* [LARTC] Routing / masquerading advice needed.
@ 2003-03-19 17:12 G. Georgiev
  2003-03-19 17:33 ` Martin A. Brown
  0 siblings, 1 reply; 2+ messages in thread
From: G. Georgiev @ 2003-03-19 17:12 UTC (permalink / raw)
  To: lartc

        Hello,

        Have a non-standard routing / masquerading issue to which I still
cannot imagine a solution.

        The problem: I need to create several encrypted links to a remote
side - VPN.GALILEO.COM - from a single Linux machine, a gateway for a new
branch office. The problem comes from the fact that for every link the remote
side assigns me a different address. This way I end up having several
local interfaces (ppp0, ppp1, ...) with different addresses that communicate
with the same address on the other end.

        However, the package (Focalpoint emulator) that I run in several
copies on the SAME computer behind the firewall has to communicate with the
'SERVER' on the other end, every copy via one and only one of those channels,
determined by the login name/address assigned when I create the channel, else
packets are discarded. The emulator uses one port to communicate with the
server, all emulators executing connect() to the same remote port, and of
course getting an ephemeral port after the connection is accept()ed.

    emulator 1 \          /-gw/ppp0 --encrypted ----\
    emulator 2 -my net--gw/ppp1 -------------------- other end ---- SERVER
    emulator x /         \- gw/ppp* -------------------/


        So, I need to masquerade packets via those interfaces at my gw - no
problem, but how do I route them if they all have the same destination
address, but packets originating from different copies of the same
application should use different channels?

	If there is a possibility to change the packet DESTINATION address AFTER
routing is done, this may do the job - I will configure my emulators to contact
the near end of the ppp channel - they all have different addresses - and just
before delivering the packet to the ppp link change the address to the 'SERVER'
one.

	Another way is to somehow distinguish between different copies of the emulator
and to make different routing tables for them - but it is not clear how.

        In general, I have to make my gateway lie to the other end that every
copy of the emulator runs on a different computer. How?

        Any ideas appreciated, George.


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] Routing / masquerading advice needed.
  2003-03-19 17:12 [LARTC] Routing / masquerading advice needed G. Georgiev
@ 2003-03-19 17:33 ` Martin A. Brown
  0 siblings, 0 replies; 2+ messages in thread
From: Martin A. Brown @ 2003-03-19 17:33 UTC (permalink / raw)
  To: lartc


George,

I'm not certain I understand your problem completely, but I have a
suggestion.

vmfe=virtual machine focalpoint emulator

You have:

  - client machine (vmfe0, vmfe1, vmfe2, ...vmfeN)
  - gateway machine (ppp0, ppp1, ppp2, ...pppN)
  - server machine

Your requirements, if I understand correctly, are:

  - the server machine receives TCP connections from client vmfe0, initiated
    from the ppp0 IP
  - the gateway needs to be able to distinguish traffic between different
    sessions, and masquerade to the correct channel (the pppN links)

If so, why not allocate extra addresses on the client machine.  Let's say
that the client machine (running the emulators) is on 192.168.0.10/24.

# ip addr add 192.168.0.11/32 dev eth0
# ip addr add 192.168.0.12/32 dev eth0
# ip addr add 192.168.0.13/32 dev eth0

Now, force vmfe0 to bind to 192.168.0.10; force vmfe1 to bind to
192.168.0.11, and so forth.

Now, on gw:

# iptables -t nat -A POSTROUTING -d $SERVER -s $VMFE0 \
>   -j SNAT --to-source $PPP0_IP
# iptables -t nat -A POSTROUTING -d $SERVER -s $VMFE1 \
>   -j SNAT --to-source $PPP1_IP

Maybe this isn't a complete solution, but what do you think?  Would this
solve your problem?

-Martin


-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

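Added example, not part of the thread and not Martin's or George's code: a gateway-side script that completes the SNAT suggestion above with the policy routing it needs. The kernel makes the routing decision before the nat POSTROUTING chain, so `-j SNAT` rewrites the source address but never chooses the ppp link; with SNAT rules alone every packet to $SERVER follows the single route in the main table. (The other idea in the question, rewriting the destination after routing, is not available either: DNAT lives in PREROUTING/OUTPUT, before the routing decision.) Per emulator address the script installs a routing table in which $SERVER is reachable only over that link, an `ip rule` that selects the table by source address, the SNAT rule pinned to that interface with `-o`, and a FORWARD drop so that a packet whose link is down does not fall back to the main table and leave over another link with the wrong source. Interface names, the 192.168.0.1N client addresses, the 10.0.N.1 link addresses, the 203.0.113.10 server address, the table numbers and the APPLY switch are assumptions of this example. Commands are printed unless APPLY=1 is set, so the plan can be reviewed before it touches a live gateway.

```shell
#!/bin/sh
# Added example, not from the LARTC thread. Per-emulator policy routing plus
# SNAT on the branch-office gateway. All names and addresses are assumptions:
#   eth0          LAN side of the gateway
#   192.168.0.1N  address emulator N binds to on the client host
#   pppN          encrypted link N, local address assigned by the remote side
#   SERVER        the remote 'SERVER' (RFC 5737 documentation address here)
# Commands are printed unless APPLY=1, so the script can be reviewed first.
set -eu

SERVER="${SERVER:-203.0.113.10}"
TABLE_BASE=100      # routing table for link N is TABLE_BASE+N
APPLY="${APPLY:-0}"

run() {
    if [ "$APPLY" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# add_channel N CLIENT_ADDR PPP_DEV PPP_LOCAL_ADDR
#  1. table TABLE_BASE+N: the only route to $SERVER is over PPP_DEV
#  2. rule: packets from CLIENT_ADDR to $SERVER consult that table
#  3. nat: once routed over PPP_DEV, rewrite the source to PPP_LOCAL_ADDR
# The routing decision happens before nat/POSTROUTING, so step 2 is what
# picks the link; SNAT by itself would leave every packet on the main route.
add_channel() {
    n=$1; client=$2; dev=$3; local_addr=$4
    table=$((TABLE_BASE + n))
    run ip route add "$SERVER/32" dev "$dev" table "$table"
    run ip rule add from "$client/32" to "$SERVER/32" lookup "$table" pref "$((1000 + n))"
    run iptables -t nat -A POSTROUTING -s "$client/32" -d "$SERVER/32" \
        -o "$dev" -j SNAT --to-source "$local_addr"
}

# add_guard CLIENT_ADDR PPP_DEV
# When pppN disappears its route goes with it and the lookup falls through to
# the main table; rather than leak the packet over another link with no (or
# the wrong) source rewrite, drop it.
add_guard() {
    client=$1; dev=$2
    run iptables -A FORWARD -s "$client/32" -d "$SERVER/32" ! -o "$dev" -j DROP
}

main() {
    # Constructed mapping for three emulators; in practice pppd's ip-up hook
    # knows the local address of each link and can call add_channel itself.
    add_channel 0 192.168.0.10 ppp0 10.0.0.1
    add_channel 1 192.168.0.11 ppp1 10.0.1.1
    add_channel 2 192.168.0.12 ppp2 10.0.2.1
    add_guard 192.168.0.10 ppp0
    add_guard 192.168.0.11 ppp1
    add_guard 192.168.0.12 ppp2
    run ip route flush cache     # older kernels need this after rule changes
}

main
```

The `ip rule ... to $SERVER/32` restriction keeps the emulator host's other traffic on the main table, so only the server flows are steered; the `-o` on the SNAT rule ties the source rewrite to the interface the routing rule chose, which is what makes the server see one address per emulator. Because the rewrite is per source address, each emulator must really bind its socket to its own 192.168.0.1N address as Martin describes; a copy that binds to 0.0.0.0 will match whichever rule its default source address selects.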
