Re: Static bidirectional static NAT for duplicate IP devices using iptables

On Sat, Feb 15, 2025 at 1:57 AM Alon Bar-Lev <alon.barlev@xxxxxxxxx> wrote:
>
> Hello,
>
> I am sure this was addressed before; I tried to find relevant
> information but could not. I appreciate any assistance.
>
> Constraints
>
> * Two devices with the same IP, this cannot be changed.
> * Devices do not have a default router, they must communicate with
> applications on the same IP network.
> * Host applications should access the two devices using UDP and TCP
> based protocols.
>
> Network Solution
>
> * To avoid address conflict, each device resides on a different VLAN.
>
> APPLICATION -->
> Kernel -->
> * v10@eth0 - interface on VLAN=10
> * v11@eth0 - interface on VLAN=11
>
> Switch -->
> * Port1 VLAN=10
>   * DEVICE1 [10.0.0.10]
> * Port2 VLAN=11
>   * DEVICE2 [10.0.0.10]
>
> Diagram [In fixed width font]:
> ---
> ,-----------+--------.       ,----------+-+--------.
> |           |v10@eth0|.......|          |1|VLAN=10 |---DEVICE1 [10.0.0.10]
> |APPLICATION|    eth0|-------|   Switch +-+--------+
> |           |v11@eth0|.......|          |2|VLAN=11 |---DEVICE2 [10.0.0.10]
> `-----------+--------'       `----------+-+--------'
> ---
>
> I would like to have a bidirectional static NAT so that per
> application point of view:
> * DEVICE1 will be 192.168.110.10
> * DEVICE2 will be 192.168.111.10
> And per device point of view:
> * APPLICATION will be 10.0.0.11
>
> I thought of having v10@eth0 address 192.168.110.1 and v11@eth0
> address 192.168.111.0, however, I am unsure how to set up the
> bidirectional translation to the device virtual address using SNAT
> without creating duplicate addresses.
>
> Any assistance will be appreciated.
>
> Regards,
> Alon Bar-Lev

Hi,

I made some progress using nftables which is nicer and simpler than
iptables for this mission.
However, I am unable to figure out how to rewrite the ARP
request/reply; there are no good examples of how to use ARP rewrite.
I need to rewrite the ARP request to be the same as the translation.

This is the configuration I reached so far; v10 is the interface of
VLAN 10 and v11 is the interface of VLAN 11.

v10:
   Host: 10.0.0.11<=>192.168.110.11
   Device: 10.0.0.10<=>192.168.110.10
v11:
   Host: 10.0.0.11<=>192.168.111.11
   Device: 10.0.0.10<=>192.168.111.10

table ip mytable {
        chain prerouting {
                # Stateless 1:1 rewrite of packets arriving from the devices.
                # Priority -300 (raw) runs before conntrack (-200), so conntrack
                # and later filter rules only ever see the translated addresses.
                type filter hook prerouting priority -300; policy accept;
                # Destination: the shared host address 10.0.0.11 becomes the
                # per-VLAN host address the application is bound to.
                iifname "v10" ip daddr 10.0.0.11 ip daddr set 192.168.110.11
                iifname "v11" ip daddr 10.0.0.11 ip daddr set 192.168.111.11
                # Source: the duplicate device address 10.0.0.10 becomes a
                # unique per-VLAN address, so the application can tell them apart.
                # nft recomputes the IP header checksum and the TCP/UDP
                # pseudo-header checksum for ip saddr/daddr payload sets.
                iifname "v10" ip saddr 10.0.0.10 ip saddr set 192.168.110.10
                iifname "v11" ip saddr 10.0.0.10 ip saddr set 192.168.111.10
        }
        chain output {
                # Reverse mapping for locally generated packets. The output hook
                # runs after the route lookup, so the per-VLAN destination has
                # already selected v10 or v11 before it is rewritten back.
                type filter hook output priority -300; policy accept;
                ip saddr 192.168.110.11 ip saddr set 10.0.0.11
                ip saddr 192.168.111.11 ip saddr set 10.0.0.11
                ip daddr 192.168.110.10 ip daddr set 10.0.0.10
                ip daddr 192.168.111.10 ip daddr set 10.0.0.10
        }
}

Now I just need to figure out how to manage the ARP.

Regards,
Alon
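The ARP half of the mapping, as an added example that is not part of the message above and has not been run against this setup: the ip-family table above never sees ARP, so the kernel's neighbour code still asks "who has 192.168.110.10" on v10, which DEVICE1 (10.0.0.10) will not answer, and the device's own request for 10.0.0.11 is never matched to the host. The arp family in nftables exposes the same payload-set statement on the ARP sender/target IP fields (no checksum to fix up, since ARP has none), so a companion table can apply the identical 1:1 translation in the arp input hook (before neighbour processing) and the arp output hook (before transmission). It assumes the interface names and addresses from the post, that 192.168.110.11 is configured on v10 and 192.168.111.11 on v11, and that the running kernel and nft accept payload sets on arp fields; the table name "arpnat" is chosen here.

```nft
# Added example (not from the thread): arp-family companion to "table ip mytable".
# Assumes 192.168.110.11 on v10 and 192.168.111.11 on v11; the device on each
# VLAN is 10.0.0.10 and expects the host at 10.0.0.11.
table arp arpnat {
        chain input {
                # ARP frames from the devices. The input hook runs before the
                # neighbour code, so a reply "10.0.0.10 is-at <mac>" on v10 is
                # learnt as 192.168.110.10, the address the route lookup used.
                type filter hook input priority -300; policy accept;
                iifname "v10" arp saddr ip 10.0.0.10 arp saddr ip set 192.168.110.10
                iifname "v10" arp daddr ip 10.0.0.11 arp daddr ip set 192.168.110.11
                iifname "v11" arp saddr ip 10.0.0.10 arp saddr ip set 192.168.111.10
                iifname "v11" arp daddr ip 10.0.0.11 arp daddr ip set 192.168.111.11
        }
        chain output {
                # ARP frames to the devices. Undo the mapping so the device sees
                # "who has 10.0.0.10 tell 10.0.0.11" and learns the host as 10.0.0.11.
                type filter hook output priority -300; policy accept;
                oifname "v10" arp saddr ip 192.168.110.11 arp saddr ip set 10.0.0.11
                oifname "v10" arp daddr ip 192.168.110.10 arp daddr ip set 10.0.0.10
                oifname "v11" arp saddr ip 192.168.111.11 arp saddr ip set 10.0.0.11
                oifname "v11" arp daddr ip 192.168.111.10 arp daddr ip set 10.0.0.10
        }
}
```

Hardware addresses are left untouched, since both devices have real, distinct MACs. Load both tables from one file and syntax-check first with `nft -c -f <file>`; `tcpdump -ni v10 arp` on the host should then show requests for 10.0.0.10 leaving and replies being learnt under 192.168.110.10 in `ip neigh show dev v10`. Because both tables translate statelessly at raw priority, nothing here creates conntrack entries for the mapping: any ct-based filtering must be written against the 192.168.110.x/192.168.111.x addresses, which is also what makes the two devices distinguishable to the host in the first place.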
