Hi gurus,

I need a way to do SNAT based on source MAC before routing. This is because hosts attached to my gateway can have duplicate IP addresses, and I have to distinguish between them.

I tried to use the nat tool that comes with iproute2, but this forces a mapping only from address to address, and I wanted to do it by mark (I also use iptables to do that). For example, I tried this:

iptables -t mangle -A PREROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX -j MARK --set-mark 1
ip rule add fwmark 1 nat to a.b.c.d lookup table <table>

And so I also did:

ip route add nat a.b.c.d via e.f.g.h
(where e.f.g.h is the IP associated with MAC XX:XX:XX:XX:XX:XX)

This doesn't work.

I also tried to do a loop with the packets, forwarding them the first time through the loopback interface (doing SNAT in POSTROUTING with iptables) and routing them correctly the next time they come (having passed through lo). I do this by marking the packets coming from the lo interface, and having a corresponding ip rule that forces them to go through the correct output interface (let it be eth1). This way, I would be able to make a different routing policy for each host (because the NAT'ed address is different for each one). The only thing I observe is a funny looping that makes packets go round my box until they die (TTL=0).

Can someone help me, please?
Thanks in advance, and excuse my long mail.

Eduard.

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
As far as I know you cannot do SNAT in PREROUTING.

If I understand your situation correctly, what you can do is to mark the packets like you do below and route them with iproute2 according to that mark, and at the very end of the packet flow in your Linux box you can SNAT based on the MAC:

1) When the packet arrives:
iptables -t mangle -A PREROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX -j MARK --set-mark 1

2) Use the mark to route the packet through the right interface:
ip rule add fwmark 1 table 7

3) SNAT the packet right before it leaves the Linux box:
iptables -t nat -A POSTROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX -j SNAT --to a.b.c.d

Ramin

On Wed, Nov 20, 2002 at 08:09:17PM +0100, Eduard Calvo (B-teljpa) EXP JAN 03 wrote:
> I need a way to do SNAT based on source MAC before routing. This is because
> hosts attached to my gateway can have duplicate IP addresses, and I have to
> distinguish between them.
> [...]
> iptables -t mangle -A PREROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX -j
> MARK --set-mark 1
> ip rule add fwmark 1 nat to a.b.c.d lookup table <table>
Hi Ramin,

Thanks for your answer. But this solution is not suitable for me. This would be a good solution if the only thing I had to do was to route packets based on MAC. The problem is that I have to SNAT before routing.

The reason is that I have to capture HTTP traffic and redirect it through a local Apache server that I have in my Linux box. The server has to be able to distinguish between hosts, and if I do SNAT in POSTROUTING it will see the real IP address of the packet, and not the NAT'ed address. I wonder if maybe Apache has access to fields of the IP header (like TOS), because I would use these fields to make Apache distinguish clients.

Another solution is to implement a local process that, for each packet captured, NATs the source address. But I don't know in which chain of iptables it could leave the packets...

Do you know another suitable alternative?

Please excuse my English, it's not my native language.
Thank you in advance.

Eduard.

Message quoted from Ramin Alidousti <ramin@cannon.eng.us.uu.net>:
> As far as I know you cannot do SNAT in PREROUTING.
> [...]
> 3) SNAT the packet right before it leaves the Linux box:
> iptables -t nat -A POSTROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX -j SNAT
> --to a.b.c.d
On Thu, Nov 21, 2002 at 10:08:59AM +0100, Eduard Calvo (B-teljpa) EXP JAN 03 wrote:
> The reason is that I have to capture HTTP traffic and redirect it through a
> local Apache server that I have in my Linux box. The server has to be able to
> distinguish between hosts, and if I do SNAT in POSTROUTING it will see the real
> IP address of the packet, and not the NAT'ed address.
> [...]
> Do you know another suitable alternative?

If you want to have a log of the HTTP activity based on the MAC then I'd suggest you do something like this:

iptables -t mangle -A PREROUTING -p tcp --syn --dport 80 -m mac \
  --mac-source XX:XX:XX:XX:XX:XX -j LOG --log-prefix "Machine A"
iptables -t mangle -A PREROUTING -p tcp --syn --dport 80 -m mac \
  --mac-source YY:YY:YY:YY:YY:YY -j LOG --log-prefix "Machine B"
iptables -t mangle -A PREROUTING -p tcp --syn --dport 80 -m mac \
  --mac-source ZZ:ZZ:ZZ:ZZ:ZZ:ZZ -j LOG --log-prefix "Machine C"

But if you want to do something at HTTP level based on the MAC, the only thing I can think of is to run Apache on different ports and redirect the traffic based on the MAC to these separate ports.

Ramin
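As an added example (not code from the thread, not Ramin's or Eduard's), here is a small POSIX shell generator that emits, per host, the rules of the mark-then-route-then-SNAT scheme from Ramin's first reply together with the per-host REDIRECT to a separate Apache port from his second one. One caveat a practitioner would apply: the iptables mac match is documented as meaningful only in the PREROUTING, FORWARD and INPUT chains, so the generator matches the MAC once in mangle PREROUTING and carries the host identity to nat POSTROUTING with the fwmark instead of matching the MAC again there. The MAC/IP list, marks, table numbers and Apache ports are constructed; the routing tables the ip rules point at still have to be populated by hand (e.g. a default route in each). The script only prints the commands, so it can be reviewed before anything is applied as root.

```shell
#!/bin/sh
# Added example, not from the thread. Prints iptables/iproute2 rules that
# key a host's routing, SNAT address and local Apache port on its MAC.
# All MACs, addresses, marks, table numbers and ports below are constructed.

# valid_mac MAC : succeeds when MAC looks like aa:bb:cc:dd:ee:ff
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# host_rules MAC NATADDR MARK TABLE APACHE_PORT
# The MAC is matched only in PREROUTING (where -m mac is meaningful); the
# fwmark then selects the routing table and the SNAT address. Port-80 traffic
# is REDIRECTed in nat PREROUTING to a per-host Apache port, so it goes to
# INPUT and never reaches the POSTROUTING SNAT rule; Apache tells hosts apart
# by the port it received the connection on.
host_rules() {
    mac=$1; nat=$2; mark=$3; table=$4; port=$5
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    cat <<EOF
iptables -t mangle -A PREROUTING -m mac --mac-source $mac -j MARK --set-mark $mark
ip rule add fwmark $mark table $table
iptables -t nat -A PREROUTING -m mac --mac-source $mac -p tcp --dport 80 -j REDIRECT --to-ports $port
iptables -t nat -A POSTROUTING -m mark --mark $mark -j SNAT --to-source $nat
EOF
}

# gen_rules : reads "MAC NATADDR MARK TABLE APACHE_PORT" lines on stdin,
# skips blank and '#' lines, prints the rules, and fails if any MAC is bad
gen_rules() {
    rc=0
    while read -r mac nat mark table port; do
        case $mac in ''|'#'*) continue ;; esac
        host_rules "$mac" "$nat" "$mark" "$table" "$port" || rc=1
    done
    return $rc
}

# Constructed sample host list (hypothetical values).
SAMPLE_HOSTS='# mac               nat-addr  mark table apache-port
00:11:22:33:44:55 10.0.1.1  1    101   8081
00:11:22:33:44:66 10.0.1.2  2    102   8082'

# Run with --demo to print the rules for the sample list.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_HOSTS" | gen_rules
fi
```

Because REDIRECT'ed packets are delivered locally, the POSTROUTING SNAT only affects traffic the box forwards; this is exactly why SNAT in POSTROUTING alone does not help Apache, and why the per-port trick is needed for the local server.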
On Thu, 2002-11-21 at 10:08, Eduard Calvo (B-teljpa) EXP JAN 03 wrote:
> The reason is that I have to capture HTTP traffic and redirect it through a
> local Apache server that I have in my Linux box. The server has to be able to
> distinguish between hosts, and if I do SNAT in POSTROUTING it will see the real
> IP address of the packet, and not the NAT'ed address. I wonder if maybe Apache
> has access to fields of the IP header (like TOS), because I would use these
> fields to make Apache distinguish clients.

Hi Eduard,

You will never get SNAT in PREROUTING in iptables/netfilter, because it would seriously mess up filtering and connection tracking :-)

However, you should talk to Henrik Nordström of Squid proxy fame. Here is his homepage with contact email address on it:
http://devel.squid-cache.org/hno/

Here's the reason: for a very long time in the 2.4 series, it was impossible to do DNAT in the OUTPUT chain (it was a TODO item for the netfilter developers). Henrik had a patch he wrote that allowed DNAT in the OUTPUT chain and SNAT in the INPUT chain. This would allow you to solve your problem. However, apparently the SNAT part of the patch was quite intrusive, and IIRC had issues with conntrack/NAT helpers. At 2.4.19-pre time, the "DNAT in OUTPUT" part of the patch was accepted by the netfilter core team and merged, but the "SNAT in INPUT" part of the patch got rejected. There was some discussion, and part of why it didn't get merged was that there weren't enough real-world scenarios people could come up with to convince the core team to accept this (the intrusiveness of the patch probably being another major reason :-)). I guess Henrik, being a Squid lead developer, could see the usefulness of this patch at the time.

I think an obsolete version of the patch is still in the netfilter patch-o-matic. It will almost certainly not apply to 2.4.20-pre/rc/final because of the newnat merge.

Henrik's a very nice and helpful guy, so you may try emailing him about your problem; he may offer some help or additional insight. It would be nice to subscribe to the netfilter-devel list for your problem and include the netfilter developers in the mail loop.

The information I am presenting you is many months old, so there may be stuff I am missing and people may have new insights into the problem...

Regards,
Filip