Re: [LARTC] snooping - plan B

Linux Advanced Routing and Traffic Control


 



Martin,

On 2003.07.30 00:49, Martin A. Brown wrote:

  host-0                    +--------+                    host-1
  192.168.253.1 <--> eth0 <-- snoopy --> eth1 <--> 192.168.253.2
                            +--------+

Assuming that you want host-0 to reach host-1, but only through snoopy,

At the routing level I don't want host-0 to reach host-1 at all. I do want to be able to open a socket on an interface and listen to host-0 and I do want to be able to write through a socket to host-1, but don't want any traffic directly between the two.


One interface is trivial, say eth1, set the ip to anything, hide the ARP, route packets to 192.168.253.2.

So now only eth0 is a problem. You can't set the IP to 192.168.253.2, if you do, you can't route to host-1. So now eth0 has to respond as 192.168.253.2 and nat packets to an internal address where they can be picked up (socket listen). In essence a "ping" to 192.168.253.2 from host-0 should be returned by snoopy.

As an added bonus, I'd like to not need to know host-0's IP, so _anything_ addressed to host-1 should end up at my internal interface.

I'd find it an interesting problem if it wasn't so simple and yet such a pain in the ...

Jim

and you don't want to alter any network addressing on either host-0 or host-1:

# ip route add 192.168.253.1 dev eth0
# ip route add 192.168.253.2 dev eth1
# ip route add nat 192.168.253.102 via 192.168.253.2 iif eth0
# ip rule add nat 192.168.253.102 from 192.168.253.2 iif eth1
# ip route add nat 192.168.253.101 via 192.168.253.1 iif eth1
# ip rule add nat 192.168.253.101 from 192.168.253.1 iif eth0

The nat route entry in the local routing table will take care of the ARP advertising for you, so any packets from host-0 addressed to 192.168.253.102 should end up on 192.168.253.2, but with a source address of 192.168.253.101.

So, a packet from host-0 to host-1 will look like this....

            host-0 side of snoopy             host-1 side of snoopy

    Source: 192.168.253.1                     192.168.253.101
      Dest: 192.168.253.102                   192.168.253.2

To me, this looks terribly convoluted and rather messy, not to mention that I have never tried it!  Nonetheless, I think this should work, provided that the nat IPs you choose are not in use anywhere else in your 192.168.253.0/24 network.

 : this alone is not sufficient, so I've tried adding routes for
 : 192.168.1.1
 : ip route add 192.168.1.1 dev eth0
 : and so forth.  I haven't yet been successful and would appreciate any
 : help.

Now, if I might make another recommendation....

Take a look at bridging [3].  This project has been maturing very nicely, and there have been very happy rumbles from people using the linux bridging code.  With the help of IP mode [4], you may get the control you desire.  Also look at the bridge + firewall documentation [5] and make sure to fetch the br+nf patches if you are using a 2.4 kernel [6].

Good luck,

-Martin

  [1]  http://152.45.4.41/~divert/index.shtml
  [2]  http://vtun.sourceforge.net/tun/
  [3]  http://bridge.sourceforge.net/
  [4]  http://www.ssi.bg/~ja/bridging.txt
  [5]  http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
  [6]  http://sourceforge.net/projects/ebtables/


-- Martin A. Brown --- SecurePipe, Inc. --- mabrown@xxxxxxxxxxxxxx


--


Jim Redman
(505) 662 5156 x85
http://www.ergotech.com
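As an added example (not Martin's or the list's code), here is a small Python model of what the four nat lines in Martin's reply do to a packet. It assumes the stateless semantics of the 2.4-era iproute2 `nat` route and rule types: a nat route rewrites the destination of packets arriving on its `iif` from the nat address to the real host, and a nat rule rewrites the source of packets from the real host arriving on its `iif` to the nat address. It traces the host-0 -> host-1 request and the reply through snoopy so the two-column packet table above can be checked, and flags nat addresses that collide with hosts already on the /24, the caveat Martin raises.

```python
"""Model of snoopy's stateless NAT routing (added example, no kernel involved)."""

# ip route add nat <nat_addr> via <real_host> iif <iif>
#   -> packets arriving on <iif> for <nat_addr> get their destination
#      rewritten to <real_host>
NAT_ROUTES = [
    ("192.168.253.102", "192.168.253.2", "eth0"),
    ("192.168.253.101", "192.168.253.1", "eth1"),
]
# ip rule add nat <nat_addr> from <real_host> iif <iif>
#   -> packets from <real_host> arriving on <iif> get their source
#      rewritten to <nat_addr>
NAT_RULES = [
    ("192.168.253.102", "192.168.253.2", "eth1"),
    ("192.168.253.101", "192.168.253.1", "eth0"),
]
# ip route add <host> dev <dev>
ROUTES = {"192.168.253.1": "eth0", "192.168.253.2": "eth1"}


def snoopy_forward(src: str, dst: str, iif: str) -> tuple[str, str, str]:
    """Return (src, dst, oif) for one packet as it leaves snoopy."""
    for nat_addr, real_host, rule_iif in NAT_ROUTES:   # destination rewrite
        if dst == nat_addr and iif == rule_iif:
            dst = real_host
            break
    for nat_addr, real_host, rule_iif in NAT_RULES:    # source rewrite
        if src == real_host and iif == rule_iif:
            src = nat_addr
            break
    return src, dst, ROUTES[dst]


def round_trip() -> list[tuple[str, str, str]]:
    """host-0 -> host-1 request and host-1's reply, both as they leave snoopy.

    host-1 answers to the source it saw, i.e. the nat address, arriving on eth1.
    """
    request = snoopy_forward("192.168.253.1", "192.168.253.102", "eth0")
    reply = snoopy_forward(request[1], request[0], "eth1")
    return [request, reply]


def conflicting_nat_addresses(hosts_in_use: set[str]) -> list[str]:
    """Nat addresses that are already taken by a real host on the /24."""
    nat_addrs = {nat for nat, _, _ in NAT_ROUTES} | {nat for nat, _, _ in NAT_RULES}
    return sorted(nat_addrs & hosts_in_use)


if __name__ == "__main__":
    for src, dst, oif in round_trip():
        print(f"src={src:16} dst={dst:16} out {oif}")
```

Neither host's real address ever appears in a packet on the other host's side of snoopy, which is what makes the mapping invisible to both ends.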

