1
2) Use the mark to route the packet through the right interface:
ip rule add fwmark 1 table 7
3) SNAT the packet right before it leaves the linux box:
iptables -t nat -A POSTROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX -j SNAT --to a.b.c.d
Ramin
On Wed, Nov 20, 2002 at 08:09:17PM +0100, Eduard Calvo (B-teljpa) EXP JAN 03 wrote:
>
> Hi gurus,
>
> I need a way to do SNAT based on source mac before routing. This is because
> hosts attached to my gateway can have duplicate IP addresses, and I have to
> distinguish over them.
>
> I tried to use the nat tool that comes with iproute2, but this force to make
> a mapping only address to address, and I wanted to do it by mark (I also use
> iptables to do that). For example, I tried to do that:
>
> iptables -t mangle -A PREROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX -j
> MARK --set-mark 1
> ip rule add fwmark 1 nat to a.b.c.d lookup table <table>
>
> And so I also did:
>
> ip route add nat a.b.c.d via e.f.g.h
> (where e.f.g.h. is the IP associated with mac XX:XX:XX:XX:XX:XX)
>
> This doesn't work.
>
> I also tried to do a loop with the packets, forwarding them for the first
> time through the loopback interface (doing SNAT in POSTROUTING with iptables)
> and routing correctly for the next time they come (having passed through lo).
> I do this marking the packets coming from lo interface, and having an
> according ip rule that force them to go through the correct output interface
> (let be eth1). This way, I would want to be able to make a diferent routing
> policy for each host (because de nat'ed address is different from each other).
> The only thing I observe is a funny looping that makes packets go round my box
> until they die (TTL=0).
>
> Can someone help me, please?
> Thanks in advance, and excuse my long mail.
>
> Eduard.
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 4+ messages in thread
* [LARTC] SNAT based on MAC before routing
2002-11-20 19:09 [LARTC] SNAT based on MAC before routing Eduard Calvo (B-teljpa) EXP JAN 03
2002-11-20 19:25 ` Ramin Alidousti
@ 2002-11-21 9:08 ` Eduard Calvo (B-teljpa) EXP JAN 03
2002-11-24 0:40 ` Filip Sneppe
2 siblings, 0 replies; 4+ messages in thread
From: Eduard Calvo (B-teljpa) EXP JAN 03 @ 2002-11-21 9:08 UTC (permalink / raw)
To: lartc
Hi Ramin,
Thanks for your answer. But this solution is not suitable to me. This would
be a good solution if the only thing I had to do is to route packets based on
MAC. The problem is that I have to SNAT before routing.
The reason is that I have to capture http traffic and redirect it through a
local Apache Server that I have in my Linux box. The server has to be able to
distinguish over hosts, and if I do SNAT in postrouting it will see the real
ip address of the packet, and not the NAT'ed address. I wonder if maybe Apache
has access to fields of the ip header (like TOS), because I would use these
fields to make Apache distinguish clients.
Another solution is to implement a local process that, for each packet
captured, NATs the source address. But I don't know in which chain of iptables
could it leave the packets...
Do you know another suitable alternative??
Please, excuse my english, it's not my native language.
Thank you in advanced.
Eduard.
Mensaje citado por Ramin Alidousti <ramin@cannon.eng.us.uu.net>:
> As far as I know you cannot do SNAT in PREROUTING.
>
> If I understand your situation correctly what you can do
> is to mark the packets like you do below and route them
> with iproute2 according to that mark and at the very
> end of the packet flow in your linux box you can SNAT based
> on the MAC:
>
> 1) When the packet arrives:
> iptables -t mangle -A PREROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX -j
> MARK --set-mark 1
>
> 2) Use the mark to route the packet through the right interface:
> ip rule add fwmark 1 table 7
>
> 3) SNAT the packet right before it leaves the linux box:
> iptables -t nat -A POSTROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX -j SNAT
> --to a.b.c.d
>
>
> Ramin
>
> On Wed, Nov 20, 2002 at 08:09:17PM +0100, Eduard Calvo (B-teljpa) EXP JAN 03
> wrote:
>
> >
> > Hi gurus,
> >
> > I need a way to do SNAT based on source mac before routing. This is
> because
> > hosts attached to my gateway can have duplicate IP addresses, and I have
to
>
> > distinguish over them.
