* [LARTC] Masquerading as a certain IP
From: Joel @ 2001-04-05 1:41 UTC (permalink / raw)
To: lartc
Hi all,
I was just wondering if there's any way to specify what something is
masqueraded AS. Usually it ends up that packets are rewritten with the
primary address of the interface that the data goes out of, but is there any
way to have them rewritten with the IP of an aliased interface, or the IP of
another network card?
Thanks,
Joel
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/
* Re: [LARTC] Masquerading as a certain IP
From: Deepak singhal @ 2001-04-05 8:27 UTC (permalink / raw)
To: lartc
Hi Joel,
The IP is not masqueraded as the primary address of the interface, but it gets
masqueraded as the IP to which the gateway of the machine is specified, i.e. to
the IP/NIC from which it leaves the machine.
And yes, I would also like to know if it's possible to specify what IP it
gets masqueraded as; I also wanted to do the same for some application
scenario.
Regards
Deepak
----- Original Message -----
From: <Joel@airnet.com.au>
To: <lartc@mailman.ds9a.nl>
Sent: Thursday, April 05, 2001 6:59 AM
Subject: [LARTC] Masquerading as a certain IP
> Hi all,
> I was just wondering if there's any way to specify what something is
> masqueraded AS. Usually it ends up that packets are rewritten with the
> primary address of the interface that the data goes out of, but is there any
> way to have them rewritten with the IP of an aliased interface, or the IP of
> another network card?
>
> Thanks,
> Joel
* Re: [LARTC] Masquerading as a certain IP
From: Guy Van Den Bergh @ 2001-04-05 8:57 UTC (permalink / raw)
To: lartc
If you want to specify the address to use, you have to do source NAT (or
SNAT). With a 2.4.x kernel and iptables you can do this, I am not sure
whether real NAT is possible with 2.2.x kernels and ipchains.
In fact masquerading is a special case of source NAT, where you do not
have to specify the IP address to use, but where automatically the
address of the outgoing interface is used.
With iptables, you have to use the SNAT target instead of the MASQUERADE
target. You can read the iptables HOWTO or the iptables man page for
more information.
Guy
Deepak singhal wrote:
> Hi Joel,
>
> The IP is not masqueraded as the primary address of the interface, but it gets
> masqueraded as the IP to which the gateway of the machine is specified, i.e. to
> the IP/NIC from which it leaves the machine.
>
> And yes, I would also like to know if it's possible to specify what IP it
> gets masqueraded as; I also wanted to do the same for some application
> scenario.
>
> Regards
>
> Deepak
> ----- Original Message -----
> From: <Joel@airnet.com.au>
> To: <lartc@mailman.ds9a.nl>
> Sent: Thursday, April 05, 2001 6:59 AM
> Subject: [LARTC] Masquerading as a certain IP
>
>> Hi all,
>> I was just wondering if there's any way to specify what something is
>> masqueraded AS. Usually it ends up that packets are rewritten with the
>> primary address of the interface that the data goes out of, but is there any
>> way to have them rewritten with the IP of an aliased interface, or the IP of
>> another network card?
>>
>> Thanks,
>> Joel
* Re: [LARTC] Masquerading as a certain IP
From: worm @ 2001-04-05 14:23 UTC (permalink / raw)
To: lartc
Hi,
> I was just wondering if there's any way to specify what something is
> masqueraded AS.
Yes, it is described in the ip-cref documentation which is distributed with the
ip program. As far as I remember it is done by setting up special NAT rules
which NAT to the local address that you want to use for masquerading.
Christian
* Re: [LARTC] Masquerading as a certain IP
From: Mike Fedyk @ 2001-04-07 1:32 UTC (permalink / raw)
To: lartc
On Thu, Apr 05, 2001 at 02:23:12PM -0000, worm@dkik.dk wrote:
> Hi,
>
> > I was just wondering if there's any way to specify what something is
> > masqueraded AS.
>
> Yes, it is described in the ip-cref documentation which is distributed with the
> ip program. As far as I remember it is done by setting up special NAT rules
> which NAT to the local address that you want to use for masquerading.
Ahh, but this is not MASQ, which deals with multiple MASQed hosts on the
local lan.
You would have to be more specific on how you want to distribute the
traffic. Here's an example:
src lan dest port 80 mark 1 on incoming chain
mark 1 use table 5
ip ro add default via gw src ip table 5
<repeat>
this would put outgoing traffic on the ip you specify. Note that this won't
work on traffic generated by the gateway computer.
Also, this is untested, YMMV.
Mike
* Re: [LARTC] Masquerading as a certain IP
From: Christian Worm Mortensen @ 2001-04-07 5:37 UTC (permalink / raw)
To: lartc
Hi,
> > > I was just wondering if there's any way to specify what something is
> > > masqueraded AS.
> >
> > Yes, it is described in the ip-cref documentation which is distributed with the
> > ip program. As far as I remember it is done by setting up special NAT rules
> > which NAT to the local address that you want to use for masquerading.
>
> Ahh, but this is not MASQ, which deals with multiple MASQed hosts on the
> local lan.
Yes, but it can be set up with NAT rules according to ip-cref. And this is quite intuitive: if you NAT the source of a packet to your own address it seems reasonable to masquerade it.
Christian
* Re: [LARTC] Masquerading as a certain IP
From: bill @ 2001-04-07 8:44 UTC (permalink / raw)
To: lartc
On Fri, 6 Apr 2001, Mike Fedyk wrote:
> On Thu, Apr 05, 2001 at 02:23:12PM -0000, worm@dkik.dk wrote:
> > Hi,
> >
> > > I was just wondering if there's any way to specify what something is
> > > masqueraded AS.
> >
> > Yes, it is described in the ip-cref documentation which is distributed with the
> > ip program. As far as I remember it is done by setting up special NAT rules
> > which NAT to the local address that you want to use for masquerading.
>
> Ahh, but this is not MASQ, which deals with multiple MASQed hosts on the
> local lan.
>
> You would have to be more specific on how you want to distribute the
> traffic. Here's an example:
>
> src lan dest port 80 mark 1 on incoming chain
>
> mark 1 use table 5
>
> ip ro add default via gw src ip table 5
>
> <repeat>
>
> this would put outgoing traffic on the ip you specify. Note that this won't
> work on traffic generated by the gateway computer.
>
> Also, this is untested, YMMV.
FWIW, we have it set up this way and it works as you say. we use the
firewall marks and iproute2 tables to send some traffic out a 192k dsl
connection for recreational use and some traffic out a t1 for work-related
use. the traffic is routed based on source ip address, and all ips to be
masq'd are on the same 192.168/24 network.
a single, simple masquerade rule in iptables picks the right source
address based on whichever gateway is used. i don't notice any loss in
throughput on either connection.
these are the commands that we use:
    # dsl_out must be a named table in /etc/iproute2/rt_tables
    ip rule add fwmark 5 lookup dsl_out
    ip route add default via $DSL_OUT_GW table dsl_out
    ip route flush cache
    for i in 52 55 101 102 103 104; do   # (etc...)
        # workstations using the 192k DSL; no netmask, so only this
        # host matches (a /24 here would match the whole subnet)
        iptables -t mangle -A PREROUTING \
            -s 192.168.5.${i} ! -d $REAL_NET \
            -j MARK --set-mark 5
    done
    # all others use T1 (which is the default gw)
    iptables -t nat -A POSTROUTING \
        -s 192.168.5.0/24 ! -d $REAL_NET \
        -j MASQUERADE
where $REAL_NET is our assigned routable ip block
hope this helps...
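Added example, not part of any message in this thread: the SNAT target from Guy's reply combined with the fwmark routing in bill's setup, so that marked hosts leave with a chosen source address instead of whatever MASQUERADE picks. The function names, eth1 and the 192.0.2.x addresses are constructed; the script only prints the commands.

```shell
#!/bin/sh
# Added example: prints (never runs) the commands for one marked uplink,
# using SNAT --to-source in place of MASQUERADE.
# eth1, 192.0.2.1 and 192.0.2.10 are constructed values.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0..255
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# uplink_rules MARK TABLE GATEWAY OUT_IF SNAT_ADDR LAN_NET HOST...
uplink_rules() {
    [ $# -ge 7 ] || { echo "usage: uplink_rules MARK TABLE GW IF SNAT LAN HOST..." >&2; return 2; }
    mark=$1 table=$2 gw=$3 oif=$4 snat=$5 lan=$6
    shift 6
    # validate every address before printing anything
    for a in "$gw" "$snat" "$@"; do
        valid_ipv4 "$a" || { echo "invalid IPv4 address: $a" >&2; return 1; }
    done
    echo "ip rule add fwmark $mark lookup $table"
    echo "ip route add default via $gw dev $oif table $table"
    for host in "$@"; do
        # bare host address: only this workstation is marked
        echo "iptables -t mangle -A PREROUTING -s $host -j MARK --set-mark $mark"
    done
    # SNAT_ADDR must be routed to this box (e.g. an alias on OUT_IF),
    # otherwise replies never come back
    echo "iptables -t nat -A POSTROUTING -s $lan -o $oif -m mark --mark $mark -j SNAT --to-source $snat"
}

# constructed sample: two LAN hosts leave via eth1 as 192.0.2.10
uplink_rules 5 dsl_out 192.0.2.1 eth1 192.0.2.10 192.168.5.0/24 \
    192.168.5.52 192.168.5.55
```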