Re: [OT] Source Based Routing
hi,

On 7/25/07, Erik Persson <[EMAIL PROTECTED]> wrote:
> I have not read all you have written, but will not:
>
> iptables -I POSTROUTING -t nat -s 10.200.10.50 ! -d 192.0.2.8/29 -j SNAT --to-source 192.0.2.11
>
> do the trick?

i guess that's one of the reasons why I prefer debian-user over other
lists. I do get information :)

Yes that seems to work. I can't test it at the moment as I have to do
that on our live system but that sounds like a simple solution. gotta
look into the difference of source nat and source based routing though,
I guess there's a reason why both solutions exist.

> By the way, if the provider uses 192.0.2.9 as the gateway, and you
> have 192.0.2.10-192.0.2.14, how do you get the traffic for the ips,
> other than 192.168.2.10, to your gateway? Are you using multiple
> ip-addresses on the same interface, or do you use proxy arp?

Yes just multiple IPs on the external interface on our borderline host

martin

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: [OT] Source Based Routing
Martin Marcher wrote:
> Hello,
>
> Say I want 10.200.10.50 to look like it came from 192.0.2.11 how do I do that?

I have not read all you have written, but will not:

iptables -I POSTROUTING -t nat -s 10.200.10.50 ! -d 192.0.2.8/29 -j SNAT --to-source 192.0.2.11

do the trick?

By the way, if the provider uses 192.0.2.9 as the gateway, and you have
192.0.2.10-192.0.2.14, how do you get the traffic for the ips, other than
192.168.2.10, to your gateway? Are you using multiple ip-addresses on the
same interface, or do you use proxy arp?

> thanks
> martin

/Erik
Re: [OT] Source Based Routing
Hi,

On 7/25/07, Bob Proulx <[EMAIL PROTECTED]> wrote:
> Martin Marcher wrote:
> > i have a setup where i have a borderline box that has 5 public IP
> > Addresses (this is for the sake of example: 192.0.2.8/29), all is
> > NATed to 10.200.10.0/24. Now the IP the provider uses as gateway is
> > 192.0.2.9 which makes me have 192.0.2.10-14 as a usable range.
>
> Uhm... Five public IPs is normal for an 8 IP subnet. But I don't
> understand your statement about NAT'ing them all to 10.200.10.0/24,
> especially since the ranges do not add up. I am guessing you are
> sanitizing addresses (okay) and not quite getting things lined up right.

You are right, atm the IPs are 192.0.2.9-14 which are public

* 192.0.2.9 is used by our provider
* 192.0.2.10-14 are free for us to use

192.10.2.10 is the default outgoing route (where this physical box has
aliases for the other IPs too on the same interface)

The internal interface on this box has the IP 10.200.10.1 and serves the
rest of the range via DHCP where 10.200.10.1 is the gateway address
(that's what I meant by the network behind is NATed)

> > The default gateway on my borderline box is 192.10.2.10.10 which makes
>
> Hmm... Check that address again. It can't be a 40 bit address. :-)

err yes :) It was a bit late yesterday, as said above 192.0.2.10 is the
default gateway on the borderline box

> > all traffic from my network look like it came from this address which
> > was fine until now.
>
> Do you mean that you have NAT configured so that all clients appear to
> come from your gateway?

exactly

> > Say I want 10.200.10.50 to look like it came from 192.0.2.11 how do I do
> > that?
>
> Let me recommend using Shorewall for this. There are a lot of packages
> that facilitate driving the Linux netfilter. I like the Shorewall one
> best. YMMV.
>
> http://www.shorewall.net/NAT.htm
>
> I believe that page documents the configuration that you are wanting to
> create. If nothing else it should be an additional reference.

sounds like a good option, unfortunately I can only use it as a last
resort, since the box is an embedded box and not exactly debian - It's
embcop but a standard x86 Processor afaik and my boss is picky about it.
I'll look into shorewall, heard a lot about it and mostly only good stuff.

> > I found http://www.wlug.org.nz/SourceBasedRouting which seems to do
> > what I want the approach also seems easily extensible since I could
> > easily add more addresses to a certain routing table, or maybe even
> > add more routing tables so that I could use the full range as outgoing
> > IP addresses depending on the source IP address.
> >
> > Am I on the right track?
>
> Seemingly so far you seem to be on track to me. Excepting the noted
> confusion about addresses.

Ah yea, OOC[1]-Segfault

martin

[1] Out Of Coffee
Re: [OT] Source Based Routing
Martin Marcher wrote:
> i have a setup where i have a borderline box that has 5 public IP
> Addresses (this is for the sake of example: 192.0.2.8/29), all is
> NATed to 10.200.10.0/24. Now the IP the provider uses as gateway is
> 192.0.2.9 which makes me have 192.0.2.10-14 as a usable range.

Uhm... Five public IPs is normal for an 8 IP subnet. But I don't
understand your statement about NAT'ing them all to 10.200.10.0/24,
especially since the ranges do not add up. I am guessing you are
sanitizing addresses (okay) and not quite getting things lined up right.

> The default gateway on my borderline box is 192.10.2.10.10 which makes

Hmm... Check that address again. It can't be a 40 bit address. :-)

> all traffic from my network look like it came from this address which
> was fine until now.

Do you mean that you have NAT configured so that all clients appear to
come from your gateway?

> Say I want 10.200.10.50 to look like it came from 192.0.2.11 how do I do
> that?

Let me recommend using Shorewall for this. There are a lot of packages
that facilitate driving the Linux netfilter. I like the Shorewall one
best. YMMV.

http://www.shorewall.net/NAT.htm

I believe that page documents the configuration that you are wanting to
create. If nothing else it should be an additional reference.

> I found http://www.wlug.org.nz/SourceBasedRouting which seems to do
> what I want the approach also seems easily extensible since I could
> easily add more addresses to a certain routing table, or maybe even
> add more routing tables so that I could use the full range as outgoing
> IP addresses depending on the source IP address.
>
> Am I on the right track?

Seemingly so far you seem to be on track to me. Excepting the noted
confusion about addresses.

> FYI: The purpose is that I want to have an outbound mail server and a
> separate inbound one. And I want to have them use 2 different IP
> Addresses - if you know a simpler approach to this (the constraint is
> to keep a single borderline box) I'm very much open to suggestions

Seems reasonable.

Bob
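An added example, not code from any poster in the thread, that puts Erik's SNAT rule and the source-based-routing approach Martin links to side by side for the addresses used above: the SNAT rule is what rewrites a LAN host's source address (the SNAT target only exists in the nat table's POSTROUTING chain), while policy routing only chooses which table, and so which gateway, a packet is routed by. It assumes the external interface is eth0 and that 192.0.2.10 stays the primary address; it prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): give selected LAN hosts their own public
# source address on the border box. Assumptions: external interface eth0,
# primary address 192.0.2.10. Commands are printed unless APPLY=1.
PUB_NET=192.0.2.8/29
GW=192.0.2.9
EXT_IF=${EXT_IF:-eth0}
PRIMARY=192.0.2.10

# Constructed sample mapping: "lan-host public-address", one pair per line.
MAP="10.200.10.50 192.0.2.11
10.200.10.51 192.0.2.12"

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Only .10-.14 are usable: .8/.15 are network/broadcast, .9 is the provider's gateway.
usable_pub() { case "$1" in 192.0.2.1[0-4]) return 0 ;; *) return 1 ;; esac; }

# Approach 1: SNAT. The SNAT target is only valid in the nat table's POSTROUTING
# chain (source rewriting happens after the routing decision). "! -d $PUB_NET"
# leaves traffic aimed at the box's own public block untranslated. Per-host rules
# are inserted ahead of the catch-all that keeps everyone else on the primary address.
snat_rules() {
  echo "$MAP" | while read -r lan pub; do
    usable_pub "$pub" || { echo "skipping $lan: $pub is not a usable address" >&2; continue; }
    run iptables -t nat -I POSTROUTING -o "$EXT_IF" -s "$lan" ! -d "$PUB_NET" -j SNAT --to-source "$pub"
  done
  run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s 10.200.10.0/24 -j SNAT --to-source "$PRIMARY"
}

# Approach 2: policy (source-based) routing. An "ip rule" picks a routing table by
# source address, i.e. which gateway/interface the packet leaves through; it never
# rewrites the address. With one uplink, as in the thread, every table carries the
# same default route, so SNAT alone does the job; this shape matters once a mapped
# host must leave through a different gateway.
policy_rules() {
  table=100
  echo "$MAP" | while read -r lan pub; do
    table=$((table + 1))
    run ip route add default via "$GW" dev "$EXT_IF" table "$table"
    run ip rule add from "$lan" lookup "$table"
  done
}

if [ "${1:-}" = show ]; then snat_rules; policy_rules; fi
```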