Hi,
On Fri, Jan 16, 2009 at 11:19, Thom Paine <painethom at gmail.com>
wrote:> Is there some step with networking that I am missing in getting this to
work?
Yes, the packet must return to the original source in the Internet
with the y.y.y.y source IP.
Your machine with IP x.x.x.x probably has a default gateway in eth0,
so it will probably try to return the packets through that interface.
I see three alternatives here to make this work:
1) Route any TCP packets with source IP 10.10.10.1 and source port 25
using 10.10.10.4 as the gateway. This can be done with help of the
utilities in the iproute2 package, with the "ip" command (see
"man
ip"). This is quite complex but I'm almost sure it can be done. Read
http://lartc.org/howto/. I think you can also use iptables to mark the
packages with that specification and then use the "ip" command to
route them through that gateway.
2) Configure the NAT of the machine with IP y.y.y.y to rewrite the
packets to y.y.y.y:25 not only with new destination 10.10.10.1:25 but
with source 10.10.10.4. That way the connection will return to the
machine with IP y.y.y.y that will be able to NAT it back to the
original y.y.y.y:25 address on the source and the original address on
the internet as the destination. The problem here is that the box with
IP x.x.x.x does not know from where the original connection came, it
looks like all the connections are coming from 10.10.10.4.
3) Configure the machine with IP y.y.y.y to send the packets unchanged
to machine with IP 10.10.10.1, that is, with y.y.y.y still as the
destination address (in other words, no NAT is being done here, the
machine is only using 10.10.10.1 to resolve a MAC address and forward
the packet to that machine). Machine with IP x.x.x.x *must* have
y.y.y.y/32 as an alias in one of the interfaces, otherwise it will
reject the packet. Usually the loopback interface is the one used for
that (add the y.y.y.y IP to lo:0). This way, the machine with IP
x.x.x.x will return the packets through the original source in the
Internet through its eth0 interface, the one with x.x.x.x IP, but as
the packets have never been rewritten and the machine considers
y.y.y.y an IP of its own, it is going to send the packet back with
source y.y.y.y:25, which is what is needed for the original host to
recognize the connection. This will make the traffic asymetric,
entering your network through the y.y.y.y Internet line, but leaving
through the x.x.x.x Internet line. Not 100% sure on how to implement
the tricky routing without NATing on Linux, almost sure it's possible
though. It will probably involve iptables to mark the connection and
then using the tools in iproute2 to route them without rewriting.
There is a slight issue here that from host with IP x.x.x.x you will
not be able to start connections to y.y.y.y and have them routed
(through the Internet) to your other host, but you will still reach it
through 10.10.10.4 which is probably what you will want.
> (I use gshield)
Then you should probably ask in a gshield mailing list how to do it
with that specific tool. All of the above assumes iptables and
iproute2 only, so it might not be directly applicable on the gshield
configuration you already have.
On Fri, Jan 16, 2009 at 17:57, nate <centos at linuxpowered.net>
wrote:> If it was my setup I wouldn't do either instead I would fire up a
> VM that had the other gateway as it's default gateway, keep it
> simpler.
Just my opinion, but I wouldn't say that firing up a VM would make
anything "simpler"... Now instead of one problem you got two... :-)
Not to say that it wouldn't be possible, and if you're well versed in
VM technology and already have the infrastructure it may be a good way
to solve such a problem. However, if you don't, then you will have to
worry about VM-specific issues, VM-specific networking (which can get
quite tricky, especially in a host with more than one interface),
VM-related performance issues... Not to mention that you have to
administrate, maintain and update two hosts instead of one.
In the case of the OP, I would urge him to evaluate if that network
topology really makes sense. Does it make sense having two hosts with
two different connections? In that case, does it make sense to run
services like mail/web servers on these hosts? Shouldn't they be
dedicated routers/firewalls instead? And do you really need to use
port forwarding connections to a host that is already directly
connected to the internet?
HTH,
Filipe