Hello people,

I have a router machine, kernel 2.4.20 with 4 physical interfaces (but many more virtual ones over different VLANs). We need to NAT/route between hosts on different VLANs, but with the same address, for instance, 10.0.0.2 reachable via eth0.2 needs to talk to 10.0.0.2 which is on eth0.3. Clearly if they were of different subnets this poses no problem, but I want to create an iproute2-based setup where they each know each other by a different address, as set on the router, for instance one could access the other at 10.1.1.2 and the other will access the first one at 10.1.2.2. In other words:

Host A[]--------[Router]------[]Host B

A and B's address is the same, each knows the other at addresses A' and B' as NATed by the router.

This solution should be possible with iproute2 logically, but I have exhausted Google and this list's archives trying to find documentation for this. Just adding a rule and route to each as the FAQs simply list (for static NAT) does not give the expected results. I'll forward here any outputs you may be interested in, let me know how I can help you help me.

Our final goal is to be able to do a proof of concept of this with N physical interfaces and M VLANs on each, and see what the limits and overheads do.

Thanks in advance,
Ira

-- 
On orange alert
Ira Abramov
http://ira.abramov.org/email/

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Quoting Ira Abramov, from the post of Wed, 19 Nov:
> I have a router machine, kernel 2.4.20 with 4 physical interfaces (but
> many more virtual ones over different VLANs). we need to NAT/route
> between hosts on different VLANs, but with the same address, for
> instance, 10.0.0.2 reachable via eth0.2 needs to talk to 10.0.0.2 which
> is on eth0.3.

I'll simplify it further. What I need is a mechanism that translates the source BEFORE routing and then the destination AFTER routing. Is that possible with iproute2 or do I need to resort to netfilter?

-- 
All rights reserved
Ira Abramov
http://ira.abramov.org/email/
Quoting David Ruggles, from the post of Wed, 19 Nov:
> (Someone with more knowledge tell me if I'm wrong)

Well, I'm no veteran either, but the man page said one can only do DNAT in OUTPUT and PREROUTING while SNAT works only on POSTROUTING, which is the other way around from what I need...

> As far as I know the only way to modify packet addresses is to use the
> PREROUTING and POSTROUTING chains in the nat table.
>
> An example might be
>
> Machine A ip 10.0.0.2 ----> Gateway ip 10.0.0.1 eth0 <-> Gateway ip 10.0.0.3 eth1 ----> Machine B ip 10.0.0.2
>
> On Gateway issue following:
>
> iptables -t nat -A PREROUTING -i eth0 -d 10.0.0.1 -j DNAT --to-destination 10.0.0.2
> iptables -t nat -A POSTROUTING -o eth1 -d 10.0.0.2 -j SNAT --to-source 10.0.0.1
>
> I'm not sure this will work though because how will the gateway know to send
> 10.0.0.2 out eth1 and not back out eth0?

My problem precisely...

-- 
A little something for the ladies
Ira Abramov
http://ira.abramov.org/email/
Hey there,

I wish people threw in more ideas... What I tried now is this: my problem is that I need to route the packet on the way out according to the original destination, but the only place it will NAT the destination is before routing, so what I did was mark packets with the netfilter MARK target and then have iproute2's code select the routing table based on the fwmark. It's convoluted but should work in theory:

1) MARK the incoming packet in table mangle on chain PREROUTING and OUTPUT
2) add a rule to the RPDB to map the NAT source based on the source and iface it came by, and then it goes to table main by default (problem! it should be a map based on the destination!)
3) open a new table (same ID as the MARK for convenience) and add NAT to destination back to its real address (thus losing the original target, all I have left is the MARK to route with)
4) packet goes back to traverse the RPDB, where I catch it with another, lower priority rule than (2) based on the fwmark, sending it to the table I opened in (3) where I have a route to the right interface for the real address.

Now this would work in theory if I could do (2) as NAT and then traverse the RPDB again without sending it to a specific lookup table. Is this making sense? Or can I send it to the local table and it will traverse the rest of the RPDB when it gives up? Am I missing another way of doing this without a routing table per interface?

Any and all help is appreciated in advance,
Thanks,
Ira.

-- 
The little prince
Ira Abramov
http://ira.abramov.org/email/
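The fwmark scheme sketched in the posts above, worked through as an added example that is not from any message in this thread: netfilter does the address rewriting (DNAT before routing, SNAT after it) and iproute2 is only used to pick the routing table from the mark. Everything about the layout is my assumption, not something the thread states: the trunk is eth0 with one 802.1q sub-interface eth0.<vlan> per VLAN, every VLAN carries the real subnet 10.0.0.0/24 with the router at 10.0.0.1 on each sub-interface, host 10.0.0.<h> on VLAN <v> is seen from the other VLANs as 10.1.<v>.<h>, and each host routes 10.1.0.0/16 via 10.0.0.1. The one design point that differs from the four-step plan above is that the mark encodes both the ingress and the egress VLAN (id * 4096 + id): the POSTROUTING SNAT cannot match the input interface, so a mark keyed on the destination alone would route correctly but could not tell two same-addressed senders on different VLANs apart. The script generalizes the thread's two-host case to any number of VLANs and hosts, and only prints the commands unless APPLY=1 is set, so the rule set can be reviewed before it touches a live router.

```shell
#!/bin/sh
# Added example: cross-VLAN NAT between hosts that share a real address,
# driven by an fwmark that encodes (ingress VLAN, egress VLAN).
# Assumed layout (not from the thread): trunk eth0, sub-interface eth0.<vlan>,
# real subnet 10.0.0.0/24 on every VLAN, router is 10.0.0.1 on each one,
# host 10.0.0.<h> on VLAN <v> is reachable from other VLANs as 10.1.<v>.<h>.
# Prints the commands unless APPLY=1 is set.

: "${APPLY:=0}"
TRUNK=eth0
REAL_NET=10.0.0.0/24

# Execute a command, or just print it when only generating.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# One mark per (ingress, egress) VLAN pair; 4096 leaves room for any 802.1q id.
mark_for() { echo $(( $1 * 4096 + $2 )); }

# Alias address under which host $2 (last octet) of VLAN $1 is seen elsewhere.
alias_of() { echo "10.1.$1.$2"; }

# Routing table <vlan> holds one route: the real subnet via that VLAN's
# sub-interface. Choosing the table by mark is what disambiguates 10.0.0.2
# behind eth0.2 from 10.0.0.2 behind eth0.3.
vlan_table() {
    run ip route add "$REAL_NET" dev "$TRUNK.$1" table "$1"
}

# Rules for traffic entering on VLAN $1 and leaving on VLAN $2.
#   $3: hosts (last octets) living on VLAN $1   $4: hosts living on VLAN $2
pair_rules() {
    s=$1; d=$2; m=$(mark_for "$s" "$d")
    # Mark-selected lookup: anything marked for this pair routes out VLAN $d.
    run ip rule add fwmark "$m" table "$d"
    for h in $4; do
        # mangle PREROUTING runs before nat PREROUTING, so the alias destination
        # is still visible when the mark is set; the same rule marks replies too.
        run iptables -t mangle -A PREROUTING -i "$TRUNK.$s" -d "$(alias_of "$d" "$h")" \
            -j MARK --set-mark "$m"
        # Alias -> real destination, before routing.
        run iptables -t nat -A PREROUTING -i "$TRUNK.$s" -d "$(alias_of "$d" "$h")" \
            -j DNAT --to-destination "10.0.0.$h"
    done
    for h in $3; do
        # Real -> alias source, after routing. POSTROUTING cannot see the ingress
        # interface, so the mark stands in for it.
        run iptables -t nat -A POSTROUTING -m mark --mark "$m" -s "10.0.0.$h" \
            -j SNAT --to-source "$(alias_of "$s" "$h")"
    done
}

# Whole rule set for a topology given as "vlan:host,host vlan:host ...".
# Emits one table per VLAN and one pair_rules block per ordered VLAN pair.
gen_rules() {
    for spec in $1; do vlan_table "${spec%%:*}"; done
    for a in $1; do
        for b in $1; do
            [ "$a" = "$b" ] && continue
            pair_rules "${a%%:*}" "${b%%:*}" \
                "$(echo "${a#*:}" | tr , ' ')" "$(echo "${b#*:}" | tr , ' ')"
        done
    done
}

# The thread's case: 10.0.0.2 on VLAN 2 and 10.0.0.2 on VLAN 3.
gen_rules "2:2 3:2"
```

A few things to keep in mind when trying this: the nat table only sees the first packet of a connection and conntrack undoes both translations on the replies, but the replies still pass the mangle rule (their destination is the alias of the original sender) and so land in the right table; the ip rule entries are exact-match fwmark rules with no mask, which is the form the iproute2 of that era supports, so each ordered VLAN pair needs its own rule; and rp_filter on the router is likely to object to the same source address arriving on several sub-interfaces with overlapping connected routes in main, so check it per sub-interface and relax it there only, rather than turning it off globally.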