Route packets by source IP

Route packets by source IP

[Steffen Heil]

[-- Attachment #1: Type: text/plain, Size: 639 bytes --]

Hi

I have two servers, having public IPs A1, B1, connected via private IPs A2,
B2 on a openVPN network.
Now I need to make a service (port p) of server A1:p available via B1:p.
So I want to try the following:

1. At B: dnat every incoming connection for B1:p to A2:p.
    - this is to archieve my goal -
2. At A: Route every packet "from A2:P" to B2.
    - otherwise A would try to route to the client via its gateway, which
would fail because of the private sender ip. -

I think I can do the first:

iptables -t nat -I PREROUTING -p tcp --dport p -j DNAT --to A2:p

But I don't know how to do the second.
Any hints?

Regards,
  Steffen

[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 3109 bytes --]

Re: Route packets by source IP

[Grant Taylor]

On 03/18/08 07:01, Steffen Heil wrote:
> 2. At A: Route every packet "from A2:P" to B2.
>  - otherwise A would try to route to the client via its gateway, which
> would fail because of the private sender ip. -

> But I don't know how to do the second.
> 
> Any hints?

You need to use policy based routing.  In short, set up an additional 
routing table very similar to the main routing table save for using B as 
the default gateway rather than A.  Then you use Traffic Control (tc) 
rules to direct the kernel to use the new routing table for the traffic 
that you want to manually route.



Grant. . . .

Re: Route packets by source IP

[Franck JONCOURT]

Hi,



On Tue, 18 Mar 2008 09:18:30 -0500, Grant Taylor

<gtaylor@riverviewtech.net> wrote:

> On 03/18/08 07:01, Steffen Heil wrote:

>> 2. At A: Route every packet "from A2:P" to B2.

>>  - otherwise A would try to route to the client via its gateway, which

>> would fail because of the private sender ip. -

> 

>> But I don't know how to do the second.

>>

>> Any hints?

> 

> You need to use policy based routing.  In short, set up an additional

> routing table very similar to the main routing table save for using B as

> the default gateway rather than A.  Then you use Traffic Control (tc)

> rules to direct the kernel to use the new routing table for the traffic

> that you want to manually route.



This is perhaps not a good way to do, but I was thinking about using the

__ip route__ command.



ip route add 192.168.2.0/24 via 192.168.0.2



where 192.168.2.0/24 would be the B1 network and 192.168.0.2

would be the B2 ip address.



Is that wrong ?



---

Franck Joncourt

http://www.debian.org/ - http://smhteam.info/wiki/

Re: Route packets by source IP

[Grant Taylor]

On 03/19/08 13:21, Franck JONCOURT wrote:
> This is perhaps not a good way to do, but I was thinking about using 
> the __ip route__ command.
> 
> ip route add 192.168.2.0/24 via 192.168.0.2
> 
> where 192.168.2.0/24 would be the B1 network and 192.168.0.2 would be 
> the B2 ip address.
> 
> Is that wrong ?

"ip route" routes traffic based on destination IP address not 
necessarily the network that it would pass through to get there.  So if 
you have traffic headed to my web server, you can not use "ip route" to 
get it there with out specifying my servers IP address / subnet in the 
ip route command.



Grant. . . .

RE: Route packets by source IP

[Steffen Heil]

[-- Attachment #1: Type: text/plain, Size: 1806 bytes --]

Hi

> On 03/19/08 13:21, Franck JONCOURT wrote:
> > This is perhaps not a good way to do, but I was thinking 
> about using 
> > the __ip route__ command.
> > 
> > ip route add 192.168.2.0/24 via 192.168.0.2
> > 
> > where 192.168.2.0/24 would be the B1 network and 
> 192.168.0.2 would be 
> > the B2 ip address.
> > 
> > Is that wrong ?
> 
> "ip route" routes traffic based on destination IP address not 
> necessarily the network that it would pass through to get 
> there.  So if you have traffic headed to my web server, you 
> can not use "ip route" to get it there with out specifying my 
> servers IP address / subnet in the ip route command.

Right.
Even more: In my scenario the same client should be able to reach the
service using the public ip of both servers.
Therefor routing based on the destination (=client) ip is not possible at
all. However if the target ip was the A1 then reply as usual (use default
route) and if the target ip was A2 (only possible because it was forwarded
from B1) then route the packet to B2, where B will route the packets as
usual (using default route).

Regards,
  Steffen


-- Original Message ------------------------ 

Hi

I have two servers, having public IPs A1, B1, connected via private IPs A2,
B2 on a openVPN network.
Now I need to make a service (port p) of server A1:p available via B1:p.
So I want to try the following:

1. At B: dnat every incoming connection for B1:p to A2:p.
    - this is to archieve my goal -
2. At A: Route every packet "from A2:P" to B2.
    - otherwise A would try to route to the client via its gateway, which
would fail because of the private sender ip. -

I think I can do the first:

iptables -t nat -I PREROUTING -p tcp --dport p -j DNAT --to A2:p

But I don't know how to do the second.
Any hints?

