Re: DNAT & ARP

I'll answer in your text.

On Mon, 2004-07-19 at 11:31, Yaron Presente wrote:
> Hi John,
> OK, That's exactly what I'm trying to do and the idea is interesting.
> However, there are 2 problems that I currently see in this solution:
> a. I need to know exactly which hosts of the 1.1.1.0/24 are fake and to 
> explicitly define them on eth0. I cannot add the whole range because I may 
> get into conflict with real 1.1.1.0/24 hosts that are located on my eth0 
> interface.
Yes - you do need to define each.  I do not know of a way off hand to
have a device respond to all addresses on a subnet in a single command.
> b. Because there are many secondaries on eth0 that belong to the same 
> subnet, I can not guarantee that my host will always use the right one 
> (1.1.1.5) to talk to the outer world.
I'm not sure of the details here but I have never had a problem.  I
believe the device will always use the first address bound to the
interface which pertains to the destination address unless explicitly
told to do otherwise by the policy routing features of iproute2.  Can
anyone confirm that assumption?
> Am I right?
> Yaron
> 
> John A. Sullivan III wrote:
> 
> >Yes, I think there is some misunderstanding there.  My apologies. Let me
> >be a little more specific.
> >
> >Let's assume that you have a gateway with a public address of 1.1.1.5 on
> >the network 1.1.1.0/24 and bound to interface eth0 and that it protects
> >the private network 10.1.1.0/24 with a second interface, eth1, to which
> >is bound the private address 10.1.1.1.  Now let's also say that I have
> >internal hosts at 10.1.1.8, 10.1.1.3, 10.1.1.6 and 10.1.1.13.  I wish to
> >NAT these to the world at the addresses 1.1.1.8,1.1.1.3, 1.1.1.6 and
> >1.1.1.13 respectively.  Is that what you are trying to do?
> >
> >To do so, I would create a script on the NAT gateway to run the
> >commands:
> >
> >ip address add 1.1.1.8/24 brd + dev eth0
> >ip address add 1.1.1.3/24 brd + dev eth0
> >ip address add 1.1.1.6/24 brd + dev eth0
> >ip address add 1.1.1.13/24 brd + dev eth0
> >
> >eth0 will now respond to ARP requests for all those addresses as well as
> >1.1.1.5.  The subsequent packets will be dutifully passed to netfilter
> >which will NAT them to 10.1.1.8, 10.1.1.3, 10.1.1.6 and 10.1.1.13 and
> >route them on their way (assuming forwarding is enabled).
> >
> >I hope I have not misunderstood what you are trying to do - John
> >
> >On Mon, 2004-07-19 at 10:16, Yaron Presente wrote:
> >  
> >
> >>Hi John,
> >>Thanks for your reply.
> >>However, I'm not sure that it solves my problem (unless I
> >>misunderstood you).
> >>Looking at your numeric example, let's say that I want to DNAT from
> >>10.1.1.0/24 to 1.1.1.0/24,
> >>and that my public interface address is 10.1.1.5. 
> >>I need to reply to ARP for all hosts in 10.1.1.0/24, but without proxy
> >>arp I will only reply to my own address 10.1.1.5.
> >>I don't think that adding the private range (1.1.1.0/24) to the public
> >>interface will do any good :(
> >>Thanks,
> >>Yaron
> >>
> >>John A. Sullivan III wrote:
> >>    
> >>
> >>>On Sun, 2004-07-18 at 05:52, Yaron Presente wrote:
> >>>  
> >>>      
> >>>
> >>>>Hi All,
> >>>>I have a linux box (Montavista 2.4.18), which is connected to the 
> >>>>external world through an IP subnet A.
> >>>>I want to DNAT this subnet A to a private subnet B, and to do this I 
> >>>>need to support proxy arp for hosts in class A, which don't actually exist.
> >>>>My problems are all ARP related:
> >>>>1. I want to reply to ARP requests for hosts on subnet A. Looking at the 
> >>>>arp code in net/ipv4/arp.c, it seems that
> >>>>this should have been the default behaviour (i.e. 
> >>>>(rt->rt_flags&RTCF_DNAT) behaves the same as if a proxy arp was defined
> >>>>on the interface). However, testing shows that Linux doesn't reply. 
> >>>>Why?
> >>>>2. To overcome the first problem, I can enable proxy arp explicitly. 
> >>>>However, proxy arp does not answer to requests if the
> >>>>routing lookup shows that the target is located on the incoming 
> >>>>interface of the request. Any ideas?
> >>>>3. If there are real hosts of subnet A on my external interface, I do 
> >>>>not want to serve as proxy arp for them.
> >>>>Is there a way to define these exceptions to the proxy arp? Can I set a 
> >>>>big proxy_delay in /proc and hope that the real host would
> >>>>answer before my proxy?
> >>>>Any help would be appreciated.
> >>>>Thanks,
> >>>>Yaron
> >>>>    
> >>>>        
> >>>>
> >>>If I understand you correctly, it is a pretty straightforward DNAT with
> >>>exactly the proxy ARP issues you describe.  I typically handle this by
> >>>binding the DNAT address to the public NIC using iproute2.  For example,
> >>>if I NAT 10.1.1.5 to 1.1.1.5, I have the appropriate DNAT rule in
> >>>iptables and then do a 
> >>>
> >>>ip address add 1.1.1.5/24 brd + dev eth0
> >>>
> >>>or whatever parameters are appropriate.  I'm not sure if the brd + is
> >>>necessary if I already have an address for the same subnet bound to the
> >>>NIC.  Perhaps someone else can comment.
> >>>
> >>>Once ISCS is available (http://iscs.sourceforge.net), it will
> >>>automatically handle the ARP configuration when you assign a public
> >>>address to a private host.  In fact, that code works now along with
> >>>almost all the access control portion.  Good luck with it - John
> >>>  
> >>>      
> >>>
> >>-- 
> >>Yaron Presente
> >>MRV International
> >>Direct   : 972-4-9936237
> >>Fax      : 972-4-9890564
> >>Email   : ypresente@xxxxxxx
> >>www.mrv.com
> >>    
> >>
-- 
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevelopmentcorp.com
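The script below is an added example written for this archive page; it is not code from the thread, from John, or from ISCS. It puts the whole thread's recipe in one place for the topology John describes (gateway eth0 = 1.1.1.5/24 public, eth1 = 10.1.1.1/24 private, the four constructed 1:1 pairs): each public address is bound as a secondary on eth0 so eth0 answers ARP for it, and the matching iptables DNAT and SNAT rules are added. It also adds the two checks Yaron's objections call for: before binding a public address it runs iputils `arping -D` duplicate-address detection so the gateway never starts answering for an address a real 1.1.1.0/24 host already owns (concern a), and it pins the gateway's own source address with the `src` selector of `ip route` instead of relying on address ordering (concern b). The upstream router 1.1.1.1 is an assumed, constructed value. The script is a dry run by default and only executes with `APPLY=1`, which needs root.

```shell
#!/bin/sh
# Added example for the DNAT & ARP thread; not the thread's or ISCS's code.
# Assumed topology: eth0 = 1.1.1.5/24 (public), eth1 = 10.1.1.1/24 (private).
# Constructed 1:1 pairs, one "public private" per line.
NAT_PAIRS='1.1.1.8 10.1.1.8
1.1.1.3 10.1.1.3
1.1.1.6 10.1.1.6
1.1.1.13 10.1.1.13'
PUB_IF=eth0
PUB_PREFIX=24
GW_PUBLIC=1.1.1.5
PUB_GATEWAY=1.1.1.1   # assumed upstream router (constructed value)

# Dry run by default: every command is echoed. APPLY=1 executes them (root).
RUN=echo
[ "${APPLY:-0}" = 1 ] && RUN=

# address_free PUB: duplicate-address detection on the public segment so we
# never bind (and start answering ARP for) an address a real host owns.
# iputils "arping -D" exits 0 when no host replied. Dry run only prints it.
address_free() {
    if [ -n "$RUN" ]; then
        echo "arping -D -c 2 -w 3 -I $PUB_IF $1"
        return 0
    fi
    arping -D -c 2 -w 3 -I "$PUB_IF" "$1" >/dev/null 2>&1
}

# nat_commands: emit (or, with APPLY=1, apply) the full configuration.
nat_commands() {
    printf '%s\n' "$NAT_PAIRS" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        if ! address_free "$pub"; then
            echo "skip $pub: a host on $PUB_IF already answers for it" >&2
            continue
        fi
        # Bind the public address so eth0 answers ARP for it (the thread's fix).
        $RUN ip address add "$pub/$PUB_PREFIX" brd + dev "$PUB_IF"
        # Inbound: rewrite the public destination to the private host.
        $RUN iptables -t nat -A PREROUTING -i "$PUB_IF" -d "$pub" \
            -j DNAT --to-destination "$priv"
        # Outbound: the private host leaves as its own public address, not as
        # whichever eth0 address the kernel would otherwise pick.
        $RUN iptables -t nat -A POSTROUTING -o "$PUB_IF" -s "$priv" \
            -j SNAT --to-source "$pub"
    done
    # The gateway's own traffic: pin the source with the route's src selector
    # rather than relying on 1.1.1.5 being the first address on eth0.
    $RUN ip route replace default via "$PUB_GATEWAY" dev "$PUB_IF" src "$GW_PUBLIC"
    # Forwarding must be on or the DNATed packets go nowhere.
    $RUN sysctl -w net.ipv4.ip_forward=1
}

nat_commands
```

Run it once without `APPLY` to review the plan, then with `APPLY=1` on the gateway. Addresses added after the first one in a subnet are flagged secondary by the kernel and are not chosen as the default source for that subnet, which is the behaviour John describes; the `src` pin on the default route makes that choice explicit for traffic leaving the gateway itself, and the per-host SNAT rules make it explicit for the private hosts.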


