I have a CentOS box that acts as a packet filter/firewall with iptables, but the box itself isn't able to reach the internet. Here's why:
Internet ----- public IP|ISP router|private IP ----- private IP + public IP/32 + public IP subnet/29|my CentOS fw|private network/dmz
As you can see, my provider gave us a /29 public IP subnet, but behind a private IP subnet (192.168.X.X/24, used for the routing between the ISP router and the fw). I've configured my iptables/routing correctly and machines from the DMZ have no problems reaching the external world (use of SNAT in the nat table, of course).

The problem is that the firewall itself can't access the public network because of its private IP 192.168.X.X used for the routing between the ISP router and itself. I also received a /32 public IP for the fw itself and I've added it to the ethX:1 alias. Problem is that the kernel always decides (because of the default gw being on the private IP 192.168.X.X) that it has to use the 192.168.X.X IP address as outbound interface. So every packet leaving the fw (so I'm talking about the OUTPUT table and not about FORWARD nor the nat table) comes from a 192.168.X.X IP and so never comes back (which is normal).

Question is: how can I "mangle" output packets to appear to come from the public IP and not from 192.168.X.X? For example, at the application layer, I can produce ICMP packets with `ping -I my.public.ip remote.host.on.internet` that come back, but of course nothing with a traditional `ping remote.host.on.internet`.

I've had a look at arptables and tested

  arptables -A OUT -s 192.168.X.X ! -d 192.168.X.0/24 -o eth3 -j mangle --mangle-ip-s my.public.ip

but that doesn't seem to do the trick ...
Any ideas ? I just hope that it was clear enough :-p
--
Fabian Arrotin
idea=`grep -i clue /dev/brain` ; test -z "$idea" && echo "sorry, init 6 in progress" || sh ./answer.sh
Hi Fabian:
On Tue, Jan 27, 2009 at 08:16, Fabian Arrotin <fabian.arrotin@arrfab.net> wrote:
> Question is: how can I "mangle" output packets to appear to come from the public IP and not from 192.168.X.X?
Found this that might help you (google for: linux default outgoing ip):
"""
On a machine with multiple interfaces, is it possible to set the default outgoing IP address to something other than the address for the interface on the outgoing route?
Yes.
ip route add 10.1.1.0/24 via 192.168.1.1 src 172.16.1.1 ^^^ The src parameter tells the routing code to use this address when sending packets. The address only needs to be on the system. IE:
ip addr add 172.16.1.1/32 dev dummy0
And send the packets out of eth0. """ From: http://lkml.indiana.edu/hypermail/linux/kernel/0112.1/0359.html
Just make sure you keep a separate route for your ISP's side of the private network (maybe the one created when your interface goes up will do), otherwise your routing protocol might fail.
HTH, Filipe
Filipe Brandenburger wrote:
> Found this that might help you (google for: linux default outgoing ip):
> [...]
> Just make sure you keep a separate route for your ISP's side of the private network (maybe the one created when your interface goes up will do), otherwise your routing protocol might fail.
Hi Filipe,
Thanks for the link, I completely missed that point of the 'ip route' command.

On the other hand, 10 minutes after I had sent my mail (and 3 coffees later, to be precise) I also saw a picture from Wikipedia (http://upload.wikimedia.org/wikipedia/fr/thumb/3/3e/Netfilter_schema.png/400...) explaining how packets go through the different iptables tables, and it was directly clear: even packets leaving the local box (and being processed in the OUTPUT filter) are still processed in the nat table (postrouting filter), so a simple SNAT rule did the job perfectly too ;-) In fact it's the first time that I have to modify packets leaving a Linux gateway, and I thought that only packets being forwarded (and so traversing the FORWARD filter) could also be modified in the nat table ...

I've also had a look in the sysconfig.txt file to see how your solution could be applied, but it's still not very clear how that can be done. But using GATEWAYDEV=eth3 (eth3 having my public-ip/32 while eth3:1 has my 192.168.X.X/24 IP) in /etc/sysconfig/network and declaring a GATEWAY=192.168.X.X (ISP router IP) in ifcfg-eth3:1 also does the job. A `route -n` is strange though:

  0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 eth3

like for the old ppp stuff.

So multiple ways to solve the initial question ...

--
Fabian Arrotin
idea=`grep -i clue /dev/brain` ; test -z "$idea" && echo "sorry, init 6 in progress" || sh ./answer.sh
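Both fixes that came up so far (Filipe's `ip route ... src` on the default route, and the nat/POSTROUTING SNAT rule that Fabian found also applies to the firewall's own packets) come down to where in the output path the source address gets set: the route's preferred source is chosen when the socket is bound, before netfilter sees anything, while SNAT rewrites the packet afterwards at POSTROUTING, which locally generated and forwarded packets both traverse. The Python model below is an added example for this thread, not code from any of the posts or from the CentOS/iptables projects. Its addresses are constructed placeholders (RFC 1918 and RFC 5737 ranges) for the thread's 192.168.X.X transfer net, public /32 and /29; the DMZ is assumed to be a private 10.10.10.0/24 SNATted to one /29 address; and the routing and netfilter behaviour is reduced to longest-prefix lookup, prefsrc, and first-match SNAT at POSTROUTING with no connection tracking. It shows the untouched default route yielding the private source, each fix on its own yielding the public source, and Filipe's caveat that traffic to the ISP-side /24 must keep the private address with either fix.

```python
"""Source-address selection for a Linux router's own packets, and the two
places it can be changed: the route's `src` (prefsrc) or a nat/POSTROUTING
SNAT rule.  Added example for this thread, not code from any of the posts.
Addresses are constructed (RFC 1918/5737 ranges standing in for the thread's
192.168.X.X and public values).  Simplified model: longest-prefix lookup, a
route's `src` wins, else the primary address of the outgoing device; NAT is
first-match with no connection tracking.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Hook order from the netfilter diagram: a locally generated packet skips
# PREROUTING/FORWARD but reaches nat/POSTROUTING just like forwarded traffic.
LOCAL_PATH = ("OUTPUT", "POSTROUTING")
FORWARD_PATH = ("PREROUTING", "FORWARD", "POSTROUTING")

@dataclass
class Route:
    dst: IPv4Network                       # 0.0.0.0/0 for the default route
    dev: str
    via: Optional[IPv4Address] = None
    src: Optional[IPv4Address] = None      # `ip route add ... src A.B.C.D`

@dataclass
class SnatRule:   # -t nat -A POSTROUTING -o DEV -s NET [! -d NET] -j SNAT --to-source IP
    out_dev: str
    match_src: IPv4Network
    to_source: IPv4Address
    not_dst: Optional[IPv4Network] = None

@dataclass
class Router:
    addrs: dict                            # device -> [addresses], primary first
    routes: list
    nat: list = field(default_factory=list)   # nat/POSTROUTING rules, in order

    def lookup(self, dst):
        matches = [r for r in self.routes if dst in r.dst]
        if not matches:
            raise LookupError(f"no route to {dst}")
        return max(matches, key=lambda r: r.dst.prefixlen)   # longest prefix wins

    def select_source(self, route):
        """Address chosen at connect()/sendto() time, before any NAT."""
        return route.src if route.src is not None else self.addrs[route.dev][0]

    def traverse(self, path, src, dst, out_dev):
        """Walk the hooks in order; only POSTROUTING may rewrite the source."""
        for hook in path:
            if hook == "POSTROUTING":
                for rule in self.nat:
                    if (rule.out_dev == out_dev and src in rule.match_src
                            and (rule.not_dst is None or dst not in rule.not_dst)):
                        return rule.to_source
        return src

    def send_local(self, dst):
        """Packet generated on the box: (source the app sees, source on the wire, dev)."""
        route = self.lookup(dst)
        src = self.select_source(route)
        return src, self.traverse(LOCAL_PATH, src, dst, route.dev), route.dev

    def forward(self, src, dst):
        """Packet routed through the box: (source on the wire, dev)."""
        route = self.lookup(dst)
        return self.traverse(FORWARD_PATH, src, dst, route.dev), route.dev

ISP_NET = IPv4Network("192.168.1.0/24")    # transfer net between ISP router and fw
ISP_ROUTER = IPv4Address("192.168.1.1")
FW_PRIVATE = IPv4Address("192.168.1.2")    # primary address on eth3
FW_PUBLIC = IPv4Address("198.51.100.10")   # the public /32, on alias eth3:1
DMZ_NET = IPv4Network("10.10.10.0/24")     # assumed private DMZ behind eth1
DMZ_PUBLIC = IPv4Address("203.0.113.2")    # assumed /29 address the DMZ is SNATted to
REMOTE = IPv4Address("192.0.2.50")

def build_router(route_src=None, fw_snat=False):
    r = Router(
        addrs={"eth3": [FW_PRIVATE, FW_PUBLIC], "eth1": [IPv4Address("10.10.10.1")]},
        routes=[Route(ISP_NET, "eth3"), Route(DMZ_NET, "eth1"),
                Route(IPv4Network("0.0.0.0/0"), "eth3", via=ISP_ROUTER, src=route_src)],
        nat=[SnatRule("eth3", DMZ_NET, DMZ_PUBLIC)],   # the pre-existing DMZ rule
    )
    if fw_snat:   # -o eth3 -s 192.168.1.2 ! -d 192.168.1.0/24 -j SNAT --to-source 198.51.100.10
        r.nat.append(SnatRule("eth3", IPv4Network("192.168.1.2/32"), FW_PUBLIC, not_dst=ISP_NET))
    return r

def scenarios():
    """(source the app sees, source on the wire, dev) for the fw's own packets to REMOTE."""
    return {
        "no fix": build_router().send_local(REMOTE),                        # private source leaks out
        "route src": build_router(route_src=FW_PUBLIC).send_local(REMOTE),  # ip route ... src
        "snat": build_router(fw_snat=True).send_local(REMOTE),              # nat/POSTROUTING rule
        # Filipe's caveat: the ISP-side /24 must keep the private source, with either fix
        "route src, to ISP router": build_router(route_src=FW_PUBLIC).send_local(ISP_ROUTER),
        "snat, to ISP router": build_router(fw_snat=True).send_local(ISP_ROUTER),
        # the pre-existing DMZ rule only matches forwarded DMZ sources, not the fw itself
        "dmz host forwarded": build_router().forward(IPv4Address("10.10.10.5"), REMOTE),
    }
```

`scenarios()` returns, per case, the source the application sees and the source on the wire. With the route `src` both are the public address; with SNAT the application still binds 192.168.1.2 while the wire shows the public address, which is the difference to keep in mind for protocols that embed their own address in the payload (active FTP, SIP). The `! -d 192.168.1.0/24` exclusion on the SNAT rule is how the model honours the caveat about the ISP-side network; a real rule wants the same exclusion, or a `-d` match narrower than "everything leaving eth3".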
Fabian Arrotin wrote:
> I've also had a look in the sysconfig.txt file to see how your solution could be applied, but it's still not very clear how that can be done.
> [...]
> So multiple ways to solve the initial question ...
One coffee cup later I see in the sysconfig.txt documentation file, for the parameters of ifcfg-<interface-name>: "SRCADDR= use the specified source address for outgoing packets" .. so definitely resolved by sysconfig files (so a clean solution).
Hi,
On Tue, Jan 27, 2009 at 14:14, Fabian Arrotin <fabian.arrotin@arrfab.net> wrote:
> On the other hand, 10 minutes after I had sent my mail (and 3 coffees later, to be precise) I also saw a picture from Wikipedia (http://upload.wikimedia.org/wikipedia/fr/thumb/3/3e/Netfilter_schema.png/400...)

Interesting diagram! I tried to look for the Wikipedia page that links to it, but no luck. Where did you find it? Is there an article with that?

> explaining how packets go through the different iptables tables, and it was directly clear: even packets leaving the local box (and being processed in the OUTPUT filter) are still processed in the nat table (postrouting filter), so a simple SNAT rule did the job perfectly too ;-)

That was my first thought, configuring a NAT for it. I actually thought that you would be able to solve it by adding a SNAT entry in the OUTPUT chain of the nat table, but when I checked the man page I saw that SNAT can only be used in POSTROUTING. As I assumed you already had a POSTROUTING SNAT rule catching everything and you still had the problem with the firewall itself, I did not mention it, but now I see that it makes sense, as you need a separate rule for that since the interface is different.

> I've also had a look in the sysconfig.txt file to see how your solution could be applied, but it's still not very clear how that can be done. But using GATEWAYDEV=eth3 (eth3 having my public-ip/32 while eth3:1 has my 192.168.X.X/24 IP) in /etc/sysconfig/network and declaring a GATEWAY=192.168.X.X (ISP router IP) in ifcfg-eth3:1 also does the job. A `route -n` is strange though: " 0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 eth3" like for the old ppp stuff.
>
> One coffee cup later I see in the sysconfig.txt documentation file, for the parameters of ifcfg-<interface-name>: "SRCADDR= use the specified source address for outgoing packets" .. so definitely resolved by sysconfig files (so a clean solution).

Cool! That's real easy! Glad to know that.

> So multiple ways to solve the initial question ...

Great! I learned something today! :-)
Filipe
Filipe Brandenburger wrote:
> Hi,
>
> On Tue, Jan 27, 2009 at 14:14, Fabian Arrotin <fabian.arrotin@arrfab.net> wrote:
>> On the other hand, 10 minutes after I had sent my mail (and 3 coffees later, to be precise) I also saw a picture from Wikipedia (http://upload.wikimedia.org/wikipedia/fr/thumb/3/3e/Netfilter_schema.png/400...)
>
> Interesting diagram! I tried to look for the Wikipedia page that links to it, but no luck. Where did you find it? Is there an article with that?

In fact that's a diagram I found through Google, which pointed me to the French version of Wikipedia for Netfilter: http://fr.wikipedia.org/wiki/Netfilter .. strange that the English version doesn't have it, because such a picture says more than a paragraph ...