Solved

IPTables, Mangling & VPN

Posted on 2005-03-16
1,074 Views
Last Modified: 2012-06-27
Quick query, hope someone can aid me.  To give some indication of the level of competency, I have already set up a number of Linux machines with iptables, firewalling, bridging, VPN (FreeS/WAN) and various other fun bits & pieces.

My query is simply that I have found a slight problem with getting a pair of established networks to talk to each other through VPN.  The VPN itself is fine & working, the specific problem I face is that the two networks are on the same 192.168.16 subnet and there's no likelihood of changing either of the subnets.

What I can visualise is the use of the mangling tables to alter the outgoing packets such that they are of different subclasses before and after the VPN tunnel.  For example, network A might consider network B as a local IP address range of 10.10.10.0/24 and the Linux router mangles the 10.10.10.x packets to represent 192.168.16.x at some point before entering the VPN and when packets come out of the VPN, they are similarly reversed.

As a rough outline:

LAN traffic -> Linux router ethx In -> <some form of mangle> -> Linux router ipsecx Out -> etc.

etc. -> Linux router ipsecx In -> <some form of mangle> -> Linux router ethx Out -> LAN traffic.

Unfortunately I don't have access at this time to the set up, so can't follow through any suggestions but would be great if someone has documentation on this kind of set up and what is required.

... or am I just visualising an impossibility?
0
Comment
Question by:Barthax
17 Comments
 
LVL 9

Accepted Solution

by:
e-tsik earned 1000 total points
ID: 13557874
Hi :-)

What you need is something called NETMAP. It's a target that comes with the iptables distro, but it requires you to recompile iptables and include the latest patch-o-matic patch and recompile the kernel afterwards.

Another 'hairier' solution would be to use NAT

Imagine this:
Site 1:
You forward 192.168.2.X to the other side.
The request from site 1 is SNATed to 192.168.1.1
The other side DNATs 192.168.2.1 to 10.10.10.1

Site 2:
You forward 192.168.1.X to the other side.
The request from site 2 is SNATed to 192.168.2.1
The other side DNATs 192.168.1.1 to 10.10.10.1

Multiply that 254 times and you've got yourself a network map.

For Example:
If I take your schema:
LAN traffic(a) -> Linux router ethx In -> <some form of mangle>(b) -> Linux router ipsecx Out -> etc.(c)
A packet travels from a to c this way
Point A
Source IP: 10.10.10.1
Target IP: 192.168.2.134 (which will eventually be 10.10.10.134 on site 2)

Point B:
Source IP: 192.168.1.1 (was 10.10.10.1 on site 1, converted using SNAT)
Target IP: 192.168.2.134 (which will eventually be 10.10.10.134 on site 2)

Point C:
Source IP: 192.168.1.1 (was 10.10.10.1 on site 1, converted using SNAT)
Target IP: 10.10.10.134 (converted using DNAT)

Enjoy!
0
 
LVL 19

Author Comment

by:Barthax
ID: 13558635
I had briefly thought about SNAT/DNAT as that would be far more standards-compliant in approach.  The thing I had difficulty with was in retaining the host portion of the IP address in the SNAT/DNAT rules.  I've only done a very quick experiment with it and just got 'Bad' results with the command line, i.e.:

iptables -t nat -A POSTROUTING -o eth0 -s 10.10.10.*  -j SNAT --to 192.168.2.*
"Bad argument '192.168.2.*'"

iptables -t nat -A PREROUTING -i eth0 -d 192.168.2.* -j DNAT --to 10.10.10.*
"Bad IP address '10.10.10.*'"

I always use a series of my own scripts to add & remove rules, so adding every possibility specifically is possible, but at a minimum of 512 rules it's a bit much.  I realise I could create conditional rules that jump to separate tables to cut down on the number of rules the kernel has to process with each packet, but that's just going to increase the total number of rules and tables the kernel has to juggle - I've never had need to push the number of rules beyond around 50, so my experience on where the kernel may begin to have troubles is unknown to me.
0
 
LVL 19

Author Comment

by:Barthax
ID: 13558682
Oh, BTW: yes, you fully grasp the situation (apart from the IP address ranges being reversed, but that's a moot point). :D
0
 
LVL 19

Author Comment

by:Barthax
ID: 13558689
> apart from the IP address ranges being reversed, but that's a moot point

Ignore me, I'm getting myself confused! :D
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13559631
which kernel do you have, 2.4 or 2.6?
If it is FreeS/WAN I assume 2.4 ...
0
 
LVL 9

Expert Comment

by:e-tsik
ID: 13560011
yes but

iptables -t nat -A POSTROUTING -s 10.10.10.1  -j SNAT --to 192.168.2.1
iptables -t nat -A POSTROUTING -s 10.10.10.2  -j SNAT --to 192.168.2.2
iptables -t nat -A POSTROUTING -s 10.10.10.3  -j SNAT --to 192.168.2.3
iptables -t nat -A POSTROUTING -s 10.10.10.4  -j SNAT --to 192.168.2.4
iptables -t nat -A POSTROUTING -s 10.10.10.5  -j SNAT --to 192.168.2.5
iptables -t nat -A POSTROUTING -s 10.10.10.6  -j SNAT --to 192.168.2.6
iptables -t nat -A POSTROUTING -s 10.10.10.7  -j SNAT --to 192.168.2.7
iptables -t nat -A POSTROUTING -s 10.10.10.8  -j SNAT --to 192.168.2.8
...
...

Your Linux will survive. Trust me :-)

0
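A generator for the per-host SNAT/DNAT rule set that the accepted solution describes and that the rule list above spells out one host at a time, as an added example that is not code from the thread. It assumes hypothetical interface names eth0 (LAN side) and ipsec0 (tunnel side) and uses the answer's transit prefixes 192.168.1.x / 192.168.2.x; a NETMAP variant is included for comparison.

```shell
#!/bin/sh
# Added example, not code from the thread: emits, for ONE gateway, per-host
# SNAT/DNAT rules that keep the host octet (run it with the transit prefixes
# swapped on the other gateway). Assumed interface names: eth0 = LAN side,
# ipsec0 = tunnel side. Rules go to stdout for review before piping to sh.
# Addressing per the accepted answer: each site keeps its real 192.168.16.x,
# addresses the remote site as 10.10.10.x, and is seen inside the tunnel under
# its own transit prefix (192.168.1.x / 192.168.2.x), so the IPsec policy is
# 192.168.1.0/24 <-> 192.168.2.0/24 and nothing overlaps.

gen_nat_rules() {
    real=$1 alias_net=$2 my_tr=$3 peer_tr=$4   # real LAN, alias for remote, my transit, peer transit
    # Separate DNAT and SNAT chains (each target is only legal in its own
    # built-in chain) so the long lists are walked only for mapped prefixes.
    echo "iptables -t nat -N MAP_DST"
    echo "iptables -t nat -N MAP_SRC"
    echo "iptables -t nat -A PREROUTING  -i eth0   -d ${alias_net}.0/24 -j MAP_DST"
    echo "iptables -t nat -A PREROUTING  -i ipsec0 -d ${my_tr}.0/24     -j MAP_DST"
    echo "iptables -t nat -A POSTROUTING -o ipsec0 -s ${real}.0/24      -j MAP_SRC"
    echo "iptables -t nat -A POSTROUTING -o eth0   -s ${peer_tr}.0/24   -j MAP_SRC"
    i=1
    while [ "$i" -le 254 ]; do
        # LAN -> tunnel: 192.168.16.i to 10.10.10.j leaves as 192.168.1.i to 192.168.2.j
        echo "iptables -t nat -A MAP_DST -d ${alias_net}.${i} -j DNAT --to ${peer_tr}.${i}"
        echo "iptables -t nat -A MAP_SRC -s ${real}.${i} -j SNAT --to ${my_tr}.${i}"
        # tunnel -> LAN: 192.168.2.j to 192.168.1.i arrives as 10.10.10.j to 192.168.16.i
        echo "iptables -t nat -A MAP_DST -d ${my_tr}.${i} -j DNAT --to ${real}.${i}"
        echo "iptables -t nat -A MAP_SRC -s ${peer_tr}.${i} -j SNAT --to ${alias_net}.${i}"
        i=$((i + 1))
    done
}

# The same four mappings with the NETMAP target the accepted answer mentions
# (patch-o-matic on 2.4; built in to later iptables): 4 rules instead of 1016.
gen_netmap_rules() {
    real=$1 alias_net=$2 my_tr=$3 peer_tr=$4
    echo "iptables -t nat -A PREROUTING  -i eth0   -d ${alias_net}.0/24 -j NETMAP --to ${peer_tr}.0/24"
    echo "iptables -t nat -A POSTROUTING -o ipsec0 -s ${real}.0/24      -j NETMAP --to ${my_tr}.0/24"
    echo "iptables -t nat -A PREROUTING  -i ipsec0 -d ${my_tr}.0/24     -j NETMAP --to ${real}.0/24"
    echo "iptables -t nat -A POSTROUTING -o eth0   -s ${peer_tr}.0/24   -j NETMAP --to ${alias_net}.0/24"
}

# Number of generated rules, handy for a sanity check before applying.
count_rules() { gen_nat_rules "$@" | grep -c .; }

# Usage on site 1's gateway (site 2 swaps 192.168.1 and 192.168.2):
#   gen_nat_rules 192.168.16 10.10.10 192.168.1 192.168.2 | sh
```

Replies are reverse-translated by connection tracking, so only the first packet of each connection walks the MAP_DST/MAP_SRC lists; gateway-originated traffic (OUTPUT chain) is not covered here.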
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 1000 total points
ID: 13562777
e-tsik, can't follow your suggestion
if it is IPSec, then the packets are in the ipsec interface and hence can no longer be inspected with POSTROUTING (some exception with dirty hacks in transport mode still possible)
That's one reason why I asked for kernel version.
Or are you talking about any Linux except the VPN-gateway(s) itself?
0
 
LVL 19

Author Comment

by:Barthax
ID: 13564469
At the moment the implementation is a 2.4 kernel - I have no qualms about attempting an update to a 2.6 (though never have yet tried a 2.6 with FreeS/WAN) or replacing the box with a 2.6 kernel box... It's just the two existing networks cannot be changed (some third-party's proprietary code is hard-coded for 192.168.16.x!!! - that's the network addresses, as I poorly described above, not the 10.x :) ).
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13565224
BTW, I gave up with 2.6 and FreeS/WAN, mainly 'cause iptables in 2.6 is too stupid, behaves very strange with ipsec interface :-((

I assume that you have one VPN-gateway for each subnet, and not FreeS/WAN on each host in the subnet. Right?
0
 
LVL 19

Author Comment

by:Barthax
ID: 13565437
Yes - exactly correct, centralised VPN at the gateway, both ends - both ends are very trusting of each other. :)
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13566337
so why do you not simply make a second, third and so on, connection for each of your subnets
Just copy the connection scope in your ipsec.conf and adapt the values.
Or do I miss something?
0
 
LVL 19

Author Comment

by:Barthax
ID: 13566399
OK, you may be hitting upon a gap in my knowledge of the ipsec configuration then.  If I'm 192.168.16.10 and I want to connect to 192.168.16.10 at the other site, how would I achieve it through use of the ipsec.conf?
0
 
LVL 19

Author Comment

by:Barthax
ID: 13599233
Points split between you for your efforts and insights.  The situation is now no longer relevant as it's not going to happen!  I may get around to testing this in a lab environ., but until then... thanks! :)
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13646837
>  If I'm 192.168.16.10 and I want to connect to 192.168.16.10 at the other site,
dooh, AFAIK this is a deadlock
i.g. you need a rule for your network in ipsec.conf (as you still have), and you need another rule for your own IP, then you simply add that interface too, like:
  ipsec up your-local-rule-name
0
 
LVL 19

Author Comment

by:Barthax
ID: 13650886
> AFAIK this is a deadlock

It's exactly that deadlock I was trying to find a way around with my initial thoughts of a mangle.  If I ever have to implement this & find a way to achieve it, I'll (hopefully) remember to post here. :)
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13652089
> It's exactly that deadlock ..
ok, my comment was too simple
AFAIK FreeS/WAN (as IPSec) can connect 2 nets with same and/or overlapping IP range, but you'll have to fix the routing problems on each side yourself.
For example, if 10.10.10.10 on right subnet wants to connect to 10.10.10.10 on left subnet, you need an alias on both sides with different IPs, otherwise routing will not work (it's a loopback). Same applies to all other IPs in the subnet.
I've fixed this problem once using Linux's iptables with SNAT and DNAT (but can't remember if it was the FreeS/WAN host itself or not).

Regarding "ping"ing from gateway to gateway: you need corresponding rules (oops, policy is the proper term) in ipsec.conf for the gateway itself. These policies on right and left gateway must match each other, and you have to start them after the connection is established on both sides with
  ipsec up policy-name
(or whatever your command to do this is)
This works for me.
0
 
LVL 19

Author Comment

by:Barthax
ID: 13652278
Ah, sorry, I read your original as an explanation as to why it wouldn't work! :)  Thanks for clarifying it.

> I've fixed this problem once using Linux's iptables with SNAT and DNAT

Great news... if I ever need to carry out a complete installation. :)

Many thanks for the continuance.
0