Network routing issue

Network routing issue

[Luesley, William]

I have two devices setup as follows:


          A --------------- B
192.168.1.1                 192.168.1.2


The machines open a number of TCP and UDP ports with which to communicate.
In order to help testing, I have been asked to place a third machine between
these two which will be capable of intercepting and modifying any messages.
My initial plan was to have a device which could mimic both ends of the
connection (as I already have code to do this); with each connection being
on a separate NIC, leading to a setup as shown below:

          A ------------ C  C  ---------- B
192.168.1.1    192.168.1.2  192.168.1.1   192.168.1.2
                    (eth0)  (eth1)

The obvious problem with this is that as C implements both ends of the
interface, any messages it sends are routed internally, rather than being
sent to the correct host.

I thought it would be possible to correct this by specifying the host routes
using the route command, i.e. setting a route to 192.168.1.1 via device eth0
and to 192.168.1.2 via eth1, therefore stopping the internal routing from
occurring. Even with these routes setup, the messages are still routed
internally.



Can the route somehow be forced?

If not, is there a way to stop the internal routing, preferably without a
code change to the kernel (if it is a code change - can someone point me
towards the file)?

Can I use IP Tables, how?

Or, am I on totally the wrong track?


Thanks for peoples time spent reading and looking into this.







********************************************************************
This email and any attachments are confidential to the intended
recipient and may also be privileged. If you are not the intended
recipient please delete it from your system and notify the sender.
You should not copy it or use it for any purpose nor disclose or
distribute its contents to any other person.
********************************************************************

Re: Network routing issue

[Paul Jakma]

On Tue, 10 Aug 2004, Luesley, William wrote:

> In order to help testing, I have been asked to place a third machine between
> these two which will be capable of intercepting and modifying any messages.

> My initial plan was to have a device which could mimic both ends of the
> connection (as I already have code to do this); with each connection being
> on a separate NIC, leading to a setup as shown below:
>
>          A ------------ C  C  ---------- B
> 192.168.1.1    192.168.1.2  192.168.1.1   192.168.1.2
>                    (eth0)  (eth1)

> Can I use IP Tables, how?
>
> Or, am I on totally the wrong track?

You're on the wrong track. C doesnt even need IP addresses, two 
choices:

- C as bridge and use ebtables (C doesnt even need addresses 
theoretically)

- C as router, use iptables. C needs one or more addresses which must 
be different.

regards,
-- 
Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
Fortune:
Violence is a sword that has no handle -- you have to hold the blade.

Re: Network routing issue

[Richard B. Johnson]

On Tue, 10 Aug 2004, Luesley, William wrote:

>
> I have two devices setup as follows:
>
>
>           A --------------- B
> 192.168.1.1                 192.168.1.2
>
>
> The machines open a number of TCP and UDP ports with which to communicate.
> In order to help testing, I have been asked to place a third machine between
> these two which will be capable of intercepting and modifying any messages.
> My initial plan was to have a device which could mimic both ends of the
> connection (as I already have code to do this); with each connection being
> on a separate NIC, leading to a setup as shown below:
>
>           A ------------ C  C  ---------- B
> 192.168.1.1    192.168.1.2  192.168.1.1   192.168.1.2
>                     (eth0)  (eth1)
>
> The obvious problem with this is that as C implements both ends of the
> interface, any messages it sends are routed internally, rather than being
> sent to the correct host.
>
> I thought it would be possible to correct this by specifying the host routes
> using the route command, i.e. setting a route to 192.168.1.1 via device eth0
> and to 192.168.1.2 via eth1, therefore stopping the internal routing from
> occurring. Even with these routes setup, the messages are still routed
> internally.
>
>
>
> Can the route somehow be forced?
>
> If not, is there a way to stop the internal routing, preferably without a
> code change to the kernel (if it is a code change - can someone point me
> towards the file)?
>
> Can I use IP Tables, how?
>
> Or, am I on totally the wrong track?
>
>
> Thanks for peoples time spent reading and looking into this.
>
>
>
>
>

`ifconfig lo down` should force your stuff to go through the
ethernet for testing.

Cheers,
Dick Johnson
Penguin : Linux version 2.4.26 on an i686 machine (5570.56 BogoMips).
            Note 96.31% of all statistics are fiction.

RE: Network routing issue

[Luesley, William]

> `ifconfig lo down` should force your stuff to go through the
> ethernet for testing.

Thanks for the reply but I'm looking for a more 'permanent' solution.
Knocking out the loopback device has a number of consequences that kill my
program (and KDE!).


Will

********************************************************************
This email and any attachments are confidential to the intended
recipient and may also be privileged. If you are not the intended
recipient please delete it from your system and notify the sender.
You should not copy it or use it for any purpose nor disclose or
distribute its contents to any other person.
********************************************************************

RE: Network routing issue

[Luesley, William]

>> In order to help testing, I have been asked to place a third machine
between
>> these two which will be capable of intercepting and modifying any
messages.

>> My initial plan was to have a device which could mimic both ends of the
>> connection (as I already have code to do this); with each connection
being
>> on a separate NIC, leading to a setup as shown below:
>>
>>          A ------------ C  C  ---------- B
>> 192.168.1.1    192.168.1.2  192.168.1.1   192.168.1.2
>>                    (eth0)  (eth1)

>> Can I use IP Tables, how?
>>
>> Or, am I on totally the wrong track?

>You're on the wrong track. C doesnt even need IP addresses, two 
>choices:

>- C as bridge and use ebtables (C doesnt even need addresses 
>theoretically)

>- C as router, use iptables. C needs one or more addresses which must 
>be different.

My problem is I need to modify the messages before passing them on.  As far
as I'm aware, bridges don't do that - but then I'm a newbie when it comes to
bridging!

********************************************************************
This email and any attachments are confidential to the intended
recipient and may also be privileged. If you are not the intended
recipient please delete it from your system and notify the sender.
You should not copy it or use it for any purpose nor disclose or
distribute its contents to any other person.
********************************************************************

Re: Network routing issue

[David Greaves]

>>You're on the wrong track. C doesnt even need IP addresses, two 
>>choices:
>>    
>>
>>- C as bridge and use ebtables (C doesnt even need addresses 
>>theoretically)
>>    
>>
>>- C as router, use iptables. C needs one or more addresses which must 
>>be different.
>>    
>>
>My problem is I need to modify the messages before passing them on.  As far
>as I'm aware, bridges don't do that - but then I'm a newbie when it comes to
>bridging!
>  
>
http://www.spinics.net/lists/netfilter/msg13455.html

http://ebtables.sourceforge.net/documentation.html

I don't know if it will do what you want 'out of the box'

if not then the sensible thing to do would be to route and setup:

          A ------------ C  C  ---------- B
192.168.1.1    192.168.1.2  192.168.2.1   192.168.2.2

and use iptables to do user space packet filtering.

http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-4.html#ss4.7
http://www.lowth.com/howto/iptables-treasures.php

I saw that ebtables can use iptables modules (with some hacking)

David

RE: Network routing issue

[Paul Jakma]

On Tue, 10 Aug 2004, Luesley, William wrote:

> My problem is I need to modify the messages before passing them on. 
> As far as I'm aware, bridges don't do that - but then I'm a newbie 
> when it comes to bridging!

Well, I'm not sure what ebtables can do.

If you can modify the routes on A and B (ie route A via C on B, B via 
C on A), then you can use iptables to modify the packet in various 
ways, or even DNAT to redirect the packets to a local port.

regards,
-- 
Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
Fortune:
Si jeunesse savait, si vieillesse pouvait.
 	[If youth but knew, if old age but could.]
 		-- Henri Estienne