iptables + ebtables + snat question

iptables + ebtables + snat question

[Scott Phelps]

I have the following setup:

           LAN
            |
            |
           if0       ________
DMZ---if1     if2---|ROUTER|---INTERNET
          \   /      --------
           br0




LAN_NET = 10.0.0.1
PUBLIC_NET = 77.25.33.0/28
(14 hosts - broadcast = .15)

I am doing transparent bridging between
if1 and if2

My ROUTER ethernet iface has IP 77.25.33.1

my DMZ hosts will have public IPs ranging
77.25.33.2-14

My question is can Masquerade (SNAT) my LAN
IPs and use the ROUTER ethernet IP
as a --to-source target?

Or do I have to assign a IP to my br0 interface?
I am in deign mode so I was trying to figure out
if this is possible.

The rule would look like this:
$IPTABLES -t nat -A POSTROUTING \
-o $BR0 -j SNAT --to-source $ROUTER_IP

Can this work?

Re: iptables + ebtables + snat question

[Jan Engelhardt]

> I have the following setup:
>
> LAN
> | 
> | 
>          if0       ________
> DMZ---if1     if2---|ROUTER|---INTERNET
> \   /      --------
> br0

Your ascii art is totally broken. If you draw ascii at all, use a monospaced 
font!

> LAN_NET = 10.0.0.1
> PUBLIC_NET = 77.25.33.0/28
> (14 hosts - broadcast = .15)
>
> I am doing transparent bridging between if1 and if2
> My ROUTER ethernet iface has IP 77.25.33.1
> my DMZ hosts will have public IPs ranging 77.25.33.2-14
>
> My question is can Masquerade (SNAT) my LAN
> IPs and use the ROUTER ethernet IP
> as a --to-source target?

Yes.

> Or do I have to assign a IP to my br0 interface?

The bridge itself needs an IP if you want to SNAT to it. Otherwise this would 
happen:

PING from dmz (77.25.33.2) to google.com (216.239.37.99) via
the nexthop (e.g. 77.1.2.3).

The bridge SNATs to 77.25.33.1

The nexthop asks arp-who-has 77.25.33.1 -- no response.
If your bridge does not have an IP, you need some ebtable tricks to make an 
ARP reply.

> I am in deign mode so I was trying to figure out
> if this is possible.
>
> The rule would look like this:
> $IPTABLES -t nat -A POSTROUTING \
> -o $BR0 -j SNAT --to-source $ROUTER_IP
>
> Can this work?


Jan Engelhardt
-- 
| Alphagate Systems, http://alphagate.hopto.org/

Re: iptables + ebtables + snat question

[/dev/rob0]

On Friday 2005-August-12 17:41, Scott Phelps wrote:
> I have the following setup:
>
>            LAN
>             |
>             |
>            if0       ________
> DMZ---if1     if2---|ROUTER|---INTERNET
>           \   /      --------
>            br0

FWIW I think the ASCII drawing made perfect sense. I suspect MUA or 
perhaps MTA/MDA issues on Jan's part.

> LAN_NET = 10.0.0.1
> PUBLIC_NET = 77.25.33.0/28
> (14 hosts - broadcast = .15)

BTW I have a site which is using the broadcast IP for a host. You can 
get away with that if you aren't using anything on that subnet which 
needs broadcast. For example: DHCP, SMB. Hosts on the DMZ might answer 
pings of the broadcast IP, but that's a minor inconvenience.

> I am doing transparent bridging between
> if1 and if2
>
> My ROUTER ethernet iface has IP 77.25.33.1
>
> my DMZ hosts will have public IPs ranging
> 77.25.33.2-14
>
> My question is can Masquerade (SNAT) my LAN
> IPs and use the ROUTER ethernet IP
> as a --to-source target?

What will happen to the reply packets? If the router is doing the SNAT 
it should work fine. But if it's the machine with the bridge, no. The 
router will receive and drop those replies.

> Or do I have to assign a IP to my br0 interface?

That would work. Or have the bridge machine SNAT to 10.0.0.1, then do 
another layer of SNAT at the router. In either case the router has to 
have a route to 10.0.0.0/$NETMASK.

