* [LARTC] same address range, different interfaces
From: Ira Abramov @ 2003-11-19 12:38 UTC (permalink / raw)
To: lartc
Hello people,
I have a router machine, kernel 2.4.20 with 4 physical interfaces (but
many more virtual ones over different VLANs). We need to NAT/route
between hosts on different VLANs, but with the same address; for
instance, 10.0.0.2 reachable via eth0.2 needs to talk to 10.0.0.2 which
is on eth0.3.
Clearly if they were on different subnets this would pose no problem, but I
want to create an iproute2-based setup where they each know each other
by a different address, as set on the router; for instance, one could
access the other at 10.1.1.2 and the other would access the first one at
10.1.2.2.
in other words:
Host A[]--------[Router]------[]Host B
A and B's address is the same,
each knows the other at addresses A' and B' as NATed by the router. This
solution should logically be possible with iproute2, but I have exhausted
Google and this list's archives trying to find documentation for this.
Just adding a rule and a route for each, as the FAQs list for static
NAT, does not give the expected results. I'll forward here any outputs you
may be interested in; let me know how I can help you help me.
Our final goal is to be able to do a proof of concept of this with N
physical interfaces and M VLANs on each, and see what the limits and
overheads are.
thanks in advance,
Ira
--
On orange alert
Ira Abramov
http://ira.abramov.org/email/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] same address range, different interfaces
From: Ira Abramov @ 2003-11-19 15:44 UTC (permalink / raw)
To: lartc
Quoting Ira Abramov, from the post of Wed, 19 Nov:
> I have a router machine, kernel 2.4.20 with 4 physical interfaces (but
> many more virtual ones over different VLANs). we need to NAT/route
> between hosts on different VLANs, but with the same address, for
> instance, 10.0.0.2 reachable via eth0.2 needs to talk to 10.0.0.2 which
> is on eth0.3.
I'll simplify it further.
What I need is a mechanism that translates the source BEFORE routing and
then the destination AFTER routing. Is that possible with iproute2, or do I
need to resort to netfilter?
--
All rights reserved
Ira Abramov
http://ira.abramov.org/email/
* Re: [LARTC] same address range, different interfaces
From: Ira Abramov @ 2003-11-20 9:44 UTC (permalink / raw)
To: lartc
Quoting David Ruggles, from the post of Wed, 19 Nov:
> (Someone with more knowledge tell me if I'm wrong)
Well, I'm no veteran either, but the man page said one can only do DNAT
in OUTPUT and PREROUTING while SNAT works only in POSTROUTING, which is
the other way around from what I need...
> As far as I know the only way to modify packet addresses is to use the
> PREROUTING and POSTROUTING chains in the nat table.
>
> An example might be
>
> Machine A ip 10.0.0.2 ----> Gateway ip 10.0.0.1 eth0 <-> Gateway ip 10.0.0.3
> eth1 ----> Machine B ip 10.0.0.2
>
> On Gateway issue following:
>
> iptables -t nat -A PREROUTING -i eth0 -d 10.0.0.1 -j DNAT --to-destination 10.0.0.2
> iptables -t nat -A POSTROUTING -o eth1 -d 10.0.0.2 -j SNAT --to-source 10.0.0.1
>
> I'm not sure this will work though because how will the gateway know to send
> 10.0.0.2 out eth1 and not back out eth0?
My problem precisely...
--
A little something for the ladies
Ira Abramov
http://ira.abramov.org/email/
* Re: [LARTC] same address range, different interfaces
From: Ira Abramov @ 2003-11-20 15:32 UTC (permalink / raw)
To: lartc
Hey there, I wish people threw in more ideas...
What I tried now is this: my problem is that I need to route the packet
on the way out according to the original destination, but the only place
it will NAT the destination is before routing, so what I did was mark
packets with the netfilter MARK target and then have iproute2's code
select the routing table based on the fwmark. It's convoluted but should
work in theory:
1) MARK the incoming packet in table mangle on chains PREROUTING and
OUTPUT
2) add a rule to the RPDB to map the NAT source based on the source and
iface it came by, and then it goes to table main by default
(problem! it should be a map based on the destination!)
3) open a new table (same ID as the MARK for convenience) and add NAT to
destination back to its real address (thus losing the original
target; all I have left is the MARK to route with)
4) packet goes back to traverse the RPDB, where I catch it with another,
lower priority rule than (2) based on the fwmark, sending it to the
table I opened in (3) where I have a route to the right interface for
the real address.
Now this would work in theory if I could do (2) as NAT and then traverse
the RPDB again without sending it to a specific lookup table. Is this
making sense? Or can I send it to the local table and it will traverse
the rest of the RPDB when it gives up? Am I missing another way of doing
this without a routing table per interface?
Any and all help is appreciated in advance,
Thanks,
Ira.
--
The little prince
Ira Abramov
http://ira.abramov.org/email/
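The following is an added example, not code posted by Ira or anyone else in this thread, showing one way to wire up the fwmark idea from the message above so that the destination is rewritten before routing, the packet is still routed by its original alias destination, and the source is rewritten after routing. It assumes (all of this is mine, not the thread's) VLAN sub-interfaces named eth0.<id>, the same real prefix 10.0.0.0/24 on every VLAN, an alias prefix 10.1.<id>.0/24 under which VLAN <id> is seen by the others, and the iptables NETMAP target (patch-o-matic on a 2.4.20-era kernel, mainline in later ones). The APPLY switch and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: 1:1 NAT between VLANs that reuse the
# same address range, with fwmark-based policy routing so the packet is
# routed by its ORIGINAL (pre-DNAT) destination.
#
# Assumptions (mine, not the thread's): VLAN sub-interfaces are eth0.<id>;
# every VLAN uses the real prefix 10.0.0.0/24; VLAN <id> is seen by the
# others under the alias prefix 10.1.<id>.0/24; the NETMAP target exists.
# Commands are printed by default; set APPLY=1 to execute them (needs root).

REAL=10.0.0.0/24

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

alias_net() { echo "10.1.$1.0/24"; }

# One mark per ordered VLAN pair: high byte = ingress VLAN, low byte = egress VLAN.
mark_for() { printf '0x%02x%02x' "$1" "$2"; }

# Per-VLAN setup: a routing table whose only route reaches the real prefix
# through that VLAN, and no reverse-path filtering (the main table can hold
# 10.0.0.0/24 on one interface only, so rp_filter would drop the others).
setup_vlan() {
    id=$1
    run ip route add "$REAL" dev "eth0.$id" table "$id"
    run sh -c "echo 0 > /proc/sys/net/ipv4/conf/eth0.$id/rp_filter"
}

# One direction of traffic: packets entering VLAN $1 addressed to VLAN $2's alias.
nat_direction() {
    src=$1 dst=$2
    mark=$(mark_for "$src" "$dst")
    # 1) mangle PREROUTING runs before nat PREROUTING: record the original
    #    alias destination in the fwmark while it still exists.
    run iptables -t mangle -A PREROUTING -i "eth0.$src" -d "$(alias_net "$dst")" \
        -j MARK --set-mark "$mark"
    # 2) Rewrite alias -> real destination before routing (DNAT side of NETMAP).
    run iptables -t nat -A PREROUTING -i "eth0.$src" -d "$(alias_net "$dst")" \
        -j NETMAP --to "$REAL"
    # 3) Route by the mark, not by the now ambiguous 10.0.0.x destination.
    run ip rule add fwmark "$mark" table "$dst"
    # 4) POSTROUTING cannot match the ingress interface, but the mark is still
    #    there: present the sender under its own VLAN's alias prefix.
    run iptables -t nat -A POSTROUTING -m mark --mark "$mark" -o "eth0.$dst" \
        -j NETMAP --to "$(alias_net "$src")"
}

# Wire up two VLANs in both directions. conntrack reverses the NAT on reply
# packets by itself, but a reply still needs its own mark and rule to be
# routed back to the right VLAN; the reverse call provides exactly that.
nat_pair() {
    setup_vlan "$1"
    setup_vlan "$2"
    nat_direction "$1" "$2"
    nat_direction "$2" "$1"
}

nat_pair 2 3
```

Two caveats worth knowing before building the N-interface, M-VLAN proof of concept the first message asks about. First, `ip rule add` without `pref` lands just above the main table lookup, which is what you want here, but give the rules explicit priorities once there are many of them. Second, the conntrack tuple is addresses, ports and protocol only; it does not contain the interface, so two hosts that share 10.0.0.2 on different VLANs and talk to the same alias destination from the same source port collide in the connection table. Later kernels (2.6.34 onwards) added conntrack zones for exactly this overlapping-address situation; on a 2.4 kernel the only defence is to keep such flows from sharing a destination.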