

Groups > comp.os.linux.networking > #1890 > unrolled thread

Misconception Regarding Iptables

Started by: Quadibloc <jsavard@ecn.ab.ca>
First post: 2013-01-02 15:23 -0800
Last post: 2013-01-05 00:05 +0100
Articles: 3 — 3 participants



Contents

  Misconception Regarding Iptables Quadibloc <jsavard@ecn.ab.ca> - 2013-01-02 15:23 -0800
    Re: Misconception Regarding Iptables David Hough <noone$$@llondel.org> - 2013-01-03 07:37 +0000
    Re: Misconception Regarding Iptables Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> - 2013-01-05 00:05 +0100

#1890 — Misconception Regarding Iptables

From: Quadibloc <jsavard@ecn.ab.ca>
Date: 2013-01-02 15:23 -0800
Subject: Misconception Regarding Iptables
Message-ID: <09056cb1-54ce-4bb0-b06f-48520a5d7cfe@px4g2000pbc.googlegroups.com>
I'm trying to use iptables to do some custom routing of packets from
one network between two other networks.

I found it very odd that in PREROUTING, where one can specify DNAT,
one can't use the -o command. In searching for help with my
difficulty, it was noted that the command "ip" would be used to set up
another layer of Linux networking for purposes of routing.

I'm trying, with commands like

iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.1
iptables -A FORWARD -i eth0 -o eth2 -s 192.168.0.2

to direct communications from two computers on eth0 to two different
destinations; I'm also doing some address translation with PREROUTING
commands as well.

It seems that despite 192.168.x.x and 10.x.x.x addresses belonging to
a private space, there is some assumption that if the same IP address
can be reached, say, through eth1 and eth2, that will lead to the same
thing, and the Linux routing mechanism is designed with that in mind.

Similarly, I can give the command "telnet 192.168.1.1" and even
specify that I won't be using the default port 23, but there is no way
to specify that I want to telnet to the computer with IP address
192.168.1.1 that will be reached via eth1, as opposed to what could be
a completely different computer with the IP address 192.168.1.1 that
happens to be connected to the eth2 card.

So I think that I have a very fundamental misconception as to how
networking in Linux is designed to work; it's apparently not designed
to facilitate the maximum reuse of local IP addresses that is
physically possible through attaching computers with the same address
to different disjoint routers or switches.

John Savard



#1893

From: David Hough <noone$$@llondel.org>
Date: 2013-01-03 07:37 +0000
Message-ID: <13pfr9-eva.ln1@llondel.org>
In reply to: #1890
Quadibloc wrote:

> I'm trying to use iptables to do some custom routing of packets from
> one network between two other networks.
> 
> I found it very odd that in PREROUTING, where one can specify DNAT,
> one can't use the -o command. In searching for help with my
> difficulty, it was noted that the command "ip" would be used to set up
> another layer of Linux networking for purposes of routing.
> 
> I'm trying, with commands like
> 
> iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.1
> iptables -A FORWARD -i eth0 -o eth2 -s 192.168.0.2
> 
> to direct communications from two computers on eth0 to two different
> destinations; I'm also doing some address translation with PREROUTING
> commands as well.
> 
You need to use the ip rule subcommand and the connmark feature of iptables 
to encourage packets to go different ways by marking based on the source 
address and adding rules to use different routeing tables based on the mark. 
The iptables command is not in itself concerned with routeing of packets, it 
needs extra help to achieve that.

> It seems that despite 192.168.x.x and 10.x.x.x addresses belonging to
> a private space, there is some assumption that if the same IP address
> can be reached, say, through eth1 and eth2, that will lead to the same
> thing, and the Linux routing mechanism is designed with that in mind.
> 
Your expectation is different to mine then. I would expect that for a given 
IP address, if there is more than one route provided, either can be used. 
There may be other reasons to prefer one over another, such as time of day, 
but that's usually achieved by other means. I would expect all systems to do 
this, not just Linux.

> Similarly, I can give the command "telnet 192.168.1.1" and even
> specify that I won't be using the default port 23, but there is no way
> to specify that I want to telnet to the computer with IP address
> 192.168.1.1 that will be reached via eth1, as opposed to what could be
> a completely different computer with the IP address 192.168.1.1 that
> happens to be connected to the eth2 card.
> 
No, if it's the same IP address then it should be the same computer. If 
you're using different port numbers then a bit of network address 
translation can be used to forward the connection on to different computers 
with different IP addresses.

> So I think that I have a very fundamental misconception as to how
> networking in Linux is designed to work; it's apparently not designed
> to facilitate the maximum reuse of local IP addresses that is
> physically possible through attaching computers with the same address
> to different disjoint routers or switches.
> 
> John Savard



#1902

From: Pascal Hambourg <boite-a-spam@plouf.fr.eu.org>
Date: 2013-01-05 00:05 +0100
Message-ID: <kc7n7k$2f5k$1@saria.nerim.net>
In reply to: #1890
Hello,

Quadibloc wrote:
> I'm trying to use iptables to do some custom routing of packets from
> one network between two other networks.

Big misconception regarding iptables, indeed.
Iptables does not do routing but packet filtering and mangling. It can
only help in routing by marking packets with marks which can then be
used for routing.

> I found it very odd that in PREROUTING, where one can specify DNAT,
> one can't use the -o command.

Why do you find it odd? The -o option (not command) is used to match
(not route) packets with the specified output interface. But in the
PREROUTING chain, before the routing decision takes place, the output
interface is not known yet.

> In searching for help with my
> difficulty, it was noted that the command "ip" would be used to set up
> another layer of Linux networking for purposes of routing.

The ip command does not "set up another layer of Linux networking for
purposes of routing". It just sets up the IP routing in the Linux kernel.

> I'm trying, with commands like
> 
> iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.1
> iptables -A FORWARD -i eth0 -o eth2 -s 192.168.0.2

These rules have no target, so they do not have any effect.

> to direct communications from two computers on eth0 to two different
> destinations;

I repeat: iptables does not direct anything anywhere. It just does
packet filtering and mangling, i.e. decide whether packets are accepted
or dropped, or change some parts of the packets.

> It seems that despite 192.168.x.x and 10.x.x.x addresses belonging to
> a private space, there is some assumption that if the same IP address
> can be reached, say, through eth1 and eth2, that will lead to the same
> thing, and the Linux routing mechanism is designed with that in mind.

Huh? What do you mean?

> Similarly, I can give the command "telnet 192.168.1.1" and even
> specify that I won't be using the default port 23, but there is no way
> to specify that I want to telnet to the computer with IP address
> 192.168.1.1 that will be reached via eth1, as opposed to what could be
> a completely different computer with the IP address 192.168.1.1 that
> happens to be connected to the eth2 card.

Of course not. Haven't you heard about address uniqueness, which is one
of the paradigms of the IP protocol?

> So I think that I have a very fundamental misconception as to how
> networking in Linux is designed to work; it's apparently not designed
> to facilitate the maximum reuse of local IP addresses that is
> physically possible through attaching computers with the same address
> to different disjoint routers or switches.

I think you have a fundamental misconception about how the IP protocol,
addressing and routing are designed to work in general, not only in the
Linux kernel.




