Change source address on incoming packets

Change source address on incoming packets

[Joel Vosu]

I would need to be able to change the source address of incouming 
packets. I have 2 different subnets, but I need the server to see the 
packes from the 2nd subnet as coming from the 1st.
in iptables it would be something like:
iptables -A PREROUTING -t nat -s 2nd_subnet -j SNAT --to-source 
local_machine
but this is not possible because SNAT only works for outgoing packets in 
POSTROUTING.
Is there a way to get this to work other than adding a second router box 
for NAT?
I tried to do it like this:
Added another IP address eth0:0 to the server,
added rules:
iptables -A PREROUTING -t nat -d eth0:0_ip -p tcp --dport server-port -j 
DNAT --to-destination eth0_ip:server_port
iptables -A POSTROUTING -t nat -d eth0_ip -p tcp --dport server_port -j 
SNAT --to-source eth0:0_ip
but when I check from: iptables -L -t nat -nv then the second rule does 
not get used at all. I presume the pacet intended for local machine does 
not traverse the outgoing part of the nat table.


Sincerely,
Joel

Re: Change source address on incoming packets

[Antony Stone]

On Sunday 09 May 2004 10:50 pm, Joel Vosu wrote:

> I would need to be able to change the source address of incouming
> packets. I have 2 different subnets, but I need the server to see the
> packes from the 2nd subnet as coming from the 1st.
> in iptables it would be something like:
> iptables -A PREROUTING -t nat -s 2nd_subnet -j SNAT --to-source
> local_machine
> but this is not possible because SNAT only works for outgoing packets in
> POSTROUTING.
> Is there a way to get this to work other than adding a second router box
> for NAT?

The only way I can think you'd be able to do this on one box is by hacking 
around the source for netfilter so you can use SNAT in PREROUTING.   You'd 
need to be careful about the auto-reverse NAT for reply packets, as well, to 
make sure they go back to the original machine.

Not impossible, by any means, but it's almost certainly easier to dig up an 
old 486 or Pentium and run NAT on that.

Regards,

Antony.

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Change source address on incoming packets

[Joel Vosu]

Antony Stone wrote:

>On Sunday 09 May 2004 10:50 pm, Joel Vosu wrote:
>
>  
>
>>I would need to be able to change the source address of incouming
>>packets. I have 2 different subnets, but I need the server to see the
>>packes from the 2nd subnet as coming from the 1st.
>>in iptables it would be something like:
>>iptables -A PREROUTING -t nat -s 2nd_subnet -j SNAT --to-source
>>local_machine
>>but this is not possible because SNAT only works for outgoing packets in
>>POSTROUTING.
>>Is there a way to get this to work other than adding a second router box
>>for NAT?
>>    
>>
>
>The only way I can think you'd be able to do this on one box is by hacking 
>around the source for netfilter so you can use SNAT in PREROUTING.   You'd 
>need to be careful about the auto-reverse NAT for reply packets, as well, to 
>make sure they go back to the original machine.
>
>Not impossible, by any means, but it's almost certainly easier to dig up an 
>old 486 or Pentium and run NAT on that.
>
>Regards,
>
>Antony.
>
>  
>
Thanks Antony,
But since I'm not that good at hacking source I hope I'll still find an 
easyer solution. As for the 486 or pentium part... if I cant find 
anything by tomorrow morning I'll have to use that. Right now I'm 
checking proxy applications if they can do what is required.

Joel

Re: Change source address on incoming packets

[John A. Sullivan III]

