* VLANs and DNAT
@ 2003-07-24 23:40 Damien Mason
From: Damien Mason @ 2003-07-24 23:40 UTC (permalink / raw)
To: netfilter
Hi Everyone,
I have two interfaces, eth1 and eth2
I have multiple vlans on eth1, that is, eth1.1 and eth1.2, eth1.3
Eth2 is the external interface to the internet.
Vlan1 uses the following network address: 192.168.50.0/24
Vlan2 uses the following network address: 192.168.50.0/24 also
Vlan3 uses the following network address: 192.168.10.0/24
I have NAT working for the vlans, that is, clients are able to access
the external internet using nat.
However, there are servers on Vlan2 which I would like to forward
traffic to from the external interface, I would imagine that I could do
something like:
iptables -A PREROUTING -t nat -p tcp -d 203.221.181.27 --dport 80 -j DNAT --to 192.168.50.10:80
But I cannot specify an interface -i eth1.2 in the prerouting, because
it occurs pre-routing?
How can I forward traffic to a host on a vlan when the vlans don't
use unique addressing schemes?.. I was thinking I may have to -j
REDIRECT the traffic to another chain, and forward it from there?
Any Ideas or solutions would be most appreciated :)
Thanks in advance,
Damien Mason
--
Best Regards,
Damien Mason
SuSE Systems Specialist
SuSE Linux Asia-Pacific
2-6 Waltham Street
Artarmon, NSW 2064, Australia
Telephone: (612) 943 943 94 ext 246
Facsimile: (612) 9437 3839
Email: kinetic@suse.net.au
Web: http://www.suse.net.au./
* Re: VLANs and DNAT
From: Chris Wilson @ 2003-07-25 10:17 UTC (permalink / raw)
To: Damien Mason; +Cc: netfilter
Hi Damien,
> I have two interfaces, eth1 and eth2
>
> I have multiple vlans on a eth1, that is, eth1.1 and eth1.2, eth1.3
[...]
> However, there are servers on Vlan2 which I would like to forward
> traffic to from the external interface, I would imagine that I could do
> something like:
>
> iptables -A PREROUTING -t nat -p tcp -d 203.221.181.27 --dport 80 -j DNAT --to 192.168.50.10:80
>
> But I cannot specify an interface -i eth1.2 in the prerouting, because
> it occurs pre-routing?
I don't see why you can't do this. We do it and it works. You might get a
warning about "strange characters in interface name" if you have an old
iptables version, but it should still work.
> How can I forward traffic to a host on a vlan when the vlans don't
> use unique addressing schemes?.. I was thinking I may have to -j
> REDIRECT the traffic to another chain, and forward it from there?
I don't think the REDIRECT target would help you here.
Cheers, Chris.
--
___ __ _
/ __// / ,__(_)_ | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |
* Re: VLANs and DNAT
From: Ramin Dousti @ 2003-07-25 13:40 UTC (permalink / raw)
To: Chris Wilson; +Cc: Damien Mason, netfilter
On Fri, Jul 25, 2003 at 11:17:57AM +0100, Chris Wilson wrote:
> > But I cannot specify an interface -i eth1.2 in the prerouting, because
> > it occurs pre-routing?
>
> I don't see why you can't do this. We do it and it works. You might get a
> warning about "strange characters in interface name" if you have an old
> iptables version, but it should still work.
This is a typo. What he meant was "-o"...
> > How can I forward traffic to a host on a vlan when the vlans don't
> > use unique addressing schemes?.. I was thinking I may have to -j
> > REDIRECT the traffic to another chain, and forward it from there?
>
> I don't think the REDIRECT target would help you here.
Absolutely. REDIRECT has nothing to do with "REDIRECT the traffic to
another chain".
Ramin
>
> Cheers, Chris.
* Re: VLANs and DNAT
From: Chris Wilson @ 2003-07-25 13:54 UTC (permalink / raw)
To: Ramin Dousti; +Cc: Damien Mason, netfilter
Hi Ramin,
> > > But I cannot specify an interface -i eth1.2 in the prerouting, because
> > > it occurs pre-routing?
>
> This is a typo. What he meant was "-o"...
OK, I see now.
Damien, how about you forget about having identical routes on the two
separate VLANs, which is likely to give you trouble anyway, and have
static host routes to the individual servers on each VLAN. Then you will
know from the new destination address (e.g. 192.168.50.10 in your example)
exactly which VLAN the packet will be routed out over, because there is
just one host route which it could take. So you don't need to match the
destination interface name at all.
Cheers, Chris.
--
___ __ _
/ __// / ,__(_)_ | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |
* RE: VLANs and DNAT
From: Damien Mason @ 2003-07-26 16:07 UTC (permalink / raw)
To: netfilter
Hi Chris, Ramin,
Thanks, I've been reading up heaps over the last day. I had an inkling that
that's probably what I'd have to do (marking the packets); should be fun!
Yes, I meant -o output interface (there is no output interface on
prerouting, of course).
Chris,
The reason we have multiple non-unique addressing schemes on the vlans is
because they're from multiple client sites. It's just not practical for us to go
in and change the entire addressing scheme for 200 client sites, each of
which would consist of more than 50 hosts that all rely on each other, some
with no DNS; it would be a nightmare to administer, at least in the limited
time period I have available.
Basically, vlan connections to all our client sites will be handed to us
via an 802.1q trunk. Each of those sites has a router with an external IP of
something like 10.1.1.1, so the network route would look like the routing
table below:
See Diagram if you feel so inclined :) - thanks.
http://www.suse.net.au/secretpics/network_schematic.gif
-----------------------------------------------
Kernel IP routing table
Destination     Gateway      Genmask          Flags Metric Ref Use Iface
# client 1
192.168.10.0    10.1.1.1     255.255.255.224  U     0      0   0   eth1.1
192.168.10.32   10.1.1.2     255.255.255.224  U     0      0   0   eth1.2
192.168.10.64   10.1.1.3     255.255.255.224  U     0      0   0   eth1.3
192.168.10.96   10.1.1.4     255.255.255.224  U     0      0   0   eth1.4
# client 2
192.168.10.0    10.1.1.5     255.255.255.128  U     0      0   0   eth1.5
192.168.10.128  10.1.1.6     255.255.255.128  U     0      0   0   eth1.6
# client 3
192.168.10.0    10.1.1.7     255.255.255.128  U     0      0   0   eth1.7
192.168.10.128  10.1.1.8     255.255.255.128  U     0      0   0   eth1.8
# default gateway
0.0.0.0         $defaultgw   0.0.0.0          UG    0      0   0   eth2
...
dmz routing, similar to vlan routing above, with unique ips
...
-----------------------------------------------
So Chris - I can't make a route to a host, because multiple hosts exist
using the same ips, on different client LANs. (thankfully each client (not
site) will use different network address ranges).
Like Ramin suggests, the only way I can see to do this, since the routing
table is shared by all interfaces, is to force the packet out a certain
interface only in postrouting, by marking the packet, dnat the packet, then
forcing the packet -o eth1.x based on the mark.
The only other way I could see to do this would be to have separate routing
tables set up for each client on the same firewall (each client can have
multiple vlans) and a virtual gateway to route between them. ... But I
don't think this is possible... at least I've never seen it done.
Ramin, how would the packet know how to get to its destination, even if a
postrouting rule is applied? As I understand it, a packet will traverse
down the routing table until it finds a matching route, and then route
itself using that entry in the table.
Basically I want to enable an external client from anywhere on the internet,
to be able to access that server 192.168.10.5 on Client 2. (see diagram).
Ramin, say the packet traverses the routing table until it finds a matching
route to 192.168.10.5 (which it'll find at position 1:
192.168.10.0    10.1.1.1     255.255.255.224  U     0      0   0   eth1.1
That's fine, but the postrouting rule will tell it to go out interface
eth1.5. What's going to happen then? Will the packet just get dropped?
Will it really get forced out eth1.5 like it's supposed to, and does it even
remember the routing table says it's going to go out eth1.1 postrouting
anyway?
Thanks in advance everyone,
Damien Mason
SuSE Asia-Pacific
kinetic@suse.net.au
http://www.suse.net.au./
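An added example (not code from the thread or any of its posters) of the mark-then-DNAT approach Damien sketches, with one difference: the mark is set in mangle PREROUTING, before the routing decision, and iproute2 policy routing (`ip rule ... fwmark`) gives each client its own routing table, so overlapping client subnets never have to share the main table. The public port, the table numbering (100 + client id) and the DRY_RUN wrapper are assumptions; the addresses and interface names come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: publish a server on an overlapping
# VLAN subnet via DNAT, choosing the egress VLAN with a per-client routing
# table selected by fwmark (iproute2 policy routing) instead of the shared
# main table. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them.
DRY_RUN="${DRY_RUN:-1}"
EXT_IF=eth2                 # external interface, as in the thread
PUBLIC_IP=203.221.181.27    # public address from the thread (placeholder)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# client_table CLIENT_ID VLAN_IF GATEWAY SUBNET
# Each client gets routing table 100+ID (numbering is an assumption), so two
# clients using 192.168.10.0/25 never collide in the main table.
client_table() {
    client=$1; vif=$2; gw=$3; subnet=$4; table=$((100 + client))
    run ip route replace "$subnet" via "$gw" dev "$vif" table "$table"
    # Packets carrying mark ID are looked up in that table before main.
    run ip rule add fwmark "$client" table "$table"
}

# publish_service CLIENT_ID PUBLIC_PORT INTERNAL_IP INTERNAL_PORT VLAN_IF
publish_service() {
    client=$1; pport=$2; iip=$3; iport=$4; vif=$5
    # Mark in mangle PREROUTING: runs before nat PREROUTING and before the
    # routing decision, so the public address is still the destination here.
    run iptables -t mangle -A PREROUTING -i "$EXT_IF" -p tcp -d "$PUBLIC_IP" \
        --dport "$pport" -j MARK --set-mark "$client"
    # DNAT rewrites the destination; the route lookup then uses the new
    # address plus the mark, which is what picks eth1.x for this client.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$PUBLIC_IP" \
        --dport "$pport" -j DNAT --to-destination "$iip:$iport"
    # Permit only this forwarded flow toward that VLAN (replies are covered
    # by the ESTABLISHED,RELATED rule added in setup_forward).
    run iptables -A FORWARD -i "$EXT_IF" -o "$vif" -p tcp -d "$iip" \
        --dport "$iport" -m state --state NEW -j ACCEPT
}

setup_forward() {
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Client 2's server 192.168.10.5 behind eth1.5 (gateway 10.1.1.5, from the
# thread's routing table), published on public port 8080 (port is an example).
setup_forward
client_table 2 eth1.5 10.1.1.5 192.168.10.0/25
publish_service 2 8080 192.168.10.5 80 eth1.5
```

Run it as-is to review the generated rules; with DRY_RUN=0 and root it applies them, and `ip route show table 102` then shows only client 2's routes.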