I take it you're feeling cramped with IP addresses in the /28. That's 
why I suggested using your broadcast IP. (I have tried setting the 
"-nobroadcast" option with ifconfig(8), but it fails.)

> I am in deign mode so I was trying to figure out
> if this is possible.

Try it out, but I think you need that IP on the bridge.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header

Re: iptables + ebtables + snat question

[Scott Phelps]

On Aug 13, 2005, at 2:23 PM, /dev/rob0 wrote:

> On Friday 2005-August-12 17:41, Scott Phelps wrote:
>
>> I have the following setup:
>>
>>            LAN
>>             |
>>             |
>>            if0       ________
>> DMZ---if1     if2---|ROUTER|---INTERNET
>>           \   /      --------
>>            br0
>>
>
> FWIW I think the ASCII drawing made perfect sense. I suspect MUA or
> perhaps MTA/MDA issues on Jan's part.

Thanks, BTW, I did use a fixed-width font.

>> Or do I have to assign a IP to my br0 interface?
>>
>
> That would work. Or have the bridge machine SNAT to 10.0.0.1

Right, Is there any reason to prefer SNATing through br0 over if2?
(I am not trying to add a ton of unnecessary complexity using ARP  
trickery)

Thanks for the help, BTW guys!

Re: iptables + ebtables + snat question

[Jan Engelhardt]

>>
>>            LAN
>>             |
>>             |
>>            if0       ________
>> DMZ---if1     if2---|ROUTER|---INTERNET
>>           \   /      --------
>>            br0
>
>FWIW I think the ASCII drawing made perfect sense. I suspect MUA or 
>perhaps MTA/MDA issues on Jan's part.

xterm and pine 4.61 - rob's ascii art looks fine, someone tinkered with the 
header of the OP?

Re: iptables + ebtables + snat question

[Grant Taylor]

Scott, do you have any control over the router?  Is the router running Linux?  The reason that I ask is that you *might* be able to do some things with it to allow you to put the internal IP of the router on your bridge box.

One really odd idea that I do have would be to sort of hijack one of the IPs of one of the boxen in your DMZ.  What I mean by this is if you have a system in your DMZ that you could ""barrow the IP from and get away with it go for it.  Let's say you have a system that is just a web server and send out traffic from 80 and 443 and that is about it.  There is no reason why you could not barrow it's IP and use ports above 30,000 for your LAN use.  You could do this by having your bridge direct any traffic that was destined to the DMZ server with a port 30,000 or higher in to the LAN and your DMZ server should be none the wizer.  You are just doing some psuedo Port Address Translation.  The idea behind this is that you would be able to safely hijack the IP of your DMZ server in cases where you knew that the traffic comming (back) in would not be destined to the real DMZ server.  If the traffi
 c destined to the DMZ server is below port 30,000 you would know to pass it on to the real
 DMZ server.

I would try to do something like the following with my bridging router:

1)  Add if0 to br0.
2)  Do something to prevent erroneous ARP replies for the borrowed DMZ IP.  This could possibly be done with EBTables or ARPTables on the if0 interface.  I'll have to do some more thinking on this one.
3)  Run this rule "ebtables -t broute -A BROUTING -m ip --ip-source-port 30000:65535 -j dnat --to-destination <mac of if0>"



Grant. . . .

Scott Phelps wrote:
> I have the following setup:
> 
>           LAN
>            |
>            |
>           if0       ________
> DMZ---if1     if2---|ROUTER|---INTERNET
>          \   /      --------
>           br0
> 
> LAN_NET = 10.0.0.1
> PUBLIC_NET = 77.25.33.0/28
> (14 hosts - broadcast = .15)
> 
> I am doing transparent bridging between
> if1 and if2
> 
> My ROUTER ethernet iface has IP 77.25.33.1
> 
> my DMZ hosts will have public IPs ranging
> 77.25.33.2-14
> 
> My question is can Masquerade (SNAT) my LAN
> IPs and use the ROUTER ethernet IP
> as a --to-source target?
> 
> Or do I have to assign a IP to my br0 interface?
> I am in deign mode so I was trying to figure out
> if this is possible.
> 
> The rule would look like this:
> $IPTABLES -t nat -A POSTROUTING \
> -o $BR0 -j SNAT --to-source $ROUTER_IP
> 
> Can this work?