Linux Netfilter discussions
* Two identical ips connected
@ 2006-10-16  7:55 Julian Hagenauer
  2006-10-16  9:41 ` Rob Sterenborg
  2006-10-17  0:34 ` David Lang
  0 siblings, 2 replies; 9+ messages in thread
From: Julian Hagenauer @ 2006-10-16  7:55 UTC (permalink / raw)
  To: netfilter

Hi,
is it somehow possible to attach two computers with the same IP
to a router, and let the router rewrite/masquerade the IP of one of
those computers with iptables, so that both could be accessed with different IPs?

Can you give me some hints how this could be achieved?

thanks,
Julian


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Two identical ips connected
  2006-10-16  7:55 Two identical ips connected Julian Hagenauer
@ 2006-10-16  9:41 ` Rob Sterenborg
  2006-10-16 10:02   ` Julian Hagenauer
  2006-10-17  0:34 ` David Lang
  1 sibling, 1 reply; 9+ messages in thread
From: Rob Sterenborg @ 2006-10-16  9:41 UTC (permalink / raw)
  To: netfilter


On Mon, October 16, 2006 09:55, Julian Hagenauer wrote:
> Hi,
> is it somehow possible to attach two computers with the same IP to a
> router, and let the router rewrite/masquerade the IP of one of those computers
> with iptables, so that both could be accessed with different IPs?

I don't think you can.

> Can you give me some hints how this could be achieved?

If your packet made it to the router and the router had this configuration:
- eth0: 192.168.1.0/24
- eth1: 192.168.1.0/24
the router cannot distinguish the subnets.

But you'd not even get that far.
When you send a packet from a client to the server and this server has the same IP
as the client (thus src and dst IP are the same), then the packet wouldn't
even make it to the router: it would be sent to itself.


Grts,
Rob





* Re: Two identical ips connected
  2006-10-16  9:41 ` Rob Sterenborg
@ 2006-10-16 10:02   ` Julian Hagenauer
  2006-10-16 11:04     ` Gáspár Lajos
                       ` (3 more replies)
  0 siblings, 4 replies; 9+ messages in thread
From: Julian Hagenauer @ 2006-10-16 10:02 UTC (permalink / raw)
  To: Rob Sterenborg; +Cc: netfilter

Hi

> If your packet made it to the router and the router had this configuration:
> - eth0: 192.168.1.0/24
> - eth1: 192.168.1.0/24
> the router cannot distinguish the subnets.
> 

Why so complicated.
eth0: 192.168.1.4
eth1: 192.168.1.4

(Host-based routing) would be enough. Sure, the router can not distinguish between the IPs, but it could distinguish between the MACs, so would it be possible to do masquerading based on MAC addresses?

> But you'd not even get that far.
> When you send a packet from a client to the server and this server has the same IP
> as the client (thus src and dst IP are the same), then the packet wouldn't
> even make it to the router: it would be sent to itself.

Mhm, I don't understand that. Let me explain my setup in greater detail:

	Server1---------|
			|
			|
			|
	Server2-------Router-------Client
			|
			|
			DB

I want Server1 and Server2 to have the same IP, although only Server1 should be accessible for clients.
The reason for that is that I want to do some kind of load balancing.
The problem is that both servers need permanent access to the DB, so the router should somehow translate/masquerade the IP of Server2, so that both servers can access the DB at the same time.

I know it sounds weird :-)

Sincerely,
Julian



* Re: Two identical ips connected
  2006-10-16 10:02   ` Julian Hagenauer
@ 2006-10-16 11:04     ` Gáspár Lajos
  2006-10-16 14:48     ` Nathan @ Netdigix Systems
                       ` (2 subsequent siblings)
  3 siblings, 0 replies; 9+ messages in thread
From: Gáspár Lajos @ 2006-10-16 11:04 UTC (permalink / raw)
  To: Julian Hagenauer; +Cc: Rob Sterenborg, netfilter

Julian Hagenauer wrote:
> Hi
>
>   
>> If your packet made it to the router and the router had this configuration:
>> - eth0: 192.168.1.0/24
>> - eth1: 192.168.1.0/24
>> the router cannot distinguish the subnets.
>>
>>     
>
> Why so complicated.
> eth0: 192.168.1.4
> eth1: 192.168.1.4
>
>   

You can not assign the same IP to both servers.
How would the router route the packets???
If the servers are on the SAME PHYSICAL network then you get an IP 
collision and they would refuse to talk to the net... (Try this with 2 
Winsucks computers... :) )

The routing is based on IP and not on MAC !!!

> (Host-based routing) would be enough. Sure, the router can not distinguish between the IPs, but it could distinguish between the MACs, so would it be possible to do masquerading based on MAC addresses?
>
>   
>> But you'd not even get that far.
>> When you send a packet from a client to the server and this server has the same IP
>> as the client (thus src and dst IP are the same), then the packet wouldn't
>> even make it to the router: it would be sent to itself.
>>     
>
> Mhm, I don't understand that. Let me explain my setup in greater detail:
>
> 	Server1---------|
> 			|
> 			|
> 			|
> 	Server2-------Router-------Client
> 			|
> 			|
> 			DB
>
>   

Well, for this scenario you can set up some load balancing...

1. With DNS balancing.
This is not the list for that ... :)

2. With iptables balancing.

iptables man pages:

"
   BALANCE
       This allows you to DNAT connections in a round-robin way over a 
given range of destination addresses.

       --to-destination ipaddr-ipaddr
              Address range to round-robin over.
"

"
   DNAT
       This target is only valid in the nat table, in the PREROUTING and 
OUTPUT chains, and user-defined chains which are only called from those 
chains.  It specifies that the
       destination  address of the packet should be modified (and all 
future packets in this connection will also be mangled), and rules 
should cease being examined.  It takes
       one type of option:

       --to-destination [ipaddr][-ipaddr][:port-port]
              which can specify a single new destination IP address, an 
inclusive range of IP addresses, and optionally, a port range (which is 
only valid  if  the  rule  also
              specifies -p tcp or -p udp).  If no port range is 
specified, then the destination port will never be modified. If no IP 
address is specified then only the desti-
              nation port will be modified.

              In Kernels up to 2.6.10 you can add several 
--to-destination options.  For those kernels, if you specify more than 
one destination address, either via an address
              range  or multiple --to-destination options, a simple 
round-robin (one after another in cycle) load balancing takes place 
between these addresses.  Later Kernels
              (>= 2.6.11-rc1) don't have the ability to NAT to multiple 
ranges anymore.
"

Let's assume these settings:

c (client)
            192.168.1.52
s (virtual server)
            192.168.1.4
s1 (server)
            10.0.0.1
s2 (server)
            10.0.0.2

	     s1---------\
			|
			|
			|
	     s2-------Router-------c
                        |
			|
			DB

# New connections to the virtual address are round-robined over the two
# real servers (BALANCE is an add-on target; see the man page text quoted above)
iptables -t nat -A PREROUTING -d 192.168.1.4 -j BALANCE --to-destination 10.0.0.1-10.0.0.2

# Connections the real servers open themselves (e.g. to the DB) leave as 192.168.1.4
iptables -t nat -A POSTROUTING -s 10.0.0.1 -j SNAT --to-source 192.168.1.4
iptables -t nat -A POSTROUTING -s 10.0.0.2 -j SNAT --to-source 192.168.1.4


Maybe this script is useful...
But maybe not... :)

You did not tell us what kind of services will be on the servers...
Unfortunately with FTP these rules do not work... :)


> I want Server1 and Server2 to have the same IP, although only Server1 should be accessible for clients.
> The reason for that is that I want to do some kind of load balancing.
> The problem is that both servers need permanent access to the DB, so the router should somehow translate/masquerade the IP of Server2, so that both servers can access the DB at the same time.
>
> I know it sounds weird :-)
>
>   

Just a little bit... :)

> Sincerely,
> Julian
>   

Swifty


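As an added example (not from the post above and not part of netfilter or iptables): the same per-connection round-robin DNAT, written with the in-tree `statistic` match instead of the BALANCE target, since the man page text quoted above notes that multi-range DNAT went away after 2.6.10. The addresses are the ones from the diagram; the `IPT` variable, the `lb_rules` function and the variable names are my assumptions. Run as-is it only prints the rules; set `IPT=iptables` to load them.

```bash
#!/bin/sh
# Added example, not from the thread: per-connection round-robin DNAT
# for the virtual address 192.168.1.4 over any number of real servers,
# using the in-tree "statistic" match instead of the BALANCE target.
# Prints the rules by default; run with IPT=iptables to load them.
IPT="${IPT:-echo iptables}"

VIP=192.168.1.4                 # address the clients connect to (s in the thread)
BACKENDS="10.0.0.1 10.0.0.2"    # real servers s1 and s2 (add more if needed)

# lb_rules VIP BACKEND...
# The nat PREROUTING chain sees only the first packet of a connection, so
# "--mode nth" here counts new connections, not packets. With k backends
# still to place, 1 in k of the remaining connections goes to the next one;
# the last backend takes whatever is left, which gives an even split.
lb_rules() {
    vip=$1; shift
    left=$#
    for be in "$@"; do
        if [ "$left" -gt 1 ]; then
            $IPT -t nat -A PREROUTING -d "$vip" \
                -m statistic --mode nth --every "$left" --packet 0 \
                -j DNAT --to-destination "$be"
        else
            $IPT -t nat -A PREROUTING -d "$vip" -j DNAT --to-destination "$be"
        fi
        left=$((left - 1))
    done
    # Replies to the DNATed connections are rewritten back by conntrack on
    # their own. This SNAT covers connections the backends open themselves
    # (the DB access in the thread): both appear to the DB as the VIP, and
    # conntrack keeps them apart by source port.
    for be in "$@"; do
        $IPT -t nat -A POSTROUTING -s "$be" -j SNAT --to-source "$vip"
    done
}

lb_rules "$VIP" $BACKENDS
```

The order of the DNAT rules matters: each `--every k --packet 0` rule keeps its own counter over the connections that reach it, so the fractions only come out even when the rules are added with decreasing `k` as above. The FTP caveat from the post still applies; the data connection needs the `nf_conntrack_ftp`/`nf_nat_ftp` helpers loaded before this works for FTP.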

* Re: Two identical ips connected
  2006-10-16 10:02   ` Julian Hagenauer
  2006-10-16 11:04     ` Gáspár Lajos
@ 2006-10-16 14:48     ` Nathan @ Netdigix Systems
  2006-10-16 17:08     ` Martijn Lievaart
  2006-10-26 15:47     ` R. DuFresne
  3 siblings, 0 replies; 9+ messages in thread
From: Nathan @ Netdigix Systems @ 2006-10-16 14:48 UTC (permalink / raw)
  To: Julian Hagenauer; +Cc: Rob Sterenborg, netfilter

Pretty sure that will not work. If you want to do some sort of failover or 
load balancing you should look at Keepalived or Ultramonkey.



Quoting Julian Hagenauer <chaosbringer@gmx.de>:

> Hi
> 
> > If your packet made it to the router and the router had this
> configuration:
> > - eth0: 192.168.1.0/24
> > - eth1: 192.168.1.0/24
> > the router cannot distinguish the subnets.
> > 
> 
> Why so complicated.
> eth0: 192.168.1.4
> eth1: 192.168.1.4
> 
> (Host-based routing) would be enough. Sure, the router can not distinguish
> between the IPs, but it could distinguish between the MACs, so would it be
> possible to do masquerading based on MAC addresses?
> 
> > But you'd not even get that far.
> > When you send a packet from a client to the server and this server has the same
> IP
> > as the client (thus src and dst IP are the same), then the packet wouldn't
> > even make it to the router: it would be sent to itself.
> 
> Mhm, I don't understand that. Let me explain my setup in greater detail:
> 
> 	Server1---------|
> 			|
> 			|
> 			|
> 	Server2-------Router-------Client
> 			|
> 			|
> 			DB
> 
> I want Server1 and Server2 to have the same IP, although only Server1
> should be accessible for clients.
> The reason for that is that I want to do some kind of load balancing.
> The problem is that both servers need permanent access to the DB, so the
> router should somehow translate/masquerade the IP of Server2, so that
> both servers can access the DB at the same time.
> 
> I know it sounds weird :-)
> 
> Sincerely,
> Julian
> 




thanks,
-Nathan
-http://www.netdigix.net




* Re: Two identical ips connected
  2006-10-16 10:02   ` Julian Hagenauer
  2006-10-16 11:04     ` Gáspár Lajos
  2006-10-16 14:48     ` Nathan @ Netdigix Systems
@ 2006-10-16 17:08     ` Martijn Lievaart
  2006-10-26 15:47     ` R. DuFresne
  3 siblings, 0 replies; 9+ messages in thread
From: Martijn Lievaart @ 2006-10-16 17:08 UTC (permalink / raw)
  To: Julian Hagenauer; +Cc: Rob Sterenborg, netfilter

Julian Hagenauer wrote:

>Hi
>
>  
>
>>If your packet made it to the router and the router had this configuration:
>>- eth0: 192.168.1.0/24
>>- eth1: 192.168.1.0/24
>>the router cannot distinguish the subnets.
>>
>>    
>>
>
>Why so complicated.
>eth0: 192.168.1.4
>eth1: 192.168.1.4
>
>(Host-based routing) would be enough. Sure, the router can not distinguish between the IPs, but it could distinguish between the MACs, so would it be possible to do masquerading based on MAC addresses?
>
>  
>
>>But you'd not even get that far.
>>When you send a packet from a client to the server and this server has the same IP
>>as the client (thus src and dst IP are the same), then the packet wouldn't
>>even make it to the router: it would be sent to itself.
>>    
>>
>
>Mhm, I don't understand that. Let me explain my setup in greater detail:
>
>	Server1---------|
>			|
>			|
>			|
>	Server2-------Router-------Client
>			|
>			|
>			DB
>
>I want Server1 and Server2 to have the same IP, although only Server1 should be accessible for clients.
>The reason for that is that I want to do some kind of load balancing.
>The problem is that both servers need permanent access to the DB, so the router should somehow translate/masquerade the IP of Server2, so that both servers can access the DB at the same time.
>
>  
>

Give both servers their own IP. Give one of the servers also the IP the 
clients use to access the server. When that server fails, assign that IP 
to the second server (also as secondary!) instead.

M4




* Re: Two identical ips connected
  2006-10-16  7:55 Two identical ips connected Julian Hagenauer
  2006-10-16  9:41 ` Rob Sterenborg
@ 2006-10-17  0:34 ` David Lang
  1 sibling, 0 replies; 9+ messages in thread
From: David Lang @ 2006-10-17  0:34 UTC (permalink / raw)
  To: Julian Hagenauer; +Cc: netfilter

On Mon, 16 Oct 2006, Julian Hagenauer wrote:

> Hi,
> is it somehow possible to attach two computers with the same IP
> to a router, and let the router rewrite/masquerade the IP of one of
> those computers with iptables, so that both could be accessed with different IPs?
>
> Can you give me some hints how this could be achieved?
>

you can't do it with one router, but you could with two routers

machineA 10.0.0.1
   |      machineB Natted as 10.0.0.2 by router1 (from the 192.168.1.2 that
   |      router2 makes it)
router1
   |      machine A Natted as 192.168.1.1 (by router1)
   |      machine B Natted as 192.168.1.2 (by router2)
router2
   |      machineA Natted as 10.0.0.2 by router2 (from the 192.168.1.1 that
   |      router2 makes it)
machineB 10.0.0.1

each machine would see the other as 10.0.0.2

very ugly, but if you can't do anything else, this approach can work.

David Lang

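As an added example (not from David's post, not netfilter code): the two-router layout above as nat rules for one router. Both routers run the same function, with their own and the peer's transit address swapped, so each machine reaches the other as 10.0.0.2 while keeping 10.0.0.1 itself. The addresses are David's; the interface names (eth0 toward the machine, eth1 toward the other router), the `IPT` variable and the `router_rules` function are my assumptions. Run as-is it only prints the rules; set `IPT=iptables` to load them.

```bash
#!/bin/sh
# Added example, not from the thread: nat rules for one of the two routers
# in David Lang's layout. Both routers run router_rules with their own and
# the peer's transit (192.168.1.x) address swapped.
# Prints the rules by default; run with IPT=iptables to load them.
IPT="${IPT:-echo iptables}"

REAL=10.0.0.1      # the address both machines really have
ALIAS=10.0.0.2     # what each machine calls the other one
INSIDE=eth0        # interface toward the local machine (assumed name)
TRANSIT=eth1       # interface toward the other router (assumed name)

# router_rules MY_TRANSIT_ADDR PEER_TRANSIT_ADDR
# Outbound: local 10.0.0.1 -> 10.0.0.2 becomes MY_TRANSIT -> PEER_TRANSIT.
# Inbound:  PEER_TRANSIT -> MY_TRANSIT becomes 10.0.0.2 -> 10.0.0.1.
# Each mapping is recorded once per connection; conntrack applies the
# reverse mapping to the reply packets without further rules.
router_rules() {
    my=$1; peer=$2
    # outbound: first packet of a connection opened by the local machine
    $IPT -t nat -A PREROUTING  -i "$INSIDE"  -s "$REAL" -d "$ALIAS" -j DNAT --to-destination "$peer"
    $IPT -t nat -A POSTROUTING -o "$TRANSIT" -s "$REAL" -d "$peer"  -j SNAT --to-source "$my"
    # inbound: first packet of a connection opened by the peer's machine
    $IPT -t nat -A PREROUTING  -i "$TRANSIT" -s "$peer" -d "$my"    -j DNAT --to-destination "$REAL"
    $IPT -t nat -A POSTROUTING -o "$INSIDE"  -s "$peer" -d "$REAL"  -j SNAT --to-source "$ALIAS"
}

echo "# router1"; router_rules 192.168.1.1 192.168.1.2
echo "# router2"; router_rules 192.168.1.2 192.168.1.1
```

Two checks before relying on this: the router's own address on eth0 must not be 10.0.0.2 (pick something else in 10.0.0.0/24, say 10.0.0.254), and since 10.0.0.2 is on-link from the machine's point of view, the router has to answer ARP for it on eth0 (enable `proxy_arp` there or configure 10.0.0.2 as a secondary address on that interface) or the machine's packets never reach the nat rules at all.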


* Re: Two identical ips connected
       [not found] <200610160944.k9G9iEZi013530@mail3.jubileegroup.co.uk>
@ 2006-10-19  9:35 ` G.W. Haywood
  0 siblings, 0 replies; 9+ messages in thread
From: G.W. Haywood @ 2006-10-19  9:35 UTC (permalink / raw)
  To: netfilter

Hi there,

On Mon, 16 Oct 2006 netfilter-request@lists.netfilter.org wrote:

> On Mon, October 16, 2006 09:55, Julian Hagenauer wrote:
> >
> > is it somehow possible to attach two computers with the same IP
>
> I don't think you can.

You can, but you don't want to.  It's one of many techniques used by
criminals to breach security.  You have to use some means of flooding
one of the machines' interfaces with so much traffic that it can't
respond as it should to IP traffic, then 'steal' packets to which it
would otherwise respond before it has a chance to do so.

You aren't thinking of becoming a criminal, are you?

--

73,
Ged.



* Re: Two identical ips connected
  2006-10-16 10:02   ` Julian Hagenauer
                       ` (2 preceding siblings ...)
  2006-10-16 17:08     ` Martijn Lievaart
@ 2006-10-26 15:47     ` R. DuFresne
  3 siblings, 0 replies; 9+ messages in thread
From: R. DuFresne @ 2006-10-26 15:47 UTC (permalink / raw)
  To: Julian Hagenauer; +Cc: Rob Sterenborg, netfilter


On Mon, 16 Oct 2006, Julian Hagenauer wrote:

> Hi
>
>> If your packet made it to the router and the router had this configuration:
>> - eth0: 192.168.1.0/24
>> - eth1: 192.168.1.0/24
>> the router cannot distinguish the subnets.
>>
>
> Why so complicated.
> eth0: 192.168.1.4
> eth1: 192.168.1.4
>
> (Host-based routing) would be enough. Sure, the router can not distinguish between the IPs, but it could distinguish between the MACs, so would it be possible to do masquerading based on MAC addresses?
>
>> But you'd not even get that far.
>> When you send a packet from a client to the server and this server has the same IP
>> as the client (thus src and dst IP are the same), then the packet wouldn't
>> even make it to the router: it would be sent to itself.
>
> Mhm, I don't understand that. Let me explain my setup in greater detail:
>
> 	Server1---------|
> 			|
> 			|
> 			|
> 	Server2-------Router-------Client
> 			|
> 			|
> 			DB
>
> I want Server1 and Server2 to have the same IP, although only Server1 should be accessible for clients.
> The reason for that is that I want to do some kind of load balancing.
> The problem is that both servers need permanent access to the DB, so the router should somehow translate/masquerade the IP of Server2, so that both servers can access the DB at the same time.


The VIP goes on the load balancer, the servers behind it have distinct 
IPs, then your setup would work.  But, you are going to have to obtain or 
set up a server in front of the two servers to do the load balancing to 
those servers behind it.

Thanks,

Ron DuFresne
- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>


