* Re: ARP Help (was - [LARTC] snooping - plan B)
From: Jim Redman @ 2003-07-30 16:01 UTC (permalink / raw)
  To: lartc

Thanks for the help from the list so far.  It's now reduced to an ARP 
problem.

host0
192.168.253.1----snoopy(eth0 192.168.253.254)

Now ping 192.168.253.2 and get snoopy to respond.  This can be done 
with netfilter (but not, apparently with ip).

iptables -A PREROUTING -t nat -p icmp -d 192.168.253.2 -j DNAT --to 192.168.253.254
/sbin/arp -i eth0 -Ds 192.168.253.2 eth0 pub

gets you a "host unreachable" from 192.168.253.1

BUT if on host0 you:

/sbin/arp -s 192.168.253.2  HWADDR

then ping goes through.

Help from ARP experts (or others!) much appreciated.

Jim

On 2003.07.30 00:49, Martin A. Brown wrote:
> Jim,
> 
> First, let me say that I may not have caught all of your plan...but here
> goes....
> 
> If you really wish to modify application layer data, shouldn't you be
> looking at divert sockets [1], tun/tap usage [2], or optimally home-grown
> code?
> 
>  : OK, assuming this to be impossible.  Let's try the ARP approach.  I
>  : want to set up eth0 with ip 192.168.3.1 nat all packet addressed to
>  : 192.168.1.1 to 192.168.3.1 and ARP the address of 192.168.1.1 into
>  : eth0.  I still have some problems, any suggestions appreciated.
>  : Here's what I've tried (along with many variations):
> 
> Hmmmmm....  I haven't ever tried to do exactly what you seem to suggest
> here, but this may be an interesting approach.  If you are going to use
> NAT to solve your problem, you can try NATting each host into the other.
> 
>  : arp -i eth0 -Ds 192.168.1.1 eth0 pub
>  : ip route add nat 192.168.1.1 via 192.168.3.1
>  : ip rule add from 192.168.3.1 nat 192.168.1.1
> 
>  [ Note: I'm using the IP ranges you suggested in a prior mail. ]
> 
>   host-0                  +--------+               host-1
> 192.168.253.1 <--> eth0 <-- snoopy --> eth1 <--> 192.168.253.2
>                           +--------+
> 
> Assuming that you want host-0 to reach host-1, but only through
> snoopy,
> and you don't want to alter any network addressing on either host-0 or
> host-1:
> 
> # ip route add 192.168.253.1 dev eth0
> # ip route add 192.168.253.2 dev eth1
> # ip route add nat 192.168.253.102 via 192.168.253.2 iif eth0
> # ip rule add nat 192.168.253.102 from 192.168.253.2 iif eth1
> # ip route add nat 192.168.253.101 via 192.168.253.1 iif eth1
> # ip rule add nat 192.168.253.101 from 192.168.253.1 iif eth0
> 
> The nat route entry in the local routing table will take care of the ARP
> advertising for you, so any packets from host-0 addressed to
> 192.168.253.102 should end up on 192.168.253.2, but with a source address
> of 192.168.253.101.
> 
> So, a packet from host-0 to host-1 will look like this....
> 
>            host-0 side of      snoopy      host-1 side of
> 
>  Source: 192.168.253.1                   192.168.253.101
>    Dest: 192.168.253.102                 192.168.253.2
> 
> To me, this looks terribly convoluted and rather messy, not to mention
> that I have never tried it!  Nonetheless, I think this should work,
> provided that the nat IPs you choose are not in use anywhere else in your
> 192.168.253.0/24 network.
> 
>  : this alone is not sufficient, so I've tried adding routes for
>  : 192.168.1.1
>  : ip route add 192.168.1.1 dev eth0
>  : and so forth.  I haven't yet been successful and would appreciate any
>  : help.
> 
> Now, if I might make another recommendation....
> 
> Take a look at bridging [3].  This project has been maturing very nicely,
> and there have been very happy rumbles from people using the linux
> bridging code.  With the help of IP mode [4], you may get the control you
> desire.  Also look at the bridge + firewall documentation [5] and make
> sure to fetch the br+nf patches if you are using a 2.4 kernel [6].
> 
> Good luck,
> 
> -Martin
> 
>   [1]  http://152.45.4.41/~divert/index.shtml
>   [2]  http://vtun.sourceforge.net/tun/
>   [3]  http://bridge.sourceforge.net/
>   [4]  http://www.ssi.bg/~ja/bridging.txt
>   [5]  http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
>   [6]  http://sourceforge.net/projects/ebtables/
> 
> 
> --
> Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
> 

-- 

Jim Redman
(505) 662 5156 x85
http://www.ergotech.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
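The proxy entry Jim is publishing on snoopy makes snoopy answer ARP for an address that belongs to another machine. Seen from the rest of the segment, that is the same event an arpwatch-style monitor is built to flag (an IP whose answering MAC changes), and it is also why the static `arp -s` on host0 sidesteps the problem: a pinned entry never asks the wire. The following Python monitor is an added illustration, not code from either poster or from the LARTC project. It decodes constructed ARP reply frames, keeps an IP-to-MAC table, and raises an alert when an address flips, when a reply contradicts a pinned entry, or when the ARP sender hardware address disagrees with the Ethernet source. Only the IP addresses come from the thread; the MAC addresses, the frames and the names `parse_arp_frame`, `build_arp_reply`, `ArpWatcher` and `run_demo` are my own assumptions.

```python
"""Added example: an arpwatch-style ARP reply monitor run over constructed frames.

Not from the LARTC thread. The frames, MAC addresses and function names are
constructed for illustration; only the IP addresses come from the thread."""
import struct

ETH_P_ARP = 0x0806      # EtherType for ARP
ARP_OP_REPLY = 2        # ARP opcode: reply
FRAME_MIN = 14 + 28     # Ethernet II header + ARP packet for IPv4 over Ethernet


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes):
    """Decode an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet.

    Returns a dict with the opcode and sender/target addresses, or None when
    the frame is not ARP, is too short, or has unexpected field sizes."""
    if len(frame) < FRAME_MIN:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"op": op, "eth_src": mac_str(src),
            "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """Build a constructed ARP reply frame for offline testing only.

    eth_src lets a test craft a frame whose Ethernet source differs from the
    ARP sender hardware address, an inconsistency a monitor should flag."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac),
                      mac_bytes(eth_src or sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_OP_REPLY,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


class ArpWatcher:
    """Track which MAC answers for each IP; flag changes and conflicts."""

    def __init__(self, pinned=None):
        self.table = {}                   # ip -> MAC learned from replies
        self.pinned = dict(pinned or {})  # ip -> MAC that must not change (like `arp -s` on host0)
        self.alerts = []

    def observe(self, frame: bytes):
        """Feed one frame; return an alert string, or None if nothing is wrong."""
        pkt = parse_arp_frame(frame)
        if pkt is None or pkt["op"] != ARP_OP_REPLY:
            return None
        ip, mac = pkt["spa"], pkt["sha"]
        alert = None
        if pkt["eth_src"] != mac:
            alert = f"{ip}: ARP sender {mac} differs from Ethernet source {pkt['eth_src']}"
        elif ip in self.pinned and self.pinned[ip] != mac:
            alert = f"{ip}: reply from {mac} conflicts with pinned {self.pinned[ip]}"
        elif ip in self.table and self.table[ip] != mac:
            alert = f"{ip}: changed from {self.table[ip]} to {mac}"
        self.table[ip] = mac   # remember the latest answer, as arpwatch does
        if alert:
            self.alerts.append(alert)
        return alert


# Constructed MAC addresses (locally administered, not real hardware).
HOST0_MAC = "02:00:00:00:00:01"     # 192.168.253.1
HOST1_MAC = "02:00:00:00:00:02"     # the machine that really owns 192.168.253.2
SNOOPY_MAC = "02:00:00:00:00:fe"    # snoopy eth0, 192.168.253.254


def run_demo():
    """Replay the thread's situation: host-1 answers for .2, then snoopy
    (with a published proxy entry) answers for the same address."""
    watcher = ArpWatcher()
    frames = [
        build_arp_reply(HOST1_MAC, "192.168.253.2", HOST0_MAC, "192.168.253.1"),
        build_arp_reply(SNOOPY_MAC, "192.168.253.2", HOST0_MAC, "192.168.253.1"),
        build_arp_reply(SNOOPY_MAC, "192.168.253.2", HOST0_MAC, "192.168.253.1",
                        eth_src=HOST1_MAC),  # inconsistent headers: flagged
        b"\x00" * 60,                        # not ARP at all: ignored
    ]
    for f in frames:
        watcher.observe(f)
    return watcher.alerts


if __name__ == "__main__":
    for a in run_demo():
        print("ALERT", a)
```

Run as a script it prints two alerts: the address flip from host-1's MAC to snoopy's, then the header mismatch. Seeding `ArpWatcher(pinned={...})` with host0's static mapping reproduces the effect of Jim's `arp -s` workaround: the proxy reply is reported as a conflict instead of being learned silently.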


* Re: ARP Help (was - [LARTC] snooping - plan B)
From: Martin A. Brown @ 2003-07-31  2:37 UTC (permalink / raw)
  To: lartc

Jim,

I must be uncommonly dense, because I still haven't a clue what you are
trying to do.  I'll take one last stab at it, though.

 : host0
 : 192.168.253.1----snoopy(eth0 192.168.253.254)
 :
 : Now ping 192.168.253.2 and get snoopy to respond.  This can be done
 : with netfilter (but not, apparently with ip).

Accurate, as far as I know.

 : iptables -A PREROUTING -t nat -p icmp -d 192.168.253.2 -j DNAT --to 192.168.253.254

Sure.

 : /sbin/arp -i eth0 -Ds 192.168.253.2 eth0 pub
 : gets you a "host unreachable" from 192.168.253.1

Have you tried this?

  arp -s 192.168.253.2 -i eth0 -D eth0 pub

Sadly, /sbin/arp (at least on my test boxen) seems to be persnickety about
the order of arguments and options.

 : BUT if on host0 you:
 : /sbin/arp -s 192.168.253.2  HWADDR
 :
 : then ping goes through.
 : Help from ARP experts (or others!) much appreciated.

If you really wish to get your hands dirty with ARP, you can always have
ultimate control with "ip arp", a kernel + iproute2 patch.

  http://www.ssi.bg/~ja/#iparp

Bonne chance,

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
