- 07-14-2011 #1 (Just Joined!, Join Date: Jul 2011, Posts: 4)
iptables with vlans and duplicate IPs
Hi,
I'm a Linux newbie, but a long term Windows admin, so please go easy on me as I come over to this side.
I'm setting up a test lab situation where multiple computers will have the same IP addresses, so they need vlan separation. For example, a group of virtual machines will have IPs 192.168.1.200, 192.168.1.201, etc. And another group of virtual machines will also have the same IPs.
I want to provide NAT mappings to each of the virtual machines so that each of them can be publicly accessible.
So basically I want the iptables NAT mapping to point to a specific interface and allow multiple duplicate IPs to co-exist.
Is this possible with a single Ubuntu device? I'm using virtual networking fabric so I don't have a physical network device in-between all of these.
Here's a diagram to represent it:
[image: iptables_routing.jpg]
(being new to these forums I can't show an image from another site with a larger version, so here's a larger image that you'll need to manually navigate to: weblogs.asp.net/blogs/owscott/iptables_routing.PNG)
My NAT rules may be something like this:

Code:
iptables -t nat -I PREROUTING -d 72.73.74.75 -j DNAT --to-destination 192.168.1.200 -o eth1.5
iptables -t nat -I POSTROUTING -s 192.168.1.200 -j SNAT --to-source 72.73.74.75 -i eth1.5

It's the -i and -o that seem to only work with the public NIC, so that's the part that I couldn't quite get working.
Any suggestions on which way to go to achieve this?
- 07-14-2011 #2
[EDIT] Sorry, I just now took a look at your picture and now I understand why you've got postrouting rules. See here. You're interested in SNAT (source nat). [/EDIT]

Code:
iptables -t nat -I PREROUTING -d 72.73.74.75 -j DNAT --to-destination 192.168.1.200 -o eth1.5
iptables -t nat -I POSTROUTING -s 192.168.1.200 -j SNAT --to-source 72.73.74.75 -i eth1.5
Last edited by Kloschüssel; 07-14-2011 at 06:21 AM.
- 07-14-2011 #3
Thanks for the reply.
That's what I'm doing, I believe. I need both SNAT and DNAT, one for each direction.
The issue I run into is that when I try the -i eth1.5 on the SNAT it says "Can't use -i with POSTROUTING".
What am I missing in my perspective that I can't specify the interface both directions? Or, is there anything else that I'm overlooking to be able to accomplish this?
- 07-15-2011 #4
POSTROUTING is done after the packet has been routed through your system. Thus the packet is no longer inbound (-i) but outbound (-o).
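A small check, added here and not part of the thread, that encodes which interface match each nat chain accepts (the reason for the "Can't use -i with POSTROUTING" error above) and then prints a 1:1 DNAT/SNAT pair with the matches on the side each chain can actually see. Addresses and interface names are the thread's; the helper function names are made up for this example.

```shell
#!/bin/sh
# Constructed example: the interface matches iptables allows in each nat chain.
#   PREROUTING : packet not routed yet, so only the input interface (-i) is known
#   POSTROUTING: packet already routed, so only the output interface (-o) is known
#   OUTPUT     : locally generated, so only the output interface (-o) is known

# Print the interface option a nat chain accepts; fail on an unknown chain.
nat_chain_allows() {
    case "$1" in
        PREROUTING)          echo "-i" ;;
        POSTROUTING|OUTPUT)  echo "-o" ;;
        *)                   return 1 ;;
    esac
}

# check_nat_rule CHAIN OPTION: print OK, or the same complaint iptables gives,
# and return 1 when the option cannot be used in that chain.
check_nat_rule() {
    chain=$1; opt=$2
    allowed=$(nat_chain_allows "$chain") || { echo "unknown nat chain $chain"; return 1; }
    if [ "$opt" = "$allowed" ]; then
        echo "OK: $opt is valid in $chain"
    else
        echo "Can't use $opt with $chain"
        return 1
    fi
}

# one_to_one_nat PUBLIC_IP PRIVATE_IP PUBLIC_IF VLAN_IF
# Emit the rules for one public address mapped to one VLAN-side host.
# DNAT matches the inbound interface in PREROUTING; SNAT matches the outbound
# interface in POSTROUTING. Note that POSTROUTING cannot see -i, so two VLANs
# that both hold 192.168.1.200 are indistinguishable here by -s alone, which is
# exactly the limitation the thread runs into.
one_to_one_nat() {
    pub=$1; priv=$2; pub_if=$3; vlan_if=$4
    cat <<EOF
iptables -t nat -A PREROUTING -i $pub_if -d $pub -j DNAT --to-destination $priv
iptables -t nat -A POSTROUTING -o $pub_if -s $priv -j SNAT --to-source $pub
iptables -A FORWARD -i $pub_if -o $vlan_if -d $priv -j ACCEPT
iptables -A FORWARD -i $vlan_if -o $pub_if -s $priv -j ACCEPT
EOF
}

# Usage: the rule from post #3 is rejected, the corrected pair is printed.
check_nat_rule POSTROUTING -i || true
one_to_one_nat 72.73.74.75 192.168.1.200 eth0 eth1.5
```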
- 07-15-2011 #5
Thanks Lazydog. Fair enough. How do I set this up then?
I realize that just the PREROUTING / DNAT policy is all that is needed for my testing. The default masquerade rule I already have set up is sufficient for the traffic from the internal VM to the internet.
So how do I tell my PREROUTING / DNAT policy to use 192.168.1.200 from interface eth1.5?
Ah, maybe I'm on to something. Would I use a -i OUTPUT policy? Maybe this will work, although I have some setup to do to test it fully:

Code:
iptables -t nat -I PREROUTING -d 73.74.75.76 -j DNAT --to-destination 192.168.1.200 -i eth0
iptables -t nat -I OUTPUT -d 73.74.75.76 -j DNAT --to-destination 192.168.1.200 -o eth1.5

Actually, I see that OUTPUT is for packets originating from the Ubuntu server itself, so that's not it. Is it something along these lines?
- 07-18-2011 #6
I am trying to figure out what it is that you are wanting to do. Sounds like you have, for example, 4 VMs that you want users from the internet to connect to. Let's say all the VMs are running web sites and all are using port 80. You only have 1 public IP address. You are not going to be able to route port 80 to all 4 VMs because the firewall doesn't know which VM you want the port 80 traffic to go to.
- 07-18-2011 #7
Hi Robert. Thanks for your reply again.
Actually I'm doing something the other way around, kind of.
I have as many public IPs as I need, so that's not the problem. For this example, let's just say that I have two servers. Server01 and Server02. The problem is that I *must* give them the same IP address because they are used for a training lab with specific instructions on how to use them.
So,
- Server1 -> VLAN5 -> 192.168.1.200
- Server2 -> VLAN6 -> 192.168.1.200
- Ubuntu01 w/ iptables. More below.
The IPs assigned to Ubuntu01 are:
- Public Management 72.73.74.74 (eth0)
- Public for NAT 72.73.74.75 (eth0)
- Public for NAT 72.73.74.76 (eth0)
- Private for NAT 192.168.1.1 (eth1.5)
- Private for NAT 192.168.1.1 (eth1.6)
Notice the duplicate IPs, but in different VLANs.
I want to route 72.73.74.75 to 192.168.1.200 on VLAN5 and 72.73.74.76 to 192.168.1.200 on VLAN6. I want both DNAT and SNAT, but I'm only worried about DNAT for now. SNAT should be straightforward.
So I believe that I need PREROUTING DNAT + maybe a POSTROUTING rule to bind the incoming DNAT request to the particular eth1.5 / eth1.6 interface.
Thanks!
- 07-20-2011 #8
I am unsure why you need 2 servers with the same IP address, but I can tell you it isn't going to work. You will get an IP error when you have more than one system with the same IP address on the network.
You might want to re-think your training lab.