- 07-25-2010 #1
Routing - Forward all traffic to an ip to another ip
I need to be able to do the following:
Physical Router located at 192.168.40.1
On Ubuntu 10.04 Lucid machine:
eth0 with static ip 192.168.40.2
eth1 with static ip 192.168.40.3
eth2 with static ip 192.168.40.4
Associate a virtual address to eth1 with an entirely different network address such as 192.168.50.1
Do the same (virtual address) for eth2 -- e.g. 192.168.60.1
In the application:
register phone number A at 192.168.40.1 (The application will automatically use eth0 for this)
register phone number B at 192.168.50.1
register phone number C at 192.168.60.1
Somehow forward all traffic (including the register request) sent to 192.168.50.1 to 192.168.40.1 as if the register had been made directly to 192.168.40.1. In other words, the app "sends" registration and traffic to 192.168.50.1 but then Ubuntu forwards it to 192.168.40.1 (but the app does not know that).
Similarly, forward all traffic sent to 192.168.60.1 to the router at 192.168.40.1.
Do the same for the reverse, forward all traffic that the router sends back to 192.168.40.3 (eth1) to 192.168.50.1 (within the Ubuntu machine) so that the app knows it is for phone B.
Similarly forward all traffic that the router sends back to 192.168.40.4 (eth2) to 192.168.60.1 so that the app knows it is for phone C.
Thus, the application believes that it is registering at 3 completely separate routers on 3 completely separate networks via 3 separate network interfaces but in fact is really registering all three to the same router (but does not know that).
Similarly, the router believes that it is receiving 3 separate registrations because it receives each registration request and traffic from 3 separate interfaces and thus 3 separate mac addresses (i.e., of eth0, eth1, and eth2).
Traffic sent to and from the router for each of the 3 phone numbers (via eth0, eth1, and eth2) is not mixed because the translation happens in both directions.
I have been searching via google, looking into iptables, brctl, ipfwadm, etc and am lost.
Your help would be greatly appreciated.
Thanks
- 07-26-2010 #2
hi and welcome,
you cannot simply "forward" requests made to a device to another device. the source will likely get confused if he sends something to a device and gets the "RCV" from another, completely unrelated device.
usually one uses nat for these purposes. even though i don't quite understand why things must be so complicated as it would just work out of the box if you assign each interface the desired IP, send packets to the real server that should receive the packets and just set up routes to make sure the packets will be forwarded correctly if things are not working automatically. well, you'll have your reasons.
so, if I understood your problem, the most (and probably the only) interesting software manuals should be:
* iptables
* ifconfig
greetings
- 07-26-2010 #3
Kloschüssel,
Thank you for your post.
I unfortunately do need to do this complicated configuration to make it work.
I have been trying many things to get this configuration to work via iptables and ifconfig but am still at a loss as to how to do it successfully.
The latest that I have tried is as follows:
iptables -t nat -A PREROUTING -p tcp -d 192.168.50.1 --destination-port 5060 -j DNAT --to-destination 192.168.40.1
iptables -t nat -A POSTROUTING -o eth+ -p tcp -d 192.168.40.1 --destination-port 5060 -j SNAT --to-source 192.168.50.1
iptables -N TEST_RULE
iptables -A OUTPUT -p tcp -d 192.168.50.1 --destination-port 5060 -m state --state NEW -j TEST_RULE
iptables -A INPUT -p tcp --source-port :65535 -d 192.168.50.1 --destination-port 5060 -m state --state NEW -j TEST_RULE
iptables -A TEST_RULE -j LOG --log-level info --log-prefix "TEST_RULE -- ACCEPT "
iptables -A TEST_RULE -j ACCEPT
I found the above statements at linuxforums.org -> /forum/linux-networking/26153-forwarding-requests-another-ip-using-iptables.html
The last line in the above link was $IPTABLES -A TEST_RULE -j ACCEPT but $IPTABLES produces an error when executed in the console so I changed it to just iptables.
I set up a virtual address by the following command:
ifconfig eth5:1 192.168.50.1 netmask 255.255.255.255
The above settings did not work even just for the registration via tcp port 5060. Actually, I prefer not to restrict to tcp or by port and have the translation happen for all ports and packets.
If you or someone could help with the sequence of statements that will work, I would be so grateful. I am really stuck on this.
Thanks!!
- 07-27-2010 #4
Pretty unusual syntax. Likewise a ":65535" is not a valid port and "eth+" is a pretty strange interface. Correct these errors and consider reading the man pages to check whether each switch you're using there exists and really is used correctly the way you use it. From the logical point of view it should be fine.
- 07-28-2010 #5
Thanks!!
I nearly got it working but still no dice with the following couple commands (I am not sure if I need the TEST_RULE and SNAT ones. They did not seem to do anything. Below is an attempt without them.)
iptables -t nat -A OUTPUT -p all -d 192.168.40.3 -j DNAT --to-destination 192.168.40.1
(Note: -A PREROUTING did not work at all but -A OUTPUT got me closer)
iptables -t nat -A POSTROUTING -p all -j MASQUERADE
iptables -t nat -n -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DNAT all -- 0.0.0.0/0 192.168.40.3 to:192.168.40.1
"ping 192.168.40.3 -I eth1" and "ping 192.168.40.3" both work fine.
I can access the router and login to it via http to 192.168.40.3. Therefore port 80 is working.
route -n
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.40.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
0.0.0.0 192.168.40.1 0.0.0.0 UG 0 0 0 eth0
ip route show
192.168.40.1 dev eth0 proto static scope link
default via 192.168.40.1 dev eth0 proto static
ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
etc....
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
inet 192.168.40.2/32 brd 192.168.40.2 scope global eth0
etc....
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
inet 192.168.40.3/32 brd 192.168.40.3 scope global eth1
etc....
5: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
etc....
(eth2 is currently down)
In Asterisk 1.4.33.1, sip.conf
bindport=5060
bindaddr=0.0.0.0
rt200ne=192.168.40.1
rt200ne=192.168.40.3
register => 3:username:password@192.168.40.1/123456789
will register but
register => 3:username:password@192.168.40.3/123456789
will not register
Any ideas why ping and http to 192.168.40.3 are successfully directed to 192.168.40.1 but the asterisk registration to 192.168.40.3 on port 5060 is not? Any ideas as to things to try to fix this?
Thanks!!
- 07-28-2010 #6
you posted too much information and missed central points like where you started the ping.
i suppose the OUTPUT should be an INPUT (usually one redirects incoming packets, not outgoing) and you would also tell iptables which output interface should be used. furthermore these rules are really loosely configured and leave big holes open.
- 07-28-2010 #7
PREROUTE and POSTROUTE are where you change the packet addresses. The problem I am seeing is you are not binding them to an interface thus they are being applied to all interfaces. Try to only bind them to the interface that the packet is coming in on.
For example the following rule:
Code: iptables -t nat -A POSTROUTING -p all -j MASQUERADE
is applied to all traffic leaving all interfaces, which should not be required. The only time this is required is when traffic is leaving a private network heading to a public one so that the public network knows how to return to the private network.
This should only be applied to the interface that has a public address like so:
Code: iptables -t nat -A POSTROUTING -o <public interface> -j MASQUERADE
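One way to write the interface-bound rules post #7 calls for, as an added example that is not the thread's own code: it generates DNAT/SNAT rules for the OP's eth1/eth2 mappings and audits a nat dump for rules that name no interface. It assumes the DNAT belongs in OUTPUT (Asterisk runs on the same host, as posts #5 and #8 observe) and that a route actually sends the re-addressed packets out eth1/eth2; the routing table in post #5 sends everything via eth0, so the -o eth1 rule matches nothing until that is changed.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the interface-bound nat
# rules post #7 describes for the OP's layout (eth1 -> 192.168.50.1,
# eth2 -> 192.168.60.1, real router 192.168.40.1) and audits a nat dump
# for rules that carry no -i/-o binding. Rules are printed, not applied.
ROUTER=192.168.40.1
# "iface virtual_ip source_ip" triples taken from the OP's description
MAPPINGS="eth1 192.168.50.1 192.168.40.3
eth2 192.168.60.1 192.168.40.4"

# Emit the two nat rules for one mapping. The DNAT sits in OUTPUT because
# Asterisk runs on this host: locally generated packets never traverse
# PREROUTING, which is why the OP's PREROUTING attempt did nothing. The
# SNAT is bound to the egress interface instead of a blanket MASQUERADE.
gen_rules() {
  iface=$1 vip=$2 src=$3
  echo "iptables -t nat -A OUTPUT -d $vip -j DNAT --to-destination $ROUTER"
  echo "iptables -t nat -A POSTROUTING -o $iface -d $ROUTER -j SNAT --to-source $src"
}

# Read an 'iptables -t nat -S' dump on stdin and print the nat rules
# that name no interface, i.e. the ones that apply on every interface.
unbound_nat_rules() {
  grep -E -- '-j (SNAT|DNAT|MASQUERADE)' | grep -Ev -- ' -(i|o) [^ ]+ '
}

# Constructed dump resembling the OP's ruleset from post #5, plus one
# correctly bound SNAT rule for comparison.
SAMPLE_DUMP='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A POSTROUTING -j MASQUERADE
-A OUTPUT -d 192.168.40.3/32 -j DNAT --to-destination 192.168.40.1
-A POSTROUTING -o eth1 -d 192.168.40.1/32 -j SNAT --to-source 192.168.40.3'

echo "# generated rules (pipe into sh as root to apply):"
printf '%s\n' "$MAPPINGS" | while read -r iface vip src; do
  gen_rules "$iface" "$vip" "$src"
done
echo "# nat rules in the sample dump with no interface binding:"
printf '%s\n' "$SAMPLE_DUMP" | unbound_nat_rules
```

On a live box, replace the constructed dump with `iptables -t nat -S | unbound_nat_rules` to list the rules that still apply on every interface.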
- 07-29-2010 #8
I tried binding to the interfaces but it stopped working when I did so. Not sure why. Since asterisk is on the same server as the iptables, it appears that INPUT and PREROUTING don't have an effect.
It is strange that I can access, log into, and configure the router via firefox to 192.168.40.3 but asterisk cannot register via rt200ne=192.168.40.3
register => 3:username:password@192.168.40.3/phonenumber2
Do you know of any other tools or packages which could help?
Thanks
- 07-29-2010 #9
you have to re-route the packets if you want to change the ip addresses transparently. if you don't want to do it with iptables, pick another firewall that can do the job and configure it there.
still i don't get it why you want to register at a server, but refuse to address that server directly. this said I have serious doubts in the sense of this complicated setup. it is indeed a maintenance horror for another bro who has to take over your work. in the end I hardly believe that you make things more complicated than they need to be.
- 07-29-2010 #10
I would be happy with any tool that gets this done opensource or reasonably priced commercial. I just really need to find some kind of workaround for this.
Prior to the isp performing a mandatory firmware upgrade on all their internet access routers adding the phone/device/nic/mac address per phone number registration restriction on their router, I was able to just do each registration to the same destination 192.168.40.1 across 1 nic. It is unclear why they did that because it doesn't do anything for them but disrupts the use of one device for more than one phone number. Pretty crazy and frustrating. I can't do anything about that other than try to somehow work around this limitation. I really don't want to run and administer 3 separate servers just to get the 3 phone numbers to register. And the maintenance of that would be far worse.
Do you think iptables is the best route given that I have not gotten it working yet? Another tool or set of tools/apps that might work or other method?
I am still really baffled as to why 192.168.40.3 goes to 192.168.40.1 just fine when I use the 192.168.40.3 address in firefox but it chokes when I try to do so in the asterisk registration.
Thanks!!