On Sun, 2004-05-09 at 17:50, Joel Vosu wrote:
> I would need to be able to change the source address of incouming 
> packets. I have 2 different subnets, but I need the server to see the 
> packes from the 2nd subnet as coming from the 1st.
> in iptables it would be something like:
> iptables -A PREROUTING -t nat -s 2nd_subnet -j SNAT --to-source 
> local_machine
> but this is not possible because SNAT only works for outgoing packets in 
> POSTROUTING.
> Is there a way to get this to work other than adding a second router box 
> for NAT?
> I tried to do it like this:
> Added another IP address eth0:0 to the server,
> added rules:
> iptables -A PREROUTING -t nat -d eth0:0_ip -p tcp --dport server-port -j 
> DNAT --to-destination eth0_ip:server_port
> iptables -A POSTROUTING -t nat -d eth0_ip -p tcp --dport server_port -j 
> SNAT --to-source eth0:0_ip
> but when I check from: iptables -L -t nat -nv then the second rule does 
> not get used at all. I presume the pacet intended for local machine does 
> not traverse the outgoing part of the nat table.
<snip>
I haven't tried or fully thought through any of these but here are a few
of the thoughts which came to my mind.

You may see the local packets in the POSTROUTING chain but on interface
lo instead of eth0.

If that doesn't work, I wonder if you can use iproute2.  It can do
stateless NAT independent of iptables (i.e., the reply packets will know
nothing of the original NAT and will need to have rules applied to them,
too).  I believe that will alter the packet after it leaves the
PREROUTING chain of the nat table. I'm not sure which address the filter
table will see.

You may also be able to do it with an iproute2 routing rule.  They can
be used to tell the server which ip to use for the source.  I haven't
looked at the details of doing this in a while so I do not recall if it
will do what you want off the top of my head.

In a recent RedHat distribution, you can find the iproute2 documentation
in /usr/share/doc/iproute-2.4.7/ip-cref.ps.  There is also a slide show
about using it in the training section on http://iscs.sourceforge.net.

Good luck - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 

Re: Change source address on incoming packets

[Joel Vosu]

Thanks for your answes, I got it working with pyproxy-1.6
http://freshmeat.net/projects/pyproxy/
it neatly changed the source address of all the packets and then 
forwarded them to the correct port.

Thanks again

Sincerely,

Joel Vosu
John A. Sullivan III wrote:

>On Sun, 2004-05-09 at 17:50, Joel Vosu wrote:
>  
>
>>I would need to be able to change the source address of incouming 
>>packets. I have 2 different subnets, but I need the server to see the 
>>packes from the 2nd subnet as coming from the 1st.
>>in iptables it would be something like:
>>iptables -A PREROUTING -t nat -s 2nd_subnet -j SNAT --to-source 
>>local_machine
>>but this is not possible because SNAT only works for outgoing packets in 
>>POSTROUTING.
>>Is there a way to get this to work other than adding a second router box 
>>for NAT?
>>I tried to do it like this:
>>Added another IP address eth0:0 to the server,
>>added rules:
>>iptables -A PREROUTING -t nat -d eth0:0_ip -p tcp --dport server-port -j 
>>DNAT --to-destination eth0_ip:server_port
>>iptables -A POSTROUTING -t nat -d eth0_ip -p tcp --dport server_port -j 
>>SNAT --to-source eth0:0_ip
>>but when I check from: iptables -L -t nat -nv then the second rule does 
>>not get used at all. I presume the pacet intended for local machine does 
>>not traverse the outgoing part of the nat table.
>>    
>>
><snip>
>I haven't tried or fully thought through any of these but here are a few
>of the thoughts which came to my mind.
>
>You may see the local packets in the POSTROUTING chain but on interface
>lo instead of eth0.
>
>If that doesn't work, I wonder if you can use iproute2.  It can do
>stateless NAT independent of iptables (i.e., the reply packets will know
>nothing of the original NAT and will need to have rules applied to them,
>too).  I believe that will alter the packet after it leaves the
>PREROUTING chain of the nat table. I'm not sure which address the filter
>table will see.
>
>You may also be able to do it with an iproute2 routing rule.  They can
>be used to tell the server which ip to use for the source.  I haven't
>looked at the details of doing this in a while so I do not recall if it
>will do what you want off the top of my head.
>
>In a recent RedHat distribution, you can find the iproute2 documentation
>in /usr/share/doc/iproute-2.4.7/ip-cref.ps.  There is also a slide show
>about using it in the training section on http://iscs.sourceforge.net.
>
>Good luck - John
>  
>