Re: Q: Routing the Same IP simultaneously on different computers ?

Linux Advanced Routing and Traffic Control

There's only one reason I could possibly see someone wanting to do this. That is to fool server software on the DMZ into using the public IP address. For example, say the server was sending out the local IP address to the clients to initiate further connections. If the server software is not firewall friendly it may not check for the external IP and rather would send the internal IP. Other than that, I can't see any reason to do this.

Anyway, here's the dilemma. You cannot change the destination IP address of a packet prior to routing. If that IP address you're sending to is the same IP address that is assigned to one of the interfaces on the router then your packet will not be sent out the LAN interface. This is because when traversing the route tables, the first table, local, will match the packet.

This problem seems rather complex at first. Assuming you don't change the local table at all you can accomplish what you want to do by adding in a second Linux router. Basically you would run NAT and DMZ just like a normal network with private IPs. The DMZ would be assigned a placeholder IP address, like 192.168.0.10. The second Linux router would forward all traffic, except traffic that matched 192.168.0.10; for this traffic it would translate the IP address to the public IP address. This functionality can be condensed into one machine by adding two interfaces to the machine and building a bridge between the interfaces. By looping the LAN interface through this bridge, you can then perform the DNAT as the traffic passes through the bridge. This requires the br-nf patch for 2.4 kernels (not required for 2.6).

There is however a simpler solution. It didn't occur to me at first because I've never done it, and never had a need to. Anyway, you need to make two extra routing tables in /etc/iproute2/rt_tables. Call them local2 and dmz. You need to delete the public ip route from the local table and move it to the local2 table. Then you need to add a rule to the other table that looks like this:
ip route add 2.2.2.2 dev eth1 table dmz
2.2.2.2 is your public ip, and eth1 is your lan interface. Change them for your setup.
Now you need to add the rules to lookup these tables in the correct order. 
ip rule add from all lookup local2
ip rule add fwmark 1 lookup dmz

This will send any traffic with the public IP out over your LAN interface _IF_ it is marked with the value 1. Otherwise it will operate just like normal. Now you should set up your NAT settings for the network. Set it up without anything special for the DMZ. Do it as if there was no DMZ and you were just performing SNAT for the entire private network.

Then, add the rule to mark traffic you want to go to the dmz. 

iptables -t mangle -A PREROUTING -d 2.2.2.2 -j MARK --set-mark 1

Pretty simple eh? I've never tested it, but in theory it should work. 

Hope that helps,
- Matt
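The recipe in the reply above, written out as one script. This is an added example and not code from the original thread or from either poster. It keeps the post's placeholders (2.2.2.2 as the public address, eth1 as the LAN side) and assumes eth0 as the WAN side, 192.168.0.0/24 as the private LAN, table ids 200 and 201, an iptables with the conntrack match and the CONNMARK target, and a kernel that has the src_valid_mark sysctl (newer than the 2.4/2.6 kernels the thread discusses). It departs from the post in two places, each noted in a comment: the two `ip rule` lines get explicit preferences so that the dmz table is always consulted before local2, and marking is done per connection with CONNMARK rather than with a single `-d 2.2.2.2` MARK rule, because that rule would also divert replies to the router's own connections to the DMZ host. With DRY_RUN=1 (the default) it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original thread): the policy-routing recipe from
# the reply above as one script. The values below are assumptions about the
# setup; 2.2.2.2 and eth1 are the placeholders used in the post.
PUBLIC_IP=${PUBLIC_IP:-2.2.2.2}      # ISP address shared by router and DMZ host
WAN_IF=${WAN_IF:-eth0}               # interface that carries PUBLIC_IP
LAN_IF=${LAN_IF:-eth1}               # interface towards the LAN and the DMZ host
LAN_NET=${LAN_NET:-192.168.0.0/24}   # private LAN that gets ordinary SNAT
DRY_RUN=${DRY_RUN:-1}                # 1 = print the commands, 0 = run them (root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# add_table ID NAME: give a routing table a name usable by ip rule / ip route.
# The ids are assumptions; 253-255 are already default/main/local.
add_table() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'echo "%s %s" >> /etc/iproute2/rt_tables\n' "$1" "$2"
    elif ! grep -q "^$1[[:space:]]*$2\$" /etc/iproute2/rt_tables; then
        echo "$1 $2" >> /etc/iproute2/rt_tables
    fi
}

setup_routing() {
    add_table 200 local2
    add_table 201 dmz
    # Take the kernel's "local" route for the public address out of the local
    # table (consulted first, for every packet) and park it in local2. The
    # kernel puts it back if the address is removed and re-added, so this has
    # to be repeated after reconfiguring WAN_IF.
    run ip route del local "$PUBLIC_IP" dev "$WAN_IF" table local
    run ip route add local "$PUBLIC_IP" dev "$WAN_IF" table local2
    # Marked packets for the public address are forwarded out the LAN side.
    run ip route add "$PUBLIC_IP" dev "$LAN_IF" table dmz
    # Pin the order (the post relies on iptables/iproute2 defaults): dmz must
    # be tried before local2, or a marked packet is still delivered locally.
    run ip rule add fwmark 1 lookup dmz pref 100
    run ip rule add from all lookup local2 pref 200
    run ip route flush cache
    # Packets from the DMZ host carry a source address that is local to the
    # router; let the reverse-path check on LAN_IF use the fwmark so they
    # resolve via the dmz table instead of being dropped as martians.
    run sysctl -w "net.ipv4.conf.$LAN_IF.src_valid_mark=1"
}

setup_netfilter() {
    # Ordinary SNAT for the private LAN. The DMZ host already sends from
    # PUBLIC_IP, so it never matches; conntrack still tracks its connections,
    # which keeps SNAT from reusing a source port the DMZ host has in use.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" \
        -j SNAT --to-source "$PUBLIC_IP"
    # Mark per connection instead of per packet: a plain "-d PUBLIC_IP" MARK
    # rule would also send replies to the router's own connections to the
    # DMZ host. Unsolicited connections arriving from the WAN ...
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
    # ... and connections the DMZ host opens itself get connmark 1,
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$PUBLIC_IP" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
    # and every packet inherits its connection's mark before routing.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
}

main() {
    if [ "$DRY_RUN" != 1 ] && [ "$(id -u)" -ne 0 ]; then
        echo "run as root, or with DRY_RUN=1 to review the commands" >&2
        return 1
    fi
    setup_routing && setup_netfilter
}

main
```

After applying it, `ip rule show` should list the fwmark rule ahead of the local2 rule, and `ip route show table dmz` the single host route out the LAN interface. If the DMZ host can receive but not send, set `net.ipv4.conf.<LAN_IF>.log_martians=1` and look for "martian source" in the kernel log; that is the reverse-path check rejecting the router-local source address. Every unsolicited connection to the public address now reaches the DMZ host, including ones meant for services on the router itself, so anything that must stay reachable from the WAN needs a `-j RETURN` rule for its port inserted before the first CONNMARK rule.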


----- Original Message -----
From: John Wigley <johnwigley@xxxxxxxxxxxx>
Date: Tuesday, June 21, 2005 10:41 am
Subject: Q: Routing the Same IP simultaneously on different computers ?

> Hi,
> 
> I've asked this elsewhere and received hints but no one seems to have a concrete explanation:
> 
> What I am looking to do is to be able to configure a Linux based router to be able to share THE SAME SINGLE Public IP address between the Linux router and a single computer on the LAN acting as the DMZ host (NOT normal NAT IP sharing!).
> 
> So basically you have a Linux router with two network ports, WAN and LAN. The router takes the single ISP assigned public IP address for its WAN interface and then uses a non routable subnet for the LAN port. There are a number of machines on the LAN segment and the Linux router is performing NAT for them so that they have internet connectivity - so far this is a standard normal setup.
> 
> Now what I want to do is to simultaneously assign that SAME PUBLIC IP address onto one of the LAN computers so that it for all intents and purposes is a DMZ host.
> 
> Before anyone says that this is mad and that it can't be done, it can be done perfectly well and all WESTELL ADSL / Ethernet routers have this functionality along with some no name Far Eastern origin broadband routers based on a Conexant OEM reference design.
> 
> Having thought long and hard about how to do this but not knowing NetFilter at all, I realised that the way this must be done is for the router to perform a standard NAT function with the added functions of tracking all outgoing connections from the DMZ host and entering those into the NAT table as well, so that it doesn't try to do a Port Address Translation on top of an existing outgoing connection from the DMZ host. For incoming connections, if the incoming packet has a reference in the NAT table then it is directed to the originating LAN machine and if not is passed through unmodified to the DMZ host.
> 
> I have spent much time googling and reading list postings but cannot find any reference on how to do this under Linux; my guess is that Proxy ARP needs to be enabled on the LAN interface and then a 1:1 POST NAT mapping set to remap all the packets for the DMZ host back to the original public IP address, but after that I'm stuck.
> 
> This is an incredibly useful feature which I've used on the Westell routers for some time, but now want to move to a Linux based router to be able to do QoS, as it allows all the benefits of NAT for sharing a single IP address but also the benefits of a routed connection for NAT unaware applications like IPSEC AH, and some VOIP implementations.
> 
> Any advice on setting this up would be much appreciated,
> 
> Thanks,
> 
> John Wigley
> 
> 
> _______________________________________________
> LARTC mailing list
> LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> 

