Solved

IPtables VLANS Masquerading ALL in one.

Posted on 2005-04-21
2,772 Views
Last Modified: 2008-02-26
I am looking for a way to use ONE Linux box with iptables and 2 NICs to do some interesting routing for me....

On the internal interface (eth1) I want to send an 802.1Q trunk that is carrying ALL my vlans... each of the different vlans will masquerade as a different external address (on eth0)..
ex: vlan 1 with subnet 10.1.1.0 - 10.1.1.255 will masquerade on the outside as x.x.x.11
    vlan 2 with subnet 10.2.2.0 - 10.2.2.255 will masquerade on the outside as x.x.x.12

and so on... For some reason I knew how to do this while I was thinking the idea up, but now I am drawing a blank...
Question by: XereX

12 Comments
LVL 51

Expert Comment

by:ahoffmann
ID: 13842642
You can either masquerade everything to the IP of eth0, meaning that you need two external NICs for your 2 vlans:

iptables -t nat -A POSTROUTING -o eth0 -s 10.1.1.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth2 -s 10.2.2.0/24 -j MASQUERADE

or you need to do SNAT/DNAT for each IP, like:

iptables -t nat -A POSTROUTING -o eth0 -s 10.1.1.11 -j SNAT --to-source  x.x.x.11
iptables -t nat -A PREROUTING  -i eth0 -d x.x.x.11 -j DNAT --to-destination 10.1.1.11
# don't forget proper FORWARD rules then

Author Comment

by:XereX
ID: 13843020
I am thinking your second solution is probably correct, I just can't check right now, but your first solution makes me wonder if you have understood my question correctly... I want vlan 1 to have the external address of say 100.100.100.1..... vlan 2 external address of 100.100.100.2 and so on.... Like I said, I will check your second answer when I get into work this morning.... Thanks for the rapid response...

Author Comment

by:XereX
ID: 13843225
Actually now that I re-read it, you did understand my question, however I did not explain that there are more than 2 vlans, I need to map about 50 vlans so 50 interface cards won't work... and I cannot map to eth1:1 or anything like that.... hmmm

LVL 51

Expert Comment

by:ahoffmann
ID: 13843678
> .. so 50 interface cards won't work.
Linux can :-))

> .. and I cannot map to eth1:1 or anything like that....
why?
do you have a 2.6 kernel? otherwise you can make at least up to 127 (not sure about the number) virtual interfaces

BTW, if each vlan uses its own IP (100.100.100.x) in the outside world, and you only have one external NIC (which has exactly one IP), how do you think these vlans can be reached if you assign them an IP which is not at your NIC?
just wondering ...

Author Comment

by:XereX
ID: 13844370
What I don't think you understand is that iptables does not accept masquerading on a virtual interface... I plan on having one physical interface with several virtual interfaces... however I can't do
iptables -t nat -A POSTROUTING -o eth0:1 -s (vlan1 Subnet) -j MASQUERADE

iptables does not like :'s in interface names
LVL 51

Expert Comment

by:ahoffmann
ID: 13844790
> iptables does not like :'s in interface names
that's why I asked for kernel 2.6, it works with kernel 2.4

> .. one physical interface with several virtual interfaces ..
and in your previous comment (ID 13843225) you said:
> .. and I cannot map to eth1:1 or anything like that ..
so do you have virtual interfaces (50 or so) or not?

iptables -t nat -A POSTROUTING -d ! (vlan1 Subnet)  -s (vlan1 Subnet) -j MASQUERADE
AFAIK this works anyway (sorry, can't test myself)

Author Comment

by:XereX
ID: 13844868
I do have virtual interfaces... I will try that stuff out.... Thanks
LVL 7

Accepted Solution

by: XoF (earned 1500 total points)
ID: 13856456
Hi,

What about just this:

# -i is not accepted in the POSTROUTING chain (only -o), so select each vlan by its source subnet
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j SNAT --to-source x.x.x.11
iptables -t nat -A POSTROUTING -s 10.2.2.0/24 -o eth0 -j SNAT --to-source x.x.x.12

with eth0 x.x.x.11
and eth0:1 x.x.x.12

HTH,

-XoF-
LVL 51

Expert Comment

by:ahoffmann
ID: 13856515
hmm, only works if each vlan has one IP only, otherwise the way back cannot be done (that's the difference of SNAT/DNAT and MASQUERADE), which leads us back to my comment (ID 13842642)
Or do I miss something?
LVL 7

Expert Comment

by:XoF
ID: 13856559
From iptables(8):
SNAT: [...] It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled)

> (that's the difference of SNAT/DNAT and MASQUERADE)
NACK. The only difference between SNAT & MASQUERADE is the behavior of the connection tracking table across interface restarts.

> otherwise the way back cannot be done
Of course, _connections_ from the outside to a specific node within a vlan are impossible without corresponding DNAT rules. But that's the nature of SNAT/MASQUERADE....
Connections initiated from the inside to the outside should be no prob.

That's the unbelievable magic of connection tracking, which often enough makes me fool myself....:(

Cheers,

-XoF-
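The accepted solution and the SNAT/conntrack discussion above, as an added example that is not from the thread: a POSIX sh script that prints the interface, FORWARD and SNAT commands for each VLAN on an 802.1Q trunk. It assumes eth1 is the trunk, eth0 is the upstream NIC, VLAN N uses 10.N.N.0/24 (as in the question) and leaves as 100.100.100.N (constructed addresses); nothing is executed, the commands are emitted for review.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout: trunk on eth1,
# WAN on eth0, VLAN N = subnet 10.N.N.0/24 -> public address 100.100.100.N.
# Commands are printed, not run, so the plan can be reviewed before use.
TRUNK=eth1
WAN=eth0

# The 10.N.N.0/24 scheme only works for ids 1..255, so reject anything else.
vlan_ok() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 255 ]
}

# One-time settings: VLAN module, forwarding, and a default-deny FORWARD
# chain so only the explicitly allowed VLAN-to-WAN traffic is routed.
global_cmds() {
    cat <<EOF
modprobe 8021q
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
EOF
}

# Per-VLAN commands. POSTROUTING cannot match -i, so the VLAN is selected
# by its source subnet; SNAT (not MASQUERADE) pins the fixed public address.
# Return traffic is matched by conntrack (ESTABLISHED,RELATED) in FORWARD.
vlan_cmds() {
    id=$1
    vlan_ok "$id" || { echo "bad vlan id: $id" >&2; return 1; }
    subnet=10.$id.$id.0/24
    ext=100.100.100.$id
    cat <<EOF
ip link add link $TRUNK name vlan$id type vlan id $id
ip addr add 10.$id.$id.1/24 dev vlan$id
ip link set vlan$id up
ip addr add $ext/32 dev $WAN
iptables -A FORWARD -i vlan$id -o $WAN -s $subnet -j ACCEPT
iptables -A FORWARD -i $WAN -o vlan$id -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $subnet -o $WAN -j SNAT --to-source $ext
EOF
}

# Usage: sh vlan-snat.sh 1 2 3 | less    (pipe to sh once reviewed)
if [ $# -gt 0 ]; then
    global_cmds
    for v in "$@"; do vlan_cmds "$v" || exit 1; done
fi
```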
LVL 51

Expert Comment

by:ahoffmann
ID: 13856652
good explanation to the magics of iptables, I'm learning too ;-)

Author Comment

by:XereX
ID: 13858913
The other stuff didn't work the way I thought it would, I am gonna try XoF's answer today... thanks for everything.