  1. #1
    Just Joined!
    Join Date
    Jul 2011
    Posts
    4

    iptables with vlans and duplicate IPs


    Hi,

    I'm a Linux newbie, but a long term Windows admin, so please go easy on me as I come over to this side.

    I'm setting up a test lab situation where multiple computers will have the same IP addresses, so they need vlan separation. For example, a group of virtual machines will have IPs 192.168.1.200, 192.168.1.201, etc. And another group of virtual machines will also have the same IPs.

    I want to provide NAT mappings to each of the virtual machines so that each of them can be publicly accessible.

    So basically I want the iptables NAT mapping to point to a specific interface and allow multiple duplicate IPs to co-exist.

    Is this possible with a single Ubuntu device? I'm using virtual networking fabric so I don't have a physical network device in-between all of these.

    Here's a diagram to represent it:

    [attachment: iptables_routing.jpg]

    (being new to these forums I can't show an image from another site with a larger version, so here's a larger image that you'll need to manually navigate to: weblogs.asp.net/blogs/owscott/iptables_routing.PNG)

    My NAT rules may be something like this:

    Code:
    iptables -t nat -I PREROUTING -d 72.73.74.75 -j DNAT --to-destination 192.168.1.200 -o eth1.5
    iptables -t nat -I POSTROUTING -s 192.168.1.200 -j SNAT --to-source 72.73.74.75 -i eth1.5
    It's the -i and -o that seem to only work with the public NIC so that's the part that I couldn't quite get working.

    Any suggestions on which way to go to achieve this?

  2. #2
    Linux Engineer Kloschüssel
    Join Date
    Oct 2005
    Location
    Italy
    Posts
    773
    Code:
    iptables -t nat -I PREROUTING -d 72.73.74.75 -j DNAT --to-destination 192.168.1.200 -o eth1.5
    iptables -t nat -I POSTROUTING -s 192.168.1.200 -j SNAT --to-source 72.73.74.75 -i eth1.5
    [EDIT]Sorry, I just took a look at your picture now and I understand why you've got POSTROUTING rules. See here. You're interested in SNAT (source NAT).[/EDIT]
    Last edited by Kloschüssel; 07-14-2011 at 06:21 AM.

  3. #3
    Just Joined!
    Join Date
    Jul 2011
    Posts
    4
    Thanks for the reply.

    That's what I'm doing, I believe. I need both SNAT and DNAT, one for each direction.

    The issue I run into is that when I try the -i eth1.5 on the SNAT it says "Can't use -i with POSTROUTING".

    What am I missing in my perspective that I can't specify the interface both directions? Or, is there anything else that I'm overlooking to be able to accomplish this?

  4. #4
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    POSTROUTING is done after the packet has been routed through your system. Thus the packet is no longer inbound (-i) but outbound (-o).

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  5. #5
    Just Joined!
    Join Date
    Jul 2011
    Posts
    4
    Thanks Lazydog. Fair enough. How do I set this up then?

    I realize that just the PREROUTING / DNAT policy is all that is needed for my testing. The default masquerade rule I already have setup is sufficient for the traffic from the internal VM to the internet.

    So how do I tell my PREROUTING / DNAT policy to use 192.168.1.200 from interface eth1.5?

    Ah, maybe I'm on to something. Would I use an OUTPUT policy? Maybe this will work, although I have some setup to do to test it fully:

    Code:
    iptables -t nat -I PREROUTING -d 73.74.75.76 -j DNAT --to-destination 192.168.1.200 -i eth0
    iptables -t nat -I OUTPUT -d 73.74.75.76 -j DNAT --to-destination 192.168.1.200 -o eth1.5
    Actually, I see that OUTPUT is from packets originating from the Ubuntu server itself, so that's not it. Is it something along these lines?

  6. #6
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    I am trying to figure out what it is that you are wanting to do. Sounds like you have, for example, 4 VMs that you want users from the internet to connect to. Let's say all the VMs are running web sites and all are using port 80. You only have 1 public IP address. You are not going to be able to route port 80 to all 4 VMs because the firewall doesn't know which VM you want the port 80 traffic to go to.

    Regards
    Robert


  7. #7
    Just Joined!
    Join Date
    Jul 2011
    Posts
    4
    Hi Robert. Thanks for your reply again.

    Actually I'm doing something the other way around, kind of.

    I have as many public IPs as I need, so that's not the problem. For this example, let's just say that I have two servers. Server01 and Server02. The problem is that I *must* give them the same IP address because they are used for a training lab with specific instructions on how to use them.

    So,
    • Server1 -> VLAN5 -> 192.168.1.200
    • Server2 -> VLAN6 -> 192.168.1.200
    • Ubuntu01 w/ iptables. More below.


    The IPs assigned to Ubuntu01 are:
    • Public Management 72.73.74.74 (eth0)
    • Public for NAT 72.73.74.75 (eth0)
    • Public for NAT 72.73.74.76 (eth0)
    • Private for NAT 192.168.1.1 (eth1.5)
    • Private for NAT 192.168.1.1 (eth1.6)


    Notice the duplicate IPs, but in different VLANs.

    I want to route 72.73.74.75 to 192.168.1.200 on VLAN5 and 72.73.74.76 to 192.168.1.200 on VLAN6. I want both DNAT and SNAT, but I'm only worried about DNAT for now. SNAT should be straightforward.

    So I believe that I need PREROUTING DNAT + maybe a POSTROUTING rule to bind the incoming DNAT request to the particular eth1.5 / eth1.6 interface.

    Thanks!
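
    The script below is an added example for this thread; it is not code from any of the posters. It does two things. First, lint_rule reproduces the rule iptables enforces in #3 and #4: -i (input interface) is only meaningful on PREROUTING, INPUT and FORWARD, and -o (output interface) only on FORWARD, OUTPUT and POSTROUTING, so the two commands from #1 are rejected the same way iptables rejects them. Second, lab_rules prints a rule set for the layout in #7, where NAT alone cannot pick the VLAN interface for a duplicated 192.168.1.200: it marks packets before routing (by destination public IP, or by the VLAN interface they arrive on) and uses fwmark policy routing so that each mark looks up a routing table that only knows its own copy of 192.168.1.0/24; the SNAT in POSTROUTING then selects the public IP by mark, since POSTROUTING cannot match -i. The interface names, IPs and subnet are the ones from the thread; the mark/table numbers, the use of mangle/MARK plus ip rule, and the rp_filter setting are my additions and assumptions, and nothing is applied to the running system: every function only prints commands.

```shell
#!/bin/sh
# Added example for the thread above (not code from any poster).
#   lint_rule - rejects -i on post-routing chains and -o on pre-routing chains
#   lab_rules - prints per-VLAN NAT + policy-routing commands for the #7 layout
# Nothing is applied; both functions only print to stdout.

# netfilter hook semantics: the inbound interface is known at PREROUTING/INPUT/FORWARD;
# the outbound interface only exists once routing has run: FORWARD/OUTPUT/POSTROUTING.
IN_CHAINS="PREROUTING INPUT FORWARD"
OUT_CHAINS="FORWARD OUTPUT POSTROUTING"
LAB_NET="192.168.1.0/24"   # the subnet duplicated on every lab VLAN (from #7)

in_list() { # in_list WORD "LIST" -> 0 if WORD is one of the words in LIST
  for w in $2; do [ "$w" = "$1" ] && return 0; done
  return 1
}

# lint_rule "iptables ..." -> 0 if every interface match sits on a chain that can see it
lint_rule() {
  chain= prev= has_in=0 has_out=0
  for tok in $1; do
    case "$prev" in -A|-I|-D|-R|-C) chain=$tok ;; esac   # token after the command is the chain
    case "$tok" in -i) has_in=1 ;; -o) has_out=1 ;; esac
    prev=$tok
  done
  rc=0
  if [ $has_in = 1 ] && ! in_list "$chain" "$IN_CHAINS"; then
    echo "lint: Can't use -i with ${chain:-<no chain>}" >&2; rc=1
  fi
  if [ $has_out = 1 ] && ! in_list "$chain" "$OUT_CHAINS"; then
    echo "lint: Can't use -o with ${chain:-<no chain>}" >&2; rc=1
  fi
  return $rc
}

# lab_rules PUBLIC_IF PUBLIC_IP VLAN_IF LAB_IP MARK
# One public IP <-> one lab server, selected by VLAN interface rather than by its
# (duplicated) private IP. MARK is a constructed value reused as the table number.
lab_rules() {
  pubif=$1 pub=$2 vif=$3 lab=$4 mark=$5
  # sysctl spells interface names with '/' in place of '.', so eth1.5 -> eth1/5
  sysif=$(printf '%s' "$vif" | tr . /)
  cat <<EOF
# --- $pub <-> $lab via $vif (mark $mark) ---
# Classify before routing: packets for this public IP, and packets arriving from this VLAN.
iptables -t mangle -A PREROUTING -i $pubif -d $pub -j MARK --set-mark $mark
iptables -t mangle -A PREROUTING -i $vif -j MARK --set-mark $mark
# Marked packets consult a table that knows only this VLAN's copy of $LAB_NET;
# a lookup that finds no route there (e.g. toward the internet) falls through to main.
ip rule add pref $((100 + mark)) fwmark $mark lookup $mark
ip route add $LAB_NET dev $vif table $mark
# Strict reverse-path filtering ignores the mark and may pick the other VLAN's
# connected route; loose mode keeps the lab traffic from being dropped.
sysctl -w net.ipv4.conf.$sysif.rp_filter=2
# NAT: -i on PREROUTING, -o on POSTROUTING; SNAT picks the public IP by mark.
iptables -t nat -A PREROUTING -i $pubif -d $pub -j DNAT --to-destination $lab
iptables -t nat -A POSTROUTING -o $pubif -m mark --mark $mark -j SNAT --to-source $pub
# filter: forward only between this public interface and this VLAN.
iptables -A FORWARD -i $pubif -o $vif -d $lab -j ACCEPT
iptables -A FORWARD -i $vif -o $pubif -s $lab -j ACCEPT
EOF
}

# Run directly: show the lint catching the #1 rules, then print both VLANs' rule sets.
lint_rule "iptables -t nat -I POSTROUTING -s 192.168.1.200 -j SNAT --to-source 72.73.74.75 -i eth1.5" \
  || echo "(rejected, as iptables would)"
lab_rules eth0 72.73.74.75 eth1.5 192.168.1.200 5
lab_rules eth0 72.73.74.76 eth1.6 192.168.1.200 6
```

    The ordering matters: mangle PREROUTING runs before nat PREROUTING and before the routing decision, so the mark is present when the DNATed packet is routed to eth1.5 rather than eth1.6, and conntrack reverses the NAT on replies while the `-i eth1.N` and `-d PUBLIC_IP` rules mark them consistently in both directions. The sysctl line is the caveat most easily missed: with rp_filter=1 the reverse-path check does not consult the fwmark, so packets from the second VLAN's 192.168.1.200 can be silently dropped before any iptables rule sees them.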

  8. #8
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    I am unsure why you need 2 servers with the same IP address but I can tell you it isn't going to work. You will get an IP error when you have more than one system with the same IP address on the network.

    You might want to re-think your training lab.

    Regards
    Robert