Regards,
  Steffen

[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 3109 bytes --]

Re: Route packets by source IP

[Grant Taylor]

On 3/19/2008 5:03 PM, Steffen Heil wrote:
> Even more: In my scenario the same client should be able to reach the 
> service using the public ip of both servers.  Therefor routing based 
> on the destination (=client) ip is not possible at all.  However if 
> the target ip was the A1 then reply as usual (use default route) and 
> if the target ip was A2 (only possible because it was forwarded from 
> B1) then route the packet to B2, where B will route the packets as 
> usual (using default route).

Ok, going back and re-reading things, I'm getting a better picture.

It sounds like you have (one or more ports of) ExtA port forwarded to 
IntA and (one or more ports of) ExtB port forwarded to IntB.  You now 
want (one or more different ports of) ExtB port forwarded to IntA and 
possibly (one or more different ports of) ExtA port forwarded to IntB. 
This will allow IntA to effectively be accessed via one port range on 
ExtA and another port range of ExtB and possibly vice versa.

To make this simpler, I'm going to drop this down to one port on each 
server.

ExtA:80 port forwarded to IntA:80
ExtB:80 port forwarded to IntB:80

Let's see if I understand you correctly.  (In addition to what you 
already have) you now want ExtB:81 port forwarded to IntA:<something> 
and associated reply traffic to go back out ExtB, not the default of ExtA.

Presuming this is correct, you can fairly easily do this if you are 
willing to do something simple.  If you will send the traffic that you 
want to reply through the non default route to a different IP or port, 
you can easily use tc to match the traffic to use a different routing 
table and thus route out the non default interface.

You can either use a different port or a different IP address on the 
internal server(s).  You need something to be different between the 
traffic that comes in to the default and non default routes so that you 
have an easy way to identify the traffic and apply tc rules.

If you are talking about one service, say HTTP, you can probably easily 
use a different port.  However if you are wanting to do this with 
multiple services, it may be easier to use different IPs internally. 
This way, you can just match the internal source IP rather than the port.

Are you wanting to run similar services on both ExtA and ExtB, and have 
them be redundant of each other?  Presuming this is the case, this is 
what I'd recommend you do.  Get an additional IP address for each 
external connection.  The IPs don't need to be contiguous or even on the 
same subnet, they just need to route to your external connection.

ExtA1 is the existing IP on the A connection.
ExtA2 is the new IP on the A connection.
ExtB1 is the existing IP on the B connection.
ExtB2 is the new IP on the B connection.

IntA1 is the existing IP on the A server.
IntA2 is the new IP on the A server.
IntB1 is the existing IP on the B server.
IntB2 is the new IP on the B server.

ExtA1 port forwards to IntA1
ExtA2 port forwards to IntB2
ExtB1 port forwards to IntB1
ExtB2 port forwards to IntB2

Here is some ASCII art to help depict what is happening.

e  e     e  e
A  A     B  B
1  2     2  1
|  |     |  |
|   \   /   |
|    \ /    |
|     X     |
|    / \    |
|   /   \   |
|  |     |  |
i  i     i  i
A  A     B  B
1  2     2  1

This will allow server A to be accessed by either ExtA1 or ExtB2 and 
server B to be accessed by either ExtB1 or ExtA2.

Seeing as how you have two different IP addresses on each internal 
server, you can easily have tc use one set of routing tables for one IP 
and the other set of routing tables for the other IP.

Before I go in to tc rules, would this scenario suffice what you are 
trying to do?

Also, this will scale up to allow an additional 3rd connection with two 
IPs by adding a 3rd IP to each server and extending the port forwarding 
and routing tables.  ExtC1 would port forward to IntA3 and ExtC2 would 
port forward to IntB3, thus giving each internal server three external 
IPs that they could be accessed by.



Grant. . . .

RE: Route packets by source IP

[Steffen Heil]

[-- Attachment #1: Type: text/plain, Size: 3356 bytes --]

Hi

> It sounds like you have (one or more ports of) ExtA port 
> forwarded to IntA and (one or more ports of) ExtB port 
> forwarded to IntB.  You now want (one or more different ports 
> of) ExtB port forwarded to IntA and possibly (one or more 
> different ports of) ExtA port forwarded to IntB. 
> This will allow IntA to effectively be accessed via one port 
> range on ExtA and another port range of ExtB and possibly vice versa.

No.
There is no firewall or such in front.
I DO have 2 public reachable Servers with 1 public IP each and a openVPN
connection between them giving each 1 additional private IP.

Now I want to make some services on server A accessable though the public IP
of server B. (While they stay reachable on the public IP of server A.)

To simplify things:
The private openvpn IP of both servers is not used for anything else. Just
the connection between these two servers.
You can think of only making one service available - everything else will
just duplicate iptables commands.

> Let's see if I understand you correctly.  (In addition to 
> what you already have) you now want ExtB:81 port forwarded to 
> IntA:<something> and associated reply traffic to go back out 
> ExtB, not the default of ExtA.

This is nearly what I want:
I want to forward ExtB:80 to be forwarded to IntA:80 and associated reply
traffic to go back out ExtB, not default ExtA.
(The client should not notice A at all.)

