

Groups > comp.os.linux.networking > #1893

Re: Misconception Regarding Iptables

From David Hough <noone$$@llondel.org>
Organization the bus stop
Date 2013-01-03 07:37 +0000
Subject Re: Misconception Regarding Iptables
Newsgroups comp.os.linux.networking
References <09056cb1-54ce-4bb0-b06f-48520a5d7cfe@px4g2000pbc.googlegroups.com>
Message-ID <13pfr9-eva.ln1@llondel.org> (permalink)



Quadibloc wrote:

> I'm trying to use iptables to do some custom routing of packets from
> one network between two other networks.
> 
> I found it very odd that in PREROUTING, where one can specify DNAT,
> one can't use the -o command. In searching for help with my
> difficulty, it was noted that the command "ip" would be used to set up
> another layer of Linux networking for purposes of routing.
> 
> I'm trying, with commands like
> 
> iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.1
> iptables -A FORWARD -i eth0 -o eth2 -s 192.168.0.2
> 
> to direct communications from two computers on eth0 to two different
> destinations; I'm also doing some address translation with PREROUTING
> commands as well.
> 
You need to use the ip rule subcommand and the connmark feature of iptables 
to encourage packets to go different ways by marking based on the source 
address and adding rules to use different routeing tables based on the mark. 
The iptables command is not in itself concerned with routeing of packets; it 
needs extra help to achieve that.

> It seems that despite 192.168.x.x and 10.x.x.x addresses belonging to
> a private space, there is some assumption that if the same IP address
> can be reached, say, through eth1 and eth2, that will lead to the same
> thing, and the Linux routing mechanism is designed with that in mind.
> 
Your expectation is different to mine, then. I would expect that for a given 
IP address, if there is more than one route provided, either can be used. 
There may be other reasons to prefer one over another, such as time of day, 
but that's usually achieved by other means. I would expect all systems to do 
this, not just Linux.

> Similarly, I can give the command "telnet 192.168.1.1" and even
> specify that I won't be using the default port 23, but there is no way
> to specify that I want to telnet to the computer with IP address
> 192.168.1.1 that will be reached via eth1, as opposed to what could be
> a completely different computer with the IP address 192.168.1.1 that
> happens to be connected to the eth2 card.
> 
No, if it's the same IP address then it should be the same computer. If 
you're using different port numbers then a bit of network address 
translation can be used to forward the connection on to different computers 
with different IP addresses.

> So I think that I have a very fundamental misconception as to how
> networking in Linux is designed to work; it's apparently not designed
> to facilitate the maximum reuse of local IP addresses that is
> physically possible through attaching computers with the same address
> to different disjoint routers or switches.
> 
> John Savard
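The marking-plus-policy-routing setup the reply describes, written out as an added example (not code from either poster): connections from 192.168.0.1 and 192.168.0.2 arriving on eth0 are marked with CONNMARK/MARK in mangle PREROUTING, and "ip rule" sends each mark to its own routing table with a default route out of eth1 or eth2. The next-hop addresses 10.1.0.1/10.2.0.1, the table ids 101/102 and the marks 1/2 are assumed placeholders, not values from the thread; the DRY_RUN switch only prints the commands so the plan can be reviewed before it touches a live router.

```shell
# Added example, not from the thread. Assumed placeholders: next hops on
# eth1/eth2 are 10.1.0.1/10.2.0.1, routing tables 101/102, fwmarks 1/2.
ETH1_GW="${ETH1_GW:-10.1.0.1}"
ETH2_GW="${ETH2_GW:-10.2.0.1}"
# run: execute a command, or only print it when DRY_RUN is set, so the
# rule set can be checked before changing a live firewall/router.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}
# mark_source SRC MARK: mark new connections from SRC in mangle PREROUTING,
# i.e. before the routing decision, and save the mark on the conntrack entry.
mark_source() {
    src="$1"; mark="$2"
    run iptables -t mangle -A PREROUTING -i eth0 -s "$src" \
        -m conntrack --ctstate NEW -j MARK --set-mark "$mark"
    run iptables -t mangle -A PREROUTING -i eth0 -s "$src" \
        -m conntrack --ctstate NEW -j CONNMARK --save-mark
}
# route_by_mark MARK TABLE DEV GW: packets carrying MARK are looked up in
# TABLE, whose default route leaves via DEV through GW.
route_by_mark() {
    mark="$1"; table="$2"; dev="$3"; gw="$4"
    run ip route replace default via "$gw" dev "$dev" table "$table"
    run ip rule add fwmark "$mark" table "$table"
}
setup_policy_routing() {
    # Put a saved connection mark back on later packets of the same flow first,
    # so only a connection's first packet has to match the -s rules.
    run iptables -t mangle -A PREROUTING -i eth0 -j CONNMARK --restore-mark
    mark_source 192.168.0.1 1
    mark_source 192.168.0.2 2
    route_by_mark 1 101 eth1 "$ETH1_GW"
    route_by_mark 2 102 eth2 "$ETH2_GW"
    # FORWARD rules only filter what the tables above have already routed;
    # on their own they never choose the outgoing interface.
    run iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.1 -j ACCEPT
    run iptables -A FORWARD -i eth0 -o eth2 -s 192.168.0.2 -j ACCEPT
}
# Run as: sh policy_route.sh apply   (or DRY_RUN=1 sh policy_route.sh apply)
if [ "${1:-}" = "apply" ]; then
    setup_policy_routing
fi
```

Strict reverse-path filtering (net.ipv4.conf.*.rp_filter=1) can drop the replies that come back on eth1 or eth2 once routing is asymmetric, so check that setting on the interfaces involved.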



Thread

Misconception Regarding Iptables Quadibloc <jsavard@ecn.ab.ca> - 2013-01-02 15:23 -0800
  Re: Misconception Regarding Iptables David Hough <noone$$@llondel.org> - 2013-01-03 07:37 +0000
  Re: Misconception Regarding Iptables Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> - 2013-01-05 00:05 +0100