> >
> > I tried to use the nat tool that comes with iproute2, but this force to
> make
> > a mapping only address to address, and I wanted to do it by mark (I also
> use
> > iptables to do that). For example, I tried to do that:
> >
> > iptables -t mangle -A PREROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX
-j
>
> > MARK --set-mark 1
> > ip rule add fwmark 1 nat to a.b.c.d lookup table <table>
> >
> > And so I also did:
> >
> > ip route add nat a.b.c.d via e.f.g.h
> > (where e.f.g.h. is the IP associated with mac XX:XX:XX:XX:XX:XX)
> >
> > This doesn't work.
> >
> > I also tried to do a loop with the packets, forwarding them for the
first
>
> > time through the loopback interface (doing SNAT in POSTROUTING with
> iptables)
> > and routing correctly for the next time they come (having passed through
> lo).
> > I do this marking the packets coming from lo interface, and having an
> > according ip rule that force them to go through the correct output
> interface
> > (let be eth1). This way, I would want to be able to make a diferent
routing
>
> > policy for each host (because de nat'ed address is different from each
> other).
> > The only thing I observe is a funny looping that makes packets go round my
> box
> > until they die (TTL=0).
> >
> > Can someone help me, please?
> > Thanks in advance, and excuse my long mail.
> >
> > Eduard.
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [LARTC] SNAT based on MAC before routing
2002-11-20 19:09 [LARTC] SNAT based on MAC before routing Eduard Calvo (B-teljpa) EXP JAN 03
2002-11-20 19:25 ` Ramin Alidousti
2002-11-21 9:08 ` Eduard Calvo (B-teljpa) EXP JAN 03
@ 2002-11-24 0:40 ` Filip Sneppe
2 siblings, 0 replies; 4+ messages in thread
From: Filip Sneppe @ 2002-11-24 0:40 UTC (permalink / raw)
To: lartc
On Thu, 2002-11-21 at 10:08, Eduard Calvo (B-teljpa) EXP JAN 03 wrote:
>
> Hi Ramin,
>
> Thanks for your answer. But this solution is not suitable to me. This would
> be a good solution if the only thing I had to do is to route packets based on
> MAC. The problem is that I have to SNAT before routing.
>
> The reason is that I have to capture http traffic and redirect it through a
> local Apache Server that I have in my Linux box. The server has to be able to
> distinguish over hosts, and if I do SNAT in postrouting it will see the real
> ip address of the packet, and not the NAT'ed address. I wonder if maybe Apache
> has access to fields of the ip header (like TOS), because I would use these
> fields to make Apache distinguish clients.
>
Hi Eduard,
You will never get SNAT in PREROUTING in iptables/netfilter, because it
would seriously mess up filtering and connection tracking :-)
However, you should talk to Henrik Nordström of Squid proxy fame.
Here is his homepage with contact email address on it:
http://devel.squid-cache.org/hno/
Here's the reason: for a very long time in the 2.4 series, it was
impossible to do DNAT in the OUPUT chain (was a TODO item for
the netfilter developers). Henrik had a patch he wrote that allowed
DNAT in the OUTPUT chain and SNAT in the INPUT chain. This would
allow you to solve your problem.
However, apparently the SNAT part of the patch was quite intrusive,
and IIRC had issues with conntrack/nat helpers. At 2.4.19-pre time,
the "DNAT in OUTPUT" part of the patch was aacepted by the netfilter
coreteam and merged, but the "SNAT in INPUT" part of the patch got
rejected. There was some discussion, and part of why it didn't get
merged was that there weren't enough real-world scenario's people
could come up with to convince the coreteam to accept this
(the intrusiveness of the patch probably being another major
reason :-)).
I guess Henrik, being a Squid lead developer, could see the usefulness
of this patch at the time. I think an obsolete version of the patch
is still in the netfilter patch-o-matic. It will almost certainly
not apply to 2.4.20-pre/rc/final because of the newnat merge.
Henrik's a very nice and helpful guy, so you may try emailing him
about your problem - he may offer some help or additional insight.
It would be nice to subscribe to the netfilter-devel list for your
problem and include the netfilter developers in the mailloop. The
information I am presenting you is many months old so there may
be stuff I am missing and people may have new insights into the
problem...
Regards,
Filip
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 4+ messages in thread