B will not provide any own service at the ports in question.

> Presuming this is correct, you can fairly easily do this if 
> you are willing to do something simple.  If you will send the 
> traffic that you want to reply through the non default route 
> to a different IP or port, you can easily use tc to match the 
> traffic to use a different routing table and thus route out 
> the non default interface.

What is tc and how is it set up ?

> You can either use a different port or a different IP address 
> on the internal server(s).  You need something to be 
> different between the traffic that comes in to the default 
> and non default routes so that you have an easy way to 
> identify the traffic and apply tc rules.

Everything that comes on the private ip (openvpn ip) applies.
That ip is not used for anything else.

> Are you wanting to run similar services on both ExtA and 
> ExtB, and have them be redundant of each other?

No.

I need this setup for two things, one is hard to explain, so I will skip it,
the other is easy:
I need to transfer a service which cannot run on two servers in parallel
from one host to another.
The problem is, that clients are connecting all the time and do this by DNS.
Now changing DNS needs some time to timeout the caches and I do have near by
no controll over the dns servers. The TTL is two days.
So I need the very same instance of one service to be reachable by two ips
on two different servers (at two different providers).

> Before I go in to tc rules, would this scenario suffice what 
> you are trying to do?

Your scenario was much more than I need.
You involved 4 systems (ext and int, A and B). I only have 2 and I will
never need to do all this in two directions. In both my use cases, there is
only a need to forward from B to A, never from A to B at the same time.

Any help to starting points for the configuration commands is appreciated.

Regards,
  Steffen

[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 3109 bytes --]

Re: Route packets by source IP

[Grant Taylor]

On 03/19/08 19:30, Steffen Heil wrote:
> No.  There is no firewall or such in front.  I DO have 2 public 
> reachable Servers with 1 public IP each and a openVPN connection 
> between them giving each 1 additional private IP.

Ok...

> Now I want to make some services on server A accessable though the 
> public IP of server B. (While they stay reachable on the public IP of 
> server A.)

*nod*

> To simplify things:  The private openvpn IP of both servers is not 
> used for anything else. Just the connection between these two 
> servers.  You can think of only making one service available - 
> everything else will just duplicate iptables commands.

It sounds like the OpenVPN IP will work for the routing where I was 
previously talking about the additional IP.

> This is nearly what I want:  I want to forward ExtB:80 to be 
> forwarded to IntA:80 and associated reply traffic to go back out 
> ExtB, not default ExtA. (The client should not notice A at all.)

Right.

> B will not provide any own service at the ports in question.

Ok, this makes things simpler.  As long as the ports you want redirected 
to A are not in use by B, you can get away with one IP on B.  (And vice 
versa if you ever wanted to do the same or for others searching the 
archives later.)

> What is tc and how is it set up ?

Now that I've had more sleep, I think I've slightly mis-lead you.  "tc" 
or traffic control is the command you use under Linux to set up QoS. 
"tc" is usually used in close conjunction with the "ip" command.  It is 
actually the "ip" command (my mistake before) that you will use to 
create rules to decide what routing tables to use when sending the 
traffic out.  (Once I have the basic idea you are after correct I'll go 
in to mach setups for you.)

> Everything that comes on the private ip (openvpn ip) applies. That ip 
> is not used for anything else.

Ok, good.

Is it fair to say your layout is more like this:

   e                     e
   A                     B
+-+-+                 +-+-+
| A +-oA-(OpenVPN)-oB-+ B |
+---+                 +---+

In this case, you will port forward eB to oA.  If you wanted to you 
could port forward eA to oB too.

> No.

Again, this will make things simpler.

> I need this setup for two things, one is hard to explain, so I will 
> skip it, the other is easy:  I need to transfer a service which 
> cannot run on two servers in parallel from one host to another.  The 
> problem is, that clients are connecting all the time and do this by 
> DNS.  Now changing DNS needs some time to timeout the caches and I do 
> have near by no controll over the dns servers. The TTL is two days. 
> So I need the very same instance of one service to be reachable by 
> two ips on two different servers (at two different providers).

(I'll make this short and sweet.)  I understand as much as I need to. 
And "I'm sorry.".  ;)

> Your scenario was much more than I need.  You involved 4 systems (ext 
> and int, A and B). I only have 2 and I will never need to do all this 
> in two directions. In both my use cases, there is only a need to 
> forward from B to A, never from A to B at the same time.

*nod*  Let's try this scenario.

> Any help to starting points for the configuration commands is 
> appreciated.

(Using the above diagram.)

Port forward the service in question from eB to oA.  Set up an "ip rule" 
(and dependent routing tables) that will cause A to rout any traffic 
that comes in to oA out through oB.  This way any traffic that comes in 
to A via eA or lo will be routed just like it is now.  Any traffic that 
comes in to A via oA will be routed out through oB and summarily back 
out eB which it came in to.

Does this do what you are wanting to do?  If it does let me know and 
we'll get started on the ip rules and routing tables.



Grant. . . .