Jim,
First, let me say that I may not have caught all of your plan...but here
goes....
If you really wish to modify application layer data, shouldn't you be
looking at divert sockets [1], tun/tap usage [2], or optimally home-grown
code?
: OK, assuming this to be impossible. Let's try the ARP approach. I
: want to set up eth0 with ip 192.168.3.1 nat all packet addressed to
: 192.168.1.1 to 192.168.3.1 and ARP the address of 192.168.1.1 into
: eth0. I still have some problems, any suggestions appreciated.
: Here's what I've tried (along with many variations):
Hmmmmm.... I haven't ever tried to do exactly what you seem to suggest
here, but this may be an interesting approach. If you are going to use
NAT to solve your problem, you can try NATting each host into the other.
: arp -i eth0 -Ds 192.168.1.1 eth0 pub
: ip route add nat 192.168.1.1 via 192.168.3.1
: ip rule add from 192.168.3.1 nat 192.168.1.1
[ Note: I'm using the IP ranges you suggested in a prior mail. ]
host-0 +--------+ host-1
192.168.253.1 <--> eth0 <-- snoopy --> eth1 <--> 192.168.253.2
+--------+
Assuming that you want host-0 to reach host-1, but only through snoopy,
and you don't want to alter any network addressing on either host-0 or
host-1:
# ip route add 192.168.253.1 dev eth0
# ip route add 192.168.253.2 dev eth1
# ip route add nat 192.168.253.102 via 192.168.253.2 iif eth0
# ip rule add nat 192.168.253.102 from 192.168.253.2 iif eth1
# ip route add nat 192.168.253.101 via 192.168.253.1 iif eth1
# ip rule add nat 192.168.253.101 from 192.168.253.1 iif eth0
The nat route entry in the local routing table will take care of the ARP
advertising for you, so any packets from host-0 addressed to
192.168.253.102 should end up on 192.168.253.2, but with a source address
of 192.168.253.101.
So, a packet from host-0 to host-1 will look like this....
host-0 side of snoopy host-1 side of
Source: 192.168.253.1 192.168.253.101
Dest: 192.168.253.102 192.168.253.2
To me, this looks terribly convoluted and rather messy, not to mention
that I have never tried it! Nonetheless, I think this should work,
provided that the nat IPs you choose are not in use anywhere else in your
192.168.253.0/24 network.
: this alone is not sufficient, so I've tried adding routes for
: 192.168.1.1
: ip route add 192.168.1.1 dev eth0
: and so forth. I haven't yet been successful and would apprciate any
: help.
Now, if I might make another recommendation....
Take a look at bridging [3]. This project has been maturing very nicely,
and there have been very happy rumbles from people using the linux
bridging code. With the help of IP mode [4], you may get the control you
desire. Also look at the bridge + firewall documentation [5] and make
sure to fetch the br+nf patches if you are using a 2.4 kernel [6].
Good luck,
-Martin
[1] http://152.45.4.41/~divert/index.shtml
[2] http://vtun.sourceforge.net/tun/
[3] http://bridge.sourceforge.net/
[4] http://www.ssi.bg/~ja/bridging.txt
[5] http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
[6] http://sourceforge.net/projects/ebtables/
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@xxxxxxxxxxxxxx
