Gentoo Forums
Networking & Security
Route ip to local network
creack (n00b; Joined: 19 May 2010; Posts: 14)
Posted: Thu May 20, 2010 1:48 pm    Post subject: Route ip to local network

Hi,

Here is my situation:

1 server with 2 ips with vpn

I would like to route one of my IPs to my computer over the VPN. How can I do it? I tried with route without success and I tried with iptables, but it is too huge and I am not sure of what I did.

Do you know how to do what I want or where I can find documentation about it?

Thanks.
erik258 (Advocate; Joined: 12 Apr 2005; Posts: 2650; Location: Twin Cities, Minnesota, USA)
Posted: Thu May 20, 2010 4:31 pm    Post subject:

Hi,

I'm not sure what you're trying to accomplish. If I understand you correctly your network looks something like this:
http://spore.ath.cx/~dan/diagram.png

You'll note that in the diagram, server has 2 connections to the internet, remote has a connection to the server through a vpn, and there's an arrow inside the server pointing from IP2 through to the vpn.

It seems that your intention is to redirect traffic coming in to IP2 through to the VPN address on remote. This is not too difficult to do, but you'll need to use iptables. Something like this should suffice:
Code:

IP2=<IP_ADDR_TO_FORWARD>
RIP=<REMOTE_IP_TO_FORWARD_TO>

iptables -t nat -I PREROUTING -d $IP2 -j DNAT --to-destination $RIP

_________________
Configuring a Firewall? Try my iptables configuration
LinuxCommando.com is my blog for linux-related scraps and tidbits. Stop by for a visit!
creack (n00b; Joined: 19 May 2010; Posts: 14)
Posted: Fri May 21, 2010 5:12 am    Post subject:

It is exactly what I want to do. I flushed my tables (iptables -F ; iptables -t nat -F) and I tried your command, but it still does not reach my RIP when I ping IP2 :(

EDIT: actually, it kind of works, it is very strange:

On my server:

$>tcpdump -i eth0 proto ICMP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
07:15:12.018816 IP sla-rbx2-xx.ovh.net > $IP2: ICMP echo request, id 39220, seq 6148, length 64
07:15:12.274662 IP $IP2 > sla-rbx2-xx.ovh.net: ICMP echo reply, id 39220, seq 6148, length 64

On my computer (over VPN):
$>sudo tcpdump -i tun1 proto ICMP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun1, link-type RAW (Raw IP), capture size 96 bytes
09:16:36.756573 IP sla-rbx2-xx.ovh.net > 172.16.0.6: ICMP echo request, id 39220, seq 6148, length 64
09:16:36.756601 IP 172.16.0.6 > sla-rbx2-xx.ovh.net: ICMP echo reply, id 39220, seq 6148, length 64


But when I try to ping $IP2 myself, it does not forward to my computer... I don't understand (I think sla-rbx2-xx.ovh.net must be the monitoring from my ISP).
Back to top
View user's profile Send private message
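An added check, not part of creack's or erik258's posts: the two captures above show the same ICMP echo request on both sides of the translation, and the reliable way to pair them is by the ICMP id/seq fields, not by timestamps (the two hosts' clocks clearly differ). The sample lines below are constructed after the ones in the post, with 198.51.100.10 standing in for $IP2 (a placeholder, not the real address).

```shell
#!/bin/sh
# Added example: confirm a DNAT translation by correlating an outer-NIC
# capture with a VPN-tunnel capture of the same ICMP echo request.
# Sample lines are constructed; the public IP is an RFC 5737 placeholder.
OUTER='07:15:12.018816 IP sla-rbx2-xx.ovh.net > 198.51.100.10: ICMP echo request, id 39220, seq 6148, length 64'
TUN='09:16:36.756573 IP sla-rbx2-xx.ovh.net > 172.16.0.6: ICMP echo request, id 39220, seq 6148, length 64'

# Print "id,seq" for an ICMP echo request line; print nothing for any other line.
icmp_key() {
    printf '%s\n' "$1" | sed -n 's/.*ICMP echo request, id \([0-9]*\), seq \([0-9]*\).*/\1,\2/p'
}

# Succeed (exit 0) only when both lines carry the same echo request (same id
# and seq) and the destination was rewritten from the public IP ($3) on the
# outer capture to the VPN address ($4) on the tunnel capture.
dnat_confirmed() {
    outer=$1; tun=$2; pub=$3; priv=$4
    k1=$(icmp_key "$outer"); k2=$(icmp_key "$tun")
    [ -n "$k1" ] && [ "$k1" = "$k2" ] || return 1
    case "$outer" in *"> $pub:"*) ;; *) return 1 ;; esac
    case "$tun"   in *"> $priv:"*) ;; *) return 1 ;; esac
    return 0
}

if dnat_confirmed "$OUTER" "$TUN" 198.51.100.10 172.16.0.6; then
    echo "DNAT confirmed: echo request $(icmp_key "$OUTER") seen on both sides"
else
    echo "no matching translation found"
fi
```

To use it on live data, feed one line from `tcpdump -i eth0 -n icmp` on the server and one from `tcpdump -i tun1 -n icmp` on the client; `-n` keeps addresses numeric so the destination match is exact.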
erik258 (Advocate; Joined: 12 Apr 2005; Posts: 2650; Location: Twin Cities, Minnesota, USA)
Posted: Sat May 22, 2010 6:20 am    Post subject:

It seems as though it's working for the ICMP requests, right? It seems as though tcpdump is showing the DNAT happening, with ICMP packets going in to $IP2 and coming out to 172.16.0.6 (I assume the VPN IP) and back, right? If you tcpdumped on the tun/tap device on the server, you'd probably see those same packets entering the VPN on the server side too.

So, what's not working? What is 'my computer' and where does it fit into the network?

ps: are your clocks off? (maybe just in different timezones)
creack (n00b; Joined: 19 May 2010; Posts: 14)
Posted: Tue May 25, 2010 4:17 am    Post subject:

Actually, I had bad routes. It works perfectly fine, thank you very much.

creack (n00b; Joined: 19 May 2010; Posts: 14)
Posted: Tue May 25, 2010 3:20 pm    Post subject:

Actually I have another question: now that my computer over the VPN has its own IP, how can I make the world see that IP instead of the VPN server?

erik258 (Advocate; Joined: 12 Apr 2005; Posts: 2650; Location: Twin Cities, Minnesota, USA)
Posted: Wed May 26, 2010 3:22 am    Post subject:

Hello again,

Quote:
it works perfectly fine


Glad to hear it.

Quote:
now that my computer over the VPN has its own IP, how can I make the world see that ip instead of the VPN server?


Does the computer over the VPN have a public IP? I don't know any way of sending traffic for one IP to a different IP without modifying routing tables. Unfortunately, something like that can't be done on the Internet. Routing on the internet is based on a number of advanced routing protocols, and you'd need the cooperation of the administrators of the ISPs that 'own' both public IP addresses and connect them to the internet for that to work. Sorry.

If your VPN remote endpoint has a private IP, the situation is just as bleak. Public computers can't talk to private IP addresses over the internet; they'd have to be connected to the VPN to be able to reach it.

The ability to move services between IP addresses is one of the reasons DNS names are used so frequently online. If the world connects to a DNS hostname rather than the IP, updating the A record in DNS will be sufficient to move traffic over to that IP, but the change will take time to propagate through the world's public DNS servers.

I hope that answers your question.
creack (n00b; Joined: 19 May 2010; Posts: 14)
Posted: Wed May 26, 2010 9:53 am    Post subject:

I am not sure what you mean, but yes, I have 2 public IPs.

http://ip2/ from anywhere in the world goes to my computer.

On my server, I have 2 NICs, eth0 with IP1 and eth1 with IP2 (both public), and I would like anything from the VPN (tun0) to leave through eth1 and not eth0.

Is that possible?
erik258 (Advocate; Joined: 12 Apr 2005; Posts: 2650; Location: Twin Cities, Minnesota, USA)
Posted: Wed May 26, 2010 10:36 am    Post subject:

Ah, I understand now. I thought you wanted to make traffic destined for IP1/2 be delivered straight to 'IP3', another public address on the other side of the VPN. Obviously a difficult task, if not impossible, without forwarding them there after the fact as you are doing.

I know you can use policy routing to decide how to route packets based on the source address. There are a number of other policies you can also apply to routing using the ip2 framework. So, if IP1 and IP2 were on a LAN, my answer would be that I'm pretty sure you can do it. But I'm concerned that you might have problems sending packets back over a different path than the one they came in on. Although, maybe I'm imagining a problem that doesn't actually exist.

I guess I don't know the answer. If you find out elsewhere, I'd certainly appreciate it if you let me/us know what you find. All I can say is this: http://lartc.org/howto/ should tell you how to do it, if it's doable.
creack (n00b; Joined: 19 May 2010; Posts: 14)
Posted: Fri Jun 25, 2010 2:06 pm    Post subject:

I finally succeeded!!!

Here is my solution:

Code:

#!/bin/sh

W_DEV=eth0   # device with the internet connection (optional, only used by the MASQUERADE rule)
W_IP1=       # public IP1 that we want to route
W_IP2=       # public IP2 that we want to route
L_IP1=       # LAN (or VPN) IP of the first computer
L_IP2=       # LAN (or VPN) IP of the second computer

# first clean the tables
iptables -F
iptables -t nat -F
iptables -t mangle -F

# then route each public IP to the correct computer (up to here it already worked)
iptables -t nat -I PREROUTING -d $W_IP1 -j DNAT --to-destination $L_IP1
iptables -t nat -I PREROUTING -d $W_IP2 -j DNAT --to-destination $L_IP2

# finally, NAT the outgoing packets with the correct public IP
iptables -t nat -A POSTROUTING -s $L_IP1 -j NETMAP --to $W_IP1
iptables -t nat -A POSTROUTING -s $L_IP2 -j NETMAP --to $W_IP2

# then, if we have more computers than public IPs, let all the other clients reach the internet dynamically
iptables -t nat -A POSTROUTING -o $W_DEV -j MASQUERADE


So with this, I have my server with public IPs, and 2 computers behind the VPN that look public.
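An added example, not creack's script and not erik258's: it combines the 1:1 NAT from creack's final solution with the source-based policy routing erik258 pointed at (the LARTC approach), so that a client's traffic leaves through the NIC that owns the public IP it is mapped to, which is the question asked earlier about tun0 and eth1. Everything it adds beyond the thread is labelled in the comments: IP forwarding is switched on explicitly, the FORWARD chain is limited to the two mapped clients, and each client gets its own routing table. All addresses, interface names and gateways are placeholders (RFC 5737 test ranges); set them for your host. Run with `apply` as root to install the rules; any other invocation only prints them.

```shell
#!/bin/sh
# Added example: 1:1 NAT for two VPN clients plus source-based policy
# routing so each client's traffic leaves via the NIC that owns its public IP.
# Not the script from the thread. All addresses below are placeholders.

W_DEV1=eth0; W_IP1=203.0.113.10; W_GW1=203.0.113.1    # NIC 1, public IP1, its gateway
W_DEV2=eth1; W_IP2=198.51.100.10; W_GW2=198.51.100.1  # NIC 2, public IP2, its gateway
VPN_DEV=tun0
L_IP1=172.16.0.6     # VPN address of client 1 (mapped to W_IP1)
L_IP2=172.16.0.10    # VPN address of client 2 (mapped to W_IP2)

IPT=iptables; IPR=ip; SYSCTL=sysctl   # replaced by "echo" for a dry run

# Forwarding must be on, or DNAT'd packets are dropped after PREROUTING.
enable_forwarding() {
    $SYSCTL -w net.ipv4.ip_forward=1
}

# Map one public IP to one VPN client: DNAT on the way in, SNAT on the way
# out so the world sees W_IP rather than the server's primary address.
# conntrack reverses each translation for the reply direction.
nat_one_to_one() {
    w_ip=$1; l_ip=$2
    $IPT -t nat -A PREROUTING  -d "$w_ip" -j DNAT --to-destination "$l_ip"
    $IPT -t nat -A POSTROUTING -s "$l_ip" -j SNAT --to-source "$w_ip"
}

# Forward only what the mapping needs: replies to existing connections, new
# connections from a mapped client out to the world, and new connections to
# a mapped client arriving on the NIC that owns its public IP (after DNAT
# the destination seen here is already the client's VPN address).
forward_policy() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for l_ip in "$L_IP1" "$L_IP2"; do
        $IPT -A FORWARD -i "$VPN_DEV" -s "$l_ip" -j ACCEPT
    done
    $IPT -A FORWARD -i "$W_DEV1" -o "$VPN_DEV" -d "$L_IP1" -j ACCEPT
    $IPT -A FORWARD -i "$W_DEV2" -o "$VPN_DEV" -d "$L_IP2" -j ACCEPT
}

# Policy routing: the routing decision for a forwarded packet is made before
# POSTROUTING SNAT, so it still sees the client's VPN address as source. A
# rule per client sends that source to its own table, whose default route
# uses the NIC that owns the public IP the client is mapped to.
route_by_source() {
    l_ip=$1; table=$2; gw=$3; dev=$4
    $IPR route replace default via "$gw" dev "$dev" table "$table"
    $IPR rule add from "$l_ip" lookup "$table" priority "$table"
}

apply_all() {
    enable_forwarding
    nat_one_to_one "$W_IP1" "$L_IP1"
    nat_one_to_one "$W_IP2" "$L_IP2"
    forward_policy
    route_by_source "$L_IP1" 101 "$W_GW1" "$W_DEV1"
    route_by_source "$L_IP2" 102 "$W_GW2" "$W_DEV2"
}

case "${1:-}" in
    apply) apply_all ;;                                  # install for real (needs root)
    *)     IPT=echo; IPR=echo; SYSCTL=echo; apply_all ;;  # default: print the commands
esac
```

`sh nat-policy.sh` prints the fifteen commands it would run; `sudo sh nat-policy.sh apply` installs them. The script appends rather than flushes, so clear any earlier attempt first (as creack's script does) and check the result with `iptables -t nat -L -n -v` and `ip rule show`. SNAT is used in place of creack's NETMAP; for a single address the two are equivalent.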
All times are GMT