From: "Eduard Calvo (B-teljpa) EXP JAN 03" <ecalvo@mat.upc.es>
To: lartc@vger.kernel.org
Subject: [LARTC] SNAT based on MAC before routing
Date: Thu, 21 Nov 2002 09:08:59 +0000 [thread overview]
Message-ID: <marc-lartc-103786982304298@msgid-missing> (raw)
In-Reply-To: <marc-lartc-103781938125714@msgid-missing>
Hi Ramin,
Thanks for your answer. But this solution is not suitable for me. This would
be a good solution if the only thing I had to do was to route packets based on
MAC. The problem is that I have to SNAT before routing.
The reason is that I have to capture http traffic and redirect it through a
local Apache Server that I have in my Linux box. The server has to be able to
distinguish between hosts, and if I do SNAT in POSTROUTING it will see the real
IP address of the packet, and not the NAT'ed address. I wonder if maybe Apache
has access to fields of the IP header (like TOS), because I would use these
fields to make Apache distinguish clients.
Another solution is to implement a local process that, for each packet
captured, NATs the source address. But I don't know in which chain of iptables
it could leave the packets...
Do you know another suitable alternative??
Please excuse my English, it's not my native language.
Thank you in advance.
Eduard.
Message quoted from Ramin Alidousti <ramin@cannon.eng.us.uu.net>:
> As far as I know you cannot do SNAT in PREROUTING.
>
> If I understand your situation correctly what you can do
> is to mark the packets like you do below and route them
> with iproute2 according to that mark and at the very
> end of the packet flow in your linux box you can SNAT based
> on the MAC:
>
> 1) When the packet arrives:
> iptables -t mangle -A PREROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX -j MARK --set-mark 1
>
> 2) Use the mark to route the packet through the right interface:
> ip rule add fwmark 1 table 7
>
> 3) SNAT the packet right before it leaves the linux box:
> iptables -t nat -A POSTROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX -j SNAT --to a.b.c.d
>
>
> Ramin
>
> On Wed, Nov 20, 2002 at 08:09:17PM +0100, Eduard Calvo (B-teljpa) EXP JAN 03 wrote:
>
> >
> > Hi gurus,
> >
> > I need a way to do SNAT based on source MAC before routing. This is because
> > hosts attached to my gateway can have duplicate IP addresses, and I have to
> > distinguish between them.
> >
> > I tried to use the nat tool that comes with iproute2, but this forces me to
> > make a mapping only address to address, and I wanted to do it by mark (I also
> > use iptables to do that). For example, I tried to do this:
> >
> > iptables -t mangle -A PREROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX -j MARK --set-mark 1
> > ip rule add fwmark 1 nat to a.b.c.d lookup table <table>
> >
> > And so I also did:
> >
> > ip route add nat a.b.c.d via e.f.g.h
> > (where e.f.g.h. is the IP associated with mac XX:XX:XX:XX:XX:XX)
> >
> > This doesn't work.
> >
> > I also tried to do a loop with the packets, forwarding them for the first
> > time through the loopback interface (doing SNAT in POSTROUTING with iptables)
> > and routing correctly for the next time they come (having passed through lo).
> > I do this by marking the packets coming from the lo interface, and having a
> > corresponding ip rule that forces them to go through the correct output
> > interface (let it be eth1). This way, I would want to be able to make a
> > different routing policy for each host (because the NAT'ed address is
> > different for each one).
> > The only thing I observe is a funny looping that makes packets go round my
> > box until they die (TTL=0).
> >
> > Can someone help me, please?
> > Thanks in advance, and excuse my long mail.
> >
> > Eduard.
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
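Ramin's mark-then-route-then-SNAT recipe above, extended to several hosts at once, as an added example that is not part of the thread; it keys the POSTROUTING SNAT on the fwmark rather than on the MAC, since iptables' mac match only applies in the PREROUTING, INPUT and FORWARD chains. The MAC addresses, mark and table numbers, 192.0.2.x addresses and the WAN_IF/WAN_GW names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: Ramin's mark-then-route-then-SNAT
# recipe applied to several hosts with duplicate IPs. Every source MAC gets
# its own fwmark, routing table and SNAT address. Set DRY_RUN=1 to print
# the commands instead of executing them (the real run needs root).

# Constructed mapping, one host per line: "mac mark table snat_address"
HOSTS='
02:00:00:00:00:01 1 101 192.0.2.11
02:00:00:00:00:02 2 102 192.0.2.12
'
WAN_IF=eth1        # assumed upstream interface
WAN_GW=192.0.2.1   # assumed upstream gateway

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Succeeds only for a colon-separated 48-bit MAC, so a malformed entry
# cannot produce a rule that matches more than intended.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Install the rules for one host; returns 1 (and applies nothing) on a bad MAC.
apply_host() {
    mac=$1 mark=$2 table=$3 snat=$4
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    # 1) tag the packet by source MAC as it arrives
    run iptables -t mangle -A PREROUTING -m mac --mac-source "$mac" \
        -j MARK --set-mark "$mark"
    # 2) policy-route on the mark through a per-host table
    run ip rule add fwmark "$mark" table "$table"
    run ip route add default via "$WAN_GW" dev "$WAN_IF" table "$table"
    # 3) SNAT just before the packet leaves, keyed on the mark (the mac
    #    match is not available in POSTROUTING)
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -m mark --mark "$mark" \
        -j SNAT --to-source "$snat"
}

# Apply every entry of HOSTS; stops at the first bad entry.
apply_all() {
    printf '%s\n' "$HOSTS" | while read -r m k t s; do
        [ -n "$m" ] || continue
        apply_host "$m" "$k" "$t" "$s" || return 1
    done
}
```

Source the file and call `apply_all`; with `DRY_RUN=1` it prints the four rules per host instead of applying them.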