I have a computer with two interfaces, say with addresses 192.168.1.1 and 192.168.1.2. I want to set up routing such that when I ping 192.168.1.1 it goes out through 192.168.1.2 and not to the local interface.

Is this possible? All my attempts so far have been unsuccessful. If so, pointers, etc. would be gratefully appreciated.

Jim

--
Jim Redman
(505) 662 5156 x85
http://www.ergotech.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Have you tried adding a static route for 192.168.1.1 via 192.168.1.2?

Madhuri

On Mon, 28 Jul 2003, Jim Redman wrote:

> I have a computer with two interfaces, say with addresses 192.168.1.1
> and 192.168.1.2. I want to set up routing such that when I ping
> 192.168.1.1 it goes out through 192.168.1.2 and not to the local
> interface.
> Is this possible - all my attempts so far have been unsuccessful? If
> so, pointers, etc. would be gratefully appreciated.
On 2003.07.28 11:24, Jim Redman wrote:

> I have a computer with two interfaces, say with addresses 192.168.1.1
> and 192.168.1.2. I want to set up routing such that when I ping
> 192.168.1.1 it goes out through 192.168.1.2 and not to the local
> interface. Is this possible - all my attempts so far have been
> unsuccessful? If so, pointers, etc. would be gratefully appreciated.

OK, assuming this to be impossible. Let's try the ARP approach. I want to set up eth0 with IP 192.168.3.1, NAT all packets addressed to 192.168.1.1 to 192.168.3.1, and ARP the address of 192.168.1.1 into eth0. I still have some problems, any suggestions appreciated.

Here's what I've tried (along with many variations):

    arp -i eth0 -Ds 192.168.1.1 eth0 pub
    ip route add nat 192.168.1.1 via 192.168.3.1
    ip rule add from 192.168.3.1 nat 192.168.1.1

This alone is not sufficient, so I've tried adding routes for 192.168.1.1:

    ip route add 192.168.1.1 dev eth0

and so forth. I haven't yet been successful and would appreciate any help.

Thanks,

Jim

--
Jim Redman
(505) 662 5156 x85
http://www.ergotech.com
Jim,

First, let me say that I may not have caught all of your plan...but here goes....

If you really wish to modify application layer data, shouldn't you be looking at divert sockets [1], tun/tap usage [2], or optimally home-grown code?

: OK, assuming this to be impossible. Let's try the ARP approach. I
: want to set up eth0 with ip 192.168.3.1 nat all packet addressed to
: 192.168.1.1 to 192.168.3.1 and ARP the address of 192.168.1.1 into
: eth0. I still have some problems, any suggestions appreciated.
: Here's what I've tried (along with many variations):

Hmmmmm.... I haven't ever tried to do exactly what you seem to suggest here, but this may be an interesting approach. If you are going to use NAT to solve your problem, you can try NATting each host into the other.

: arp -i eth0 -Ds 192.168.1.1 eth0 pub
: ip route add nat 192.168.1.1 via 192.168.3.1
: ip rule add from 192.168.3.1 nat 192.168.1.1

[ Note: I'm using the IP ranges you suggested in a prior mail. ]

          host-0                +--------+                host-1
   192.168.253.1 <--> eth0 <--   snoopy   --> eth1 <--> 192.168.253.2
                                +--------+

Assuming that you want host-0 to reach host-1, but only through snoopy, and you don't want to alter any network addressing on either host-0 or host-1:

  # ip route add 192.168.253.1 dev eth0
  # ip route add 192.168.253.2 dev eth1
  # ip route add nat 192.168.253.102 via 192.168.253.2 iif eth0
  # ip rule add nat 192.168.253.102 from 192.168.253.2 iif eth1
  # ip route add nat 192.168.253.101 via 192.168.253.1 iif eth1
  # ip rule add nat 192.168.253.101 from 192.168.253.1 iif eth0

The nat route entry in the local routing table will take care of the ARP advertising for you, so any packets from host-0 addressed to 192.168.253.102 should end up on 192.168.253.2, but with a source address of 192.168.253.101.

So, a packet from host-0 to host-1 will look like this....

              host-0 side of snoopy     host-1 side of snoopy

  Source:     192.168.253.1             192.168.253.101
  Dest:       192.168.253.102           192.168.253.2

To me, this looks terribly convoluted and rather messy, not to mention that I have never tried it! Nonetheless, I think this should work, provided that the nat IPs you choose are not in use anywhere else in your 192.168.253.0/24 network.

: this alone is not sufficient, so I've tried adding routes for
: 192.168.1.1
: ip route add 192.168.1.1 dev eth0
: and so forth. I haven't yet been successful and would appreciate any
: help.

Now, if I might make another recommendation....

Take a look at bridging [3]. This project has been maturing very nicely, and there have been very happy rumbles from people using the linux bridging code. With the help of IP mode [4], you may get the control you desire. Also look at the bridge + firewall documentation [5] and make sure to fetch the br+nf patches if you are using a 2.4 kernel [6].

Good luck,

-Martin

[1] http://152.45.4.41/~divert/index.shtml
[2] http://vtun.sourceforge.net/tun/
[3] http://bridge.sourceforge.net/
[4] http://www.ssi.bg/~ja/bridging.txt
[5] http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
[6] http://sourceforge.net/projects/ebtables/

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
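The six `ip route add nat` / `ip rule add nat` lines above are stateless 1:1 NAT: there is no connection tracking, so each direction needs its own destination entry (route) and source entry (rule), and the result must be checked by hand. The model below is an added example, not code from the thread or from iproute2; it replays Martin's configuration on constructed packets in both directions and enforces his caveat that an alias address must not belong to a live host. The `Packet`, `NatRoute`, `NatRule` and `StatelessNat` names, the interface names and the addresses used for the check are assumptions for the example.

```python
"""Model of iproute2 stateless 1:1 NAT (`ip route add nat` / `ip rule add nat`).

Added example, not code from the LARTC thread. It replays Martin's six-line
configuration for snoopy on packets in both directions so the address rewriting
can be checked before touching a real box. Only source, destination and ingress
interface are modelled; packets and interface names are constructed.
"""
import dataclasses
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iif: str  # interface the packet arrived on


@dataclass(frozen=True)
class NatRoute:
    """ip route add nat ALIAS via REAL iif IIF: rewrite destination ALIAS -> REAL."""
    alias: str
    real: str
    iif: str


@dataclass(frozen=True)
class NatRule:
    """ip rule add nat ALIAS from REAL iif IIF: rewrite source REAL -> ALIAS."""
    alias: str
    real: str
    iif: str


class StatelessNat:
    """No connection tracking: every direction needs its own explicit entries."""

    def __init__(self, routes, rules, live_addresses):
        aliases = {r.alias for r in routes} | {r.alias for r in rules}
        clash = aliases & set(live_addresses)
        if clash:
            # Martin's caveat: an alias that is also a real host on the
            # segment would have two owners on the wire.
            raise ValueError(f"NAT alias in use by a live host: {sorted(clash)}")
        self.routes = list(routes)
        self.rules = list(rules)

    def translate(self, pkt: Packet) -> Packet:
        out = pkt
        for rule in self.rules:  # source rewrite, matched on the original header
            if pkt.iif == rule.iif and pkt.src == rule.real:
                out = dataclasses.replace(out, src=rule.alias)
                break
        for route in self.routes:  # destination rewrite, matched on the original header
            if pkt.iif == route.iif and pkt.dst == route.alias:
                out = dataclasses.replace(out, dst=route.real)
                break
        return out


def snoopy_nat() -> StatelessNat:
    """Martin's configuration from the thread, expressed as data."""
    routes = [
        NatRoute("192.168.253.102", "192.168.253.2", "eth0"),
        NatRoute("192.168.253.101", "192.168.253.1", "eth1"),
    ]
    rules = [
        NatRule("192.168.253.102", "192.168.253.2", "eth1"),
        NatRule("192.168.253.101", "192.168.253.1", "eth0"),
    ]
    return StatelessNat(routes, rules,
                        live_addresses=["192.168.253.1", "192.168.253.2"])


def round_trip(nat: StatelessNat, src: str, alias_dst: str, iif: str, back_iif: str):
    """Push one packet through snoopy, then the far host's reply back; return both."""
    forward = nat.translate(Packet(src, alias_dst, iif))
    reply = nat.translate(Packet(forward.dst, forward.src, back_iif))
    return forward, reply


if __name__ == "__main__":
    fwd, rep = round_trip(snoopy_nat(), "192.168.253.1", "192.168.253.102", "eth0", "eth1")
    print("host-1 sees:", fwd.src, "->", fwd.dst)
    print("host-0 sees:", rep.src, "->", rep.dst)
```

Two things the model makes visible: the reply from host-1 comes back to host-0 from 192.168.253.102, so host-0 must keep addressing the alias; and a packet from host-0 sent straight to 192.168.253.2 still has its source rewritten, because the `ip rule nat` entry matches on source only. Stateless NAT does not prevent the direct path, which is the part of Jim's requirement it cannot satisfy.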
Martin,

On 2003.07.30 00:49, Martin A. Brown wrote:

>          host-0                +--------+                host-1
>   192.168.253.1 <--> eth0 <--   snoopy   --> eth1 <--> 192.168.253.2
>                                +--------+
>
> Assuming that you want host-0 to reach host-1, but only through
> snoopy,

At the routing level I don't want host-0 to reach host-1 at all. I do want to be able to open a socket on an interface and listen to host-0, and I do want to be able to write through a socket to host-1, but I don't want any traffic directly between the two.

One interface is trivial, say eth1: set the IP to anything, hide the ARP, route packets to 192.168.253.2. So now only eth0 is a problem. You can't set the IP to 192.168.253.2; if you do, you can't route to host-1. So now eth0 has to respond as 192.168.253.2 and NAT packets to an internal address where they can be picked up (socket listen). In essence a "ping" to 192.168.253.2 from host-0 should be returned by snoopy.

As an added bonus, I'd like to not need to know host-0's IP, so _anything_ addressed to host-1 should end up at my internal interface.

I'd find it an interesting problem if it wasn't so simple and yet such a pain in the ...

Jim

--
Jim Redman
(505) 662 5156 x85
http://www.ergotech.com
Thanks for the help from the list so far. It's now reduced to an ARP problem.

    host0
    192.168.253.1----snoopy(eth0 192.168.253.254)

Now ping 192.168.253.2 and get snoopy to respond. This can be done with netfilter (but not, apparently, with ip).

    iptables -A PREROUTING -t nat -p icmp -d 192.168.253.2 -j DNAT --to 192.168.253.254

    /sbin/arp -i eth0 -Ds 192.168.253.2 eth0 pub

gets you a "host unreachable" from 192.168.253.1, BUT if on host0 you:

    /sbin/arp -s 192.168.253.2 HWADDR

then ping goes through.

Help from ARP experts (or others!) much appreciated.

Jim

--
Jim Redman
(505) 662 5156 x85
http://www.ergotech.com
Jim,

I must be uncommonly dense, because I still haven't a clue what you are trying to do. I'll take one last stab at it, though.

: host0
: 192.168.253.1----snoopy(eth0 192.168.253.254)
:
: Now ping 192.168.253.2 and get snoopy to respond. This can be done
: with netfilter (but not, apparently with ip).

Accurate, as far as I know.

: iptables -A PREROUTING -t nat -p icmp -d 192.168.253.2 -j DNAT --to 192.168.253.254

Sure.

: /sbin/arp -i eth0 -Ds 192.168.253.2 eth0 pub
: gets you a "host unreachable" from 192.168.253.1

Have you tried this?

  arp -s 192.168.253.2 -i eth0 -D eth0 pub

Sadly, /sbin/arp (at least on my test boxen) seems to be persnickety about the order of arguments and options.

: BUT if on host0 you:
: /sbin/arp -s 192.168.253.2 HWADDR
:
: then ping goes through.
: Help from ARP experts (or others!) much appreciated.

If you really wish to get your hands dirty with ARP, you can always have ultimate control with "ip arp", a kernel + iproute2 patch.

  http://www.ssi.bg/~ja/#iparp

Bonne chance,

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
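Jim's `arp -i eth0 -Ds 192.168.253.2 eth0 pub` and Martin's reordered form both ask the kernel to answer ARP requests for 192.168.253.2 arriving on eth0 with snoopy's own hardware address, so that host-0's ARP cache points at snoopy and the DNAT rule gets the packets. The model below is an added example, not code from the thread or from net-tools: it builds and parses RFC 826 Ethernet/IPv4 ARP frames and implements that publish decision in user space. The MAC addresses, the request frame and the `ArpFrame` / `ProxyArpResponder` names are constructed for the example.

```python
"""Proxy-ARP publish decision, modelled in user space.

Added example, not code from the LARTC thread. It shows what `arp ... pub`
asks the kernel to do: answer ARP requests for an address the box does not
own with its own MAC. Frame layout follows RFC 826 over Ethernet. All MAC
addresses and the sample request are constructed for the example.
"""
import ipaddress
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


@dataclass(frozen=True)
class ArpFrame:
    dst_mac: str
    src_mac: str
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    def pack(self) -> bytes:
        """Ethernet header (14 bytes) + ARP body (28 bytes)."""
        eth = mac_bytes(self.dst_mac) + mac_bytes(self.src_mac) + struct.pack("!H", ETHERTYPE_ARP)
        arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, self.op)  # htype, ptype, hlen, plen, op
        arp += mac_bytes(self.sender_mac) + ipaddress.IPv4Address(self.sender_ip).packed
        arp += mac_bytes(self.target_mac) + ipaddress.IPv4Address(self.target_ip).packed
        return eth + arp

    @classmethod
    def unpack(cls, frame: bytes) -> "ArpFrame":
        if len(frame) < 42:
            raise ValueError("frame too short for Ethernet+ARP")
        etype = struct.unpack("!H", frame[12:14])[0]
        if etype != ETHERTYPE_ARP:
            raise ValueError(f"not ARP: ethertype 0x{etype:04x}")
        htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            raise ValueError("unsupported ARP hardware/protocol type")
        body = frame[22:42]
        return cls(mac_str(frame[0:6]), mac_str(frame[6:12]), op,
                   mac_str(body[0:6]), str(ipaddress.IPv4Address(body[6:10])),
                   mac_str(body[10:16]), str(ipaddress.IPv4Address(body[16:20])))


class ProxyArpResponder:
    """Answer requests for the box's own addresses plus the published ones.

    `published` plays the role of the `pub` entries on one interface; the
    reply carries our MAC for the requested IP, exactly as ARP spoofing does.
    """

    def __init__(self, own_mac: str, own_ips, published):
        self.own_mac = own_mac
        self.answer_for = {ipaddress.IPv4Address(ip) for ip in list(own_ips) + list(published)}

    def handle(self, frame: bytes):
        """Return a reply frame for a matching request, else None."""
        req = ArpFrame.unpack(frame)
        if req.op != ARP_REQUEST:
            return None  # replies and gratuitous ARP are never answered
        if ipaddress.IPv4Address(req.target_ip) not in self.answer_for:
            return None
        reply = ArpFrame(dst_mac=req.src_mac, src_mac=self.own_mac, op=ARP_REPLY,
                         sender_mac=self.own_mac, sender_ip=req.target_ip,
                         target_mac=req.sender_mac, target_ip=req.sender_ip)
        return reply.pack()


def sample_request() -> bytes:
    """Constructed: host-0 (192.168.253.1) asks who has 192.168.253.2."""
    return ArpFrame(BROADCAST, "02:00:00:00:00:01", ARP_REQUEST,
                    "02:00:00:00:00:01", "192.168.253.1",
                    "00:00:00:00:00:00", "192.168.253.2").pack()


if __name__ == "__main__":
    snoopy = ProxyArpResponder("02:00:00:00:00:fe", ["192.168.253.254"], ["192.168.253.2"])
    reply = snoopy.handle(sample_request())
    print(ArpFrame.unpack(reply))
```

On a real Linux box this logic would sit behind an `AF_PACKET` raw socket bound to eth0 with ethertype `0x0806`; the kernel's `pub` entry does the same thing without the round trip to user space. The responder is deliberately per-interface: in the thread's topology 192.168.253.2 must be published on eth0 only, since publishing it on eth1 would have snoopy answering against the real host-1 on that segment, which is the same mechanism an ARP spoofing attack relies on.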