
Re: Routing problem



On Sat, Aug 31, 2002 at 09:29:36PM -0500, Nate Reindl wrote:
> I see that everyone and their damned uncle is hellbent on doing NAT
> between an outside world IP and a handful of private addresses on a
> LAN, but what I'm wanting to do is make use of the rest of my subnet.
> Currently, I'm using only one address while I have five virgin ones
> waiting for action that I'm obviously not using at the present moment.

OK, let's examine this.  Say the address of eth0 on your firewall is
42.8.31.2, with a netmask of 255.255.255.248, and the gateway is
42.8.31.1.

Time for some bad ASCII art:

                            ^ gateway 42.8.31.1
                            |   _
                            |  |  Cable
                            |<-|
                            |  |_ 42.8.31.0/29
                            |
                            |
                       eth0 |<- 42.8.31.2
                       +-----------+
                       | firewall  |
                       +-----------+

Now, given that you can't *really* route any of the addresses
42.8.31.3 through 42.8.31.6, by far the simplest way to make them
usable is to set up aliased interfaces on eth0 with each of the
addresses, then NAT them somewhere useful.

For example, let's say you have a DMZ with a mail server at
172.16.0.1, and your internal network is 192.168.0.0/24...

     ^ gateway 42.8.31.1
     |   _
     |  |  Cable
     |<-|
     |  |_ 42.8.31.0/29
     |
     |
eth0 |<- 42.8.31.2, 42.8.31.3
+-----------+<- 172.16.0.1                          +-------------+
| firewall  |---------------------------------------| mail server |
+-----------+ eth2         ^  _                    ^+-------------+
eth1 |<- 192.168.0.1       | |  DMZ                |
     |                     \_|                     +- 172.16.0.2
     |                       |_ 172.16.0.0/24
 Internal
  network

So the firewall rules in the nat table might look something like this:

    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT \
        --to 42.8.31.2
    iptables -t nat -A PREROUTING -i eth0 -d 42.8.31.3 -j DNAT \
        --to 172.16.0.2

Now the not-so-easy way to do this is to kind-of route to the
individual addresses.  Unfortunately, doing this is *way* more trouble
than it is worth usually.  The only reason you'd want to do this is if
you had an application that just really didn't want to work through
NAT.

First what you have to do is give all the world-visible boxes real
addresses.  Set the netmask to 255.255.255.255 to make a
point-to-point connection.  That way you don't waste addresses on
internal routing.

     ^ gateway 42.8.31.1
     |   _
     |  |  Cable
     |<-|
     |  |_ 42.8.31.0/29
     |
     |
eth0 |<- 42.8.31.2
+-----------+<- 42.8.31.2/255.255.255.255           +-------------+
| firewall  |---------------------------------------| mail server |
+-----------+ eth2         ^                       ^+-------------+
eth1 |<- 192.168.0.1       |                       |
     |                     +- DMZ                  +- 42.8.31.3/255.255.255.255
     |
 Internal
  network

One warning...  If the mail server is Red Hat, don't expect the
routing to work perfectly.  The Red Hat network init scripts don't
quite seem to handle point-to-point on ethernet quite right.  You can
easily fix it by creating a script /sbin/ifup-local that contains
this:

    #!/bin/sh

    # We're assuming $GATEWAYDEV is eth0.
    [ "$1" = "eth0" ] || exit 0

    [ -f /etc/sysconfig/network ] && . /etc/sysconfig/network
    [ -f /etc/sysconfig/network-scripts/ifcfg-eth0 ] \
        && . /etc/sysconfig/network-scripts/ifcfg-eth0

    if [ -n "$GATEWAY" ]; then
        route del default
        route add default gw $GATEWAY dev eth0
    fi

In order to get the remote gateway to know to send packets going to
your mail server to your firewall, the firewall has to proxy ARP for
the address of the mail server.  /sbin/ifup-local on the firewall
would need to look something like this:

    #!/bin/sh

    if [ "$1" = eth2 ]; then
        arp -Ds 42.8.31.3 eth0 pub
    fi

Or, if you want to set up proxy ARP for all of the remaining addresses
in your block...

    #!/bin/sh

    if [ "$1" = eth2 ]; then
        # Publish 42.8.31.3 through 42.8.31.6 on eth0.
        n=3
        while [ $n -lt 7 ]; do
            arp -Ds 42.8.31.$n eth0 pub
            # POSIX arithmetic; "(( n++ ))" is a bashism and fails under a strict /bin/sh.
            n=$((n + 1))
        done
    fi

(OK, I know it would have been fewer lines to just duplicate the arp
line 3 times, but I wanted to give you all a realistic example of
doing math on shell variables.  There's your lesson in shell scripting
for today.  ;-)

Sorry for the copious amounts of hand-waving, but this mail is long
enough as it is.  If I need to explain something better, let me know.

Steve
-- 
steve@silug.org           | Southern Illinois Linux Users Group
(618)398-7360             | See web site for meeting details.
Steven Pritchard          | http://www.silug.org/

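As an added example that is not part of Steve's mail, the following POSIX sh script generalises the two mechanisms above, the alias-plus-NAT approach and the proxy ARP loop, to any small public block: it computes the spare host addresses from the prefix length instead of hard-coding 3 through 6, emits the alias, DNAT and SNAT commands for each public-to-DMZ mapping, and refuses a mapping whose public side is outside the block or whose private side is inside it. The block, gateway, firewall and mail-server addresses are the ones from the mail; the `ifconfig eth0:N` alias syntax and the interface names are assumptions, and the script only prints the commands rather than running them.

```shell
#!/bin/sh
# Added example, not from Steve's mail. Dry-run planner for the
# "alias + NAT" layout and the proxy ARP entries, using only POSIX sh.
# Addresses are the ones in the mail; interface names are assumed.

# dotted quad -> 32-bit integer
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_mask PREFIXLEN -> netmask as an integer (29 -> 255.255.255.248)
prefix_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# in_block ADDR NET/PREFIX -> exit 0 if ADDR lies inside NET/PREFIX
in_block() {
    _net=${2%/*}; _mask=$(prefix_mask "${2#*/}")
    [ $(( $(ip2int "$1") & _mask )) -eq $(( $(ip2int "$_net") & _mask )) ]
}

# spare_addrs NET/PREFIX GATEWAY FIREWALL -> host addresses in the block
# that are neither the gateway nor the firewall's own address
spare_addrs() {
    _net=${1%/*}; _mask=$(prefix_mask "${1#*/}")
    _first=$(( $(ip2int "$_net") & _mask ))       # network address
    _last=$(( _first | (4294967295 & ~_mask) ))   # broadcast address
    _gw=$(ip2int "$2"); _fw=$(ip2int "$3")
    _out=""
    _i=$(( _first + 1 ))
    while [ "$_i" -lt "$_last" ]; do
        if [ "$_i" -ne "$_gw" ] && [ "$_i" -ne "$_fw" ]; then
            _out="$_out $(int2ip "$_i")"
        fi
        _i=$(( _i + 1 ))
    done
    echo "${_out# }"
}

# nat_plan NET/PREFIX GATEWAY FIREWALL IFACE PUBLIC=PRIVATE ...
# One alias per public address, a DNAT rule for inbound traffic and an
# SNAT rule so the DMZ host's replies leave from the same public address.
nat_plan() {
    _blk=$1; _gw=$2; _fw=$3; _if=$4; shift 4
    _nm=$(int2ip "$(prefix_mask "${_blk#*/}")")
    _n=0
    for _m in "$@"; do
        _pub=${_m%=*}; _priv=${_m#*=}
        if ! in_block "$_pub" "$_blk" || in_block "$_priv" "$_blk"; then
            echo "bad mapping: $_m" >&2
            return 1
        fi
        _n=$(( _n + 1 ))
        echo "ifconfig $_if:$_n $_pub netmask $_nm"
        echo "iptables -t nat -A PREROUTING -i $_if -d $_pub -j DNAT --to $_priv"
        echo "iptables -t nat -A POSTROUTING -o $_if -s $_priv -j SNAT --to $_pub"
    done
}

# proxy_arp_plan NET/PREFIX GATEWAY FIREWALL IFACE -> one "arp -Ds ... pub"
# line per spare address (the mail's while loop, driven by the block size)
proxy_arp_plan() {
    for _a in $(spare_addrs "$1" "$2" "$3"); do
        echo "arp -Ds $_a $4 pub"
    done
}

# Dry run for the layout in the mail.
echo "# spare addresses: $(spare_addrs 42.8.31.0/29 42.8.31.1 42.8.31.2)"
nat_plan 42.8.31.0/29 42.8.31.1 42.8.31.2 eth0 42.8.31.3=172.16.0.2
proxy_arp_plan 42.8.31.0/29 42.8.31.1 42.8.31.2 eth0
```

Pipe the output into `sh` only after reading it; the check in `nat_plan` catches a public address that is not yours and a "private" target that is actually one of the public addresses, both of which would otherwise produce rules that silently black-hole traffic.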