Thread: Per-client routing, plus masquerading -- possible?
Per-client routing, plus masquerading -- possible?
user name
2006-03-23 03:10:47
[ Oops, sent this to netfilter-devel before I realized this list existed.  D'oh! ]


Hi,

I'm trying to set up a Linux box as a NATting router.  But here's the trick: my box's external interface is on a LAN that has a whole bunch of next-hop routers on it, any of which can be used to access the Internet.  I'm trying to figure out how to configure iptables so that the NAT box selects the router to use based on client IP address (i.e., the IP address on the inside interface).

In other words -- I'd like ipfilter to keep the destination IP address unchanged, but select a next-hop destination (e.g., by changing the destination MAC address) based on the source IP.   And, on top of all this, mangle the source address according to normal masquerading.

I've been tinkering with a command like this:

iptables -t nat -A POSTROUTING -i $INTERNAL_CLIENT_IP -o external-iface0 -j SNAT --to $EXTERNAL_ROUTER_IP

...but it seems that --to controls the new source address given to the packet (i.e., the router's outside-interface IP), and not the destination to which the NATted packet is sent.

Could someone please point me in the right direction?  Or is this not possible?

Thanks!

--Jeremy

Per-client routing, plus masquerading -- possible?
user name
2006-03-23 07:35:19
Jeremy Elson wrote:

> I've been tinkering with a command like this:
>
> iptables -t nat -A POSTROUTING -i $INTERNAL_CLIENT_IP -o external-iface0 -j SNAT --to $EXTERNAL_ROUTER_IP
>
> ...but it seems that --to controls the new source address given to the packet (i.e., the router's outside-interface IP), and not the destination to which the NATted packet is sent.

This is correct. SNAT is not about routing packets; it's for changing the source address of a packet.

> Could someone please point me in the right direction?  Or is this not possible?

What you want to do is possible but you'll need to employ source policy routing using the "ip" command. This isn't part of the netfilter project. In simple terms, you need to set up routes for each client IP/network and gateway you want to use.

The Linux Advanced Routing & Traffic Control HOWTO covers source policy routing among other things. The routing policy database section should get you on the right track: http://lartc.org/howto/lartc.rpdb.html

HTH,
Menno

Per-client routing, plus masquerading -- possible?
user name
2006-03-23 09:35:20
On 3/22/06, Menno Smits <mennonetboxblue.com> wrote:
> > Could someone please point me in the right direction?  Or is this not possible?
>
> What you want to do is possible but you'll need to employ source policy routing using the "ip" command.

Thank you; this worked beautifully!

I have one more quick question: is there some way to get iptables -L to show full rules?  It seems that there are some aspects of the rules that exist but are not printed, such as the interface selected.  In other words:  when I type a command like:

 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

... and then later check my work with iptables -t nat -L, it doesn't show "tap0" anywhere.   I actually mistyped this as "eth" (without the 0) -- the original iptables command did not give me an error (non-existent interface!), and the -L command didn't show me the error :-(.

But, overall it works great.  Just for other people's reference: I solved this using a combination of source policy routing using iproute2 (the IP command), plus masquerading using iptables.

Specifically:

Step 1 -- Give my gateway an inside address (GW_INSIDE) and an outside address (GW_OUTSIDE)

Step 2 -- Give an inside client, with ip CLIENT1_IP, a default router of GW_INSIDE

Step 3 --  ip rule add from CLIENT_IP table CLIENT1 prio 100

(CLIENT1 is the name of a routing table added to /etc/iproute2/rt_tables)

Step 4 -- ip route replace default table CLIENT1 via DESIRED_GATEWAY

In this case DESIRED_GATEWAY is the IP of the gateway I want CLIENT1 to use -- one of the real internet routers that's on the same network as GW_OUTSIDE.

This almost works, except that DESIRED_GATEWAY ends up receiving packets that have CLIENT_IP as a source IP, and the gateway has never heard of that network.  So as the final piece, add masquerading using iptables:

Step 5 --  iptables -t nat -A POSTROUTING -o outside0 -j MASQUERADE

where outside0 is the name of the outside interface, i.e. the one with GW_OUTSIDE and DESIRED_GATEWAY on it.

Thanks.

Jeremy
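The five steps in the post above, scripted as an added example (not code from the thread or from the iproute2/netfilter projects). It wraps steps 3 to 5 in shell functions, adds the interface-existence check that iptables itself does not perform (the "-o eth" typo described above is accepted and simply matches nothing), and finishes by showing the installed state with the verbose listing. All addresses, the interface name outside0 and the table names CLIENT1/CLIENT2 are placeholders; with DRY_RUN=1 (the default) the commands are printed rather than executed, so it runs without root or real interfaces.

```shell
#!/bin/sh
# Added example, not from the thread: per-client policy routing (iproute2)
# plus MASQUERADE (iptables), following the five steps in the post above.
# All addresses, interface and table names are placeholders.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (needs root).

DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Return 0 if interface $1 is in the space-separated list $2 (defaults to
# the kernel's list in /sys/class/net). iptables accepts any name for
# -i/-o at insertion time, so a rule for "eth" instead of "eth0" goes in
# silently and never matches; this check catches the typo beforehand.
iface_exists() {
    name="$1"
    list="${2:-$(ls /sys/class/net 2>/dev/null)}"
    for i in $list; do
        [ "$i" = "$name" ] && return 0
    done
    return 1
}

# Steps 3 and 4: select the client's table by source address, then give
# that table a default route via the preferred next-hop router.
# $1 client IP, $2 routing table (a name from /etc/iproute2/rt_tables or a
# number), $3 router on the outside LAN, $4 outside interface,
# $5 optional rule priority (default 100, as in the post).
setup_client_route() {
    client_ip="$1"; table="$2"; gateway="$3"; outside="$4"; prio="${5:-100}"
    run ip rule add from "$client_ip" table "$table" prio "$prio"
    run ip route replace default table "$table" via "$gateway" dev "$outside"
}

# Step 5: rewrite the source of everything leaving the outside interface,
# so the chosen router never sees inside addresses it has no route back to.
setup_masquerade() {
    run iptables -t nat -A POSTROUTING -o "$1" -j MASQUERADE
}

# Show what was actually installed: -v prints the in/out interface columns
# that plain -L omits, -n skips DNS lookups.
show_state() {
    run ip rule show
    run ip route show table "$1"
    run iptables -t nat -L POSTROUTING -v -n
}

demo() {
    outside="outside0"      # placeholder: the interface holding GW_OUTSIDE
    if [ "$DRY_RUN" != "1" ]; then
        iface_exists "$outside" || { echo "no such interface: $outside" >&2; return 1; }
    fi
    setup_client_route 192.168.1.10 CLIENT1 203.0.113.1 "$outside"
    setup_client_route 192.168.1.11 CLIENT2 203.0.113.2 "$outside" 101
    setup_masquerade "$outside"
    show_state CLIENT1
}

# Stand-alone use:  DRY_RUN=1 sh policy-nat.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

One rule per client and one table per preferred router is the minimum; if several clients should share a router, point their rules at the same table. A second client that should use a different router needs its own table and a distinct rule priority, as the demo shows.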

Per-client routing, plus masquerading -- possible?
user name
2006-03-23 12:23:45
Hi Jeremy,

On Thu, Mar 23, 2006 at 01:35:20AM -0800, Jeremy Elson told us:
> I have one more quick question: is there some way to get iptables -L to show full rules?  It seems that there are some aspects of the rules that exist but are not printed, such as the interface selected.  In other words:  when I type a command like:
>
>  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

try

iptables -L -v

this will give you additional information about your rules!

> ... and then later check my work with iptables -t nat -L, it doesn't show "tap0" anywhere.   I actually mistyped this as "eth" (without the 0) -- the original iptables command did not give me an error (non-existent interface!), and the -L command didn't show me the error :-(.

I don't think iptables checks if the interface exists on rule insertion time. Which makes sense in my opinion, so you can add rules e.g. for device ppp0 (or even all devices beginning with 'ppp' as expressed by 'ppp+') before the specific device has been created.

hope that helps!!


have a nice day 

Sven

--
Linux zion.homelinux.com 2.6.16-rc3-mm1_27 #27 Wed Feb 15 17:51:36 CET 2006 i686 athlon i386 GNU/Linux
 13:15:01 up 33 days, 17:30,  1 user,  load average: 0.18, 0.31, 0.46

Per-client routing, plus masquerading -- possible?
user name
2006-03-23 13:46:17
Jeremy Elson wrote:
> [ Oops, sent this to netfilter-devel before I realized this list existed.  D'oh! ]
>
>
> Hi,
>
> I'm trying to set up a Linux box as a NATting router.  But here's the trick: my box's external interface is on a LAN that has a whole bunch of next-hop routers on it, any of which can be used to access the Internet.  I'm trying to figure out how to configure iptables so that the NAT box selects the router to use based on client IP address (i.e., the IP address on the inside interface).
>
> In other words -- I'd like ipfilter to keep the destination IP address unchanged, but select a next-hop destination (e.g., by changing the destination MAC address) based on the source IP.   And, on top of all this, mangle the source address according to normal masquerading.
>
> I've been tinkering with a command like this:
>
> iptables -t nat -A POSTROUTING -i $INTERNAL_CLIENT_IP -o external-iface0 -j SNAT --to $EXTERNAL_ROUTER_IP
>
> ...but it seems that --to controls the new source address given to the packet (i.e., the router's outside-interface IP), and not the destination to which the NATted packet is sent.
>
> Could someone please point me in the right direction?  Or is this not possible?
>
> Thanks!
>
> --Jeremy
>

You just want to do source routing, look here

http://www.linuxguruz.com/iptables/howto/2.4routing-4.html#ss4.1

Per-client routing, plus masquerading -- possible?
user name
2006-03-27 06:13:07
Sven Schuster wrote:

> try
> 
> iptables -L -v
> 
> this will give you additional information about your rules!

Yep. -x and -n are also quite useful when viewing your configuration. "man iptables" is your friend.

> I don't think iptables checks if the interface exists on rule insertion time. Which makes sense in my opinion, so you can add rules e.g. for device ppp0 (or even all devices beginning with 'ppp' as expressed by 'ppp+') before the specific device has been created.

Agreed. Being able to insert rules for non-existent interfaces is definitely desirable and by design. It means rules can be in place before an interface comes up or even exists. This is highly useful from a security perspective and also provides flexibility about when you set up your firewall.

Menno