* How to SNAT in PREROUTING table for local machine
@ 2008-06-19 12:06 Tobias Krummen
2008-06-19 17:00 ` Grant Taylor
2008-06-20 10:22 ` Patrick McHardy
0 siblings, 2 replies; 4+ messages in thread
From: Tobias Krummen @ 2008-06-19 12:06 UTC (permalink / raw)
To: netfilter
Hello,
due to a project, I wonder if it's possible to use netfilter and iptables to
alter the source ip-address of incoming packets.
In this particular case, a machine is running a service, which is listening
on two interfaces, one ethernet interface on the local network, and an
interface for vpn. The local network is a /24 net, the vpn has addresses
from a class a /8 network. But the service is only able to accept
connections from a /24 subnet.
First idea was to manipulate the source ip-address of the incoming packets,
like SNAT does. So the other way round, with NAT the original ip-addresses
could be restored, when the service is answering.
This manipulation has to be done within the PREROUTING table, as the packet
still needs to get delivered to the local machine. But it seems that SNAT is
only available in the POSTROUTING table. With DNAT it is possible to route
the packets from the /8 subnet to the ip-address of the machine in the /24
subnet, but the packets do still have their source addresses from the /8
network, and the service is refusing to answer.
$IPTABLES -t nat -A PREROUTING -i $VPNIF -s $VPNNET -d $VPNIP -j
DNAT --to-destination $LAN1IP
It does'nt matter, if with this kind of NAT it would only be possible to get
only 253 hosts connected and not all hosts within the /8 subnet.
Second idea was using the mangle-table to manipulate the ip-address. Even
though it would need up to 253 x 2 rules, one set for mapping the
source-addresses of the incoming packets, and one set for remapping the
destination-addresses of the outgoing packets. But the mangle-table provides
only targets for manipulating classification, connection marking, packet
marking, DSCP, ECN, TOS, TTL... but no ip-address related targets?
So, is there a way to change the source ip-address of incoming packets with
the given possibilities of netfilter, or are there other tools to get this
done?
A rule like the following is unfortunatly not possible:
$IPTABLES -t nat -A PREROUTING -i $VPNIF -s $VPNNET -d $VPNIP -j
SNAT --to-source $LAN2IP_1-$LAN2IP_253
$LAN2 would be a different /24 subnet, so it wouldn't interfere with the
attached local network.
--
Greetings,
Tobias Krummen
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: How to SNAT in PREROUTING table for local machine
2008-06-19 12:06 How to SNAT in PREROUTING table for local machine Tobias Krummen
@ 2008-06-19 17:00 ` Grant Taylor
2008-06-20 10:22 ` Patrick McHardy
1 sibling, 0 replies; 4+ messages in thread
From: Grant Taylor @ 2008-06-19 17:00 UTC (permalink / raw)
To: Mail List - Netfilter
On 06/19/08 07:06, Tobias Krummen wrote:
> So, is there a way to change the source ip-address of incoming packets
> with the given possibilities of netfilter, or are there other tools to
> get this done?
You might look in to trying to use bridging. Bridge the VPN
interface(s) and bind your service to the bridge interface. This would
allow you to use EBTables to alter traffic as it comes in to the system.
Another option would be to use some sort of proxy application (like
rinetd or socat) to accept the connections and then proxy them in to
your service. Your service would see all the connections as coming from
the rinetd daemon's IP but at least all your /8 systems would be able to
connect to the service.
Grant. . . .
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: How to SNAT in PREROUTING table for local machine
2008-06-19 12:06 How to SNAT in PREROUTING table for local machine Tobias Krummen
2008-06-19 17:00 ` Grant Taylor
@ 2008-06-20 10:22 ` Patrick McHardy
2008-06-20 10:58 ` Jan Engelhardt
1 sibling, 1 reply; 4+ messages in thread
From: Patrick McHardy @ 2008-06-20 10:22 UTC (permalink / raw)
To: Tobias Krummen; +Cc: netfilter
Tobias Krummen wrote:
> So, is there a way to change the source ip-address of incoming packets
> with the given possibilities of netfilter, or are there other tools to
> get this done?
You need to add an INPUT chain to the NAT table to do this
and adjust the HOOK2MANIP macro to deal with this.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: How to SNAT in PREROUTING table for local machine
2008-06-20 10:22 ` Patrick McHardy
@ 2008-06-20 10:58 ` Jan Engelhardt
0 siblings, 0 replies; 4+ messages in thread
From: Jan Engelhardt @ 2008-06-20 10:58 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Tobias Krummen, netfilter
On Friday 2008-06-20 12:22, Patrick McHardy wrote:
> Tobias Krummen wrote:
>> So, is there a way to change the source ip-address of incoming packets with
>> the given possibilities of netfilter, or are there other tools to get this
>> done?
>
> You need to add an INPUT chain to the NAT table to do this
> and adjust the HOOK2MANIP macro to deal with this.
Alternatively, RAWNAT is supposed do this with the existing 'raw'
table, before conntracking is involved; and on the output path, uses
a 'rawpost' table that comes after conntracking. It is fully modular
and it is not required to touch any in-kernel code.
I have not lately tested this target though, so some adjustments
might be needed.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2008-06-20 10:58 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-06-19 12:06 How to SNAT in PREROUTING table for local machine Tobias Krummen
2008-06-19 17:00 ` Grant Taylor
2008-06-20 10:22 ` Patrick McHardy
2008-06-20 10:58 ` Jan Engelhardt
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox