
Re: Whacky Iptables Wizardry



On Friday 20 June 2003 14:34, Lucas J Barbuto wrote:
> On Fri, Jun 20, 2003 at 12:34:40PM +1000, Tarragon Allen wrote:
> > ... now I'm confused.
>
> Yeah, sorry it's hard to know how much information is required.
>
> > Are your 12 IPs "real" IP addresses, or are they behind NAT?
>
> Yeah, they are real IPs.  It's like this:
>
>                                 + ISP's router (the Internet)
>
>
>                                 + 238
>
>
>                              +--+--- 224/28 network
>
>                              x
>
>                              + 237 +--- DSL ---+ the Internet
>
>
>                              + 234
>
> So 237 also has a DSL line plugged into it with an IP of 70.  Say the
> link between the 224/28 network and 237 (marked 'x') goes down (because
> we've pulled the plug to do some maintenance).  Can we tell 238 to
> re-route all traffic destined for 237 to its DSL IP address (70)?  Like
> packet mangling, can I change the destination IP in the headers, and
> send it back the way it came?  Will this work?

Ok, that makes more sense. Yes, it could be done; again I'd look at the 
transparent proxy iptables rules for some guidelines. Basically you want the 
238 router to SNAT/DNAT the other IPs and forward the request to another IP 
(your DSL external IP, I presume). On your DSL router you'll need to port 
forward requests through to the correct machines. Messy, and probably a 
little slow, but it should work.

Note that, as far as your servers will be concerned, all traffic will be 
originating from the 238 address for the duration of the outage.

The "correct" way to do this would be to announce your routes via BGP over the 
DSL link - this would assume that your DSL ISP would even accept them. It's a 
slightly neater way of doing it though - you might want to discuss with 
one/both of your ISPs.

> > You should add a static ARP entry on the machine at 238
>
> Yeah, that was the first thing I tried, but it didn't seem to work, I
> also thought that it wasn't the most elegant solution.  Even with a
> static entry, things seemed to mysteriously stop working after a short
> time.  As if the static entry were being ignored... this is a strange
> one... I'm probably doing something weird.

What does the arp table look like when it stops working? It might be that arp 
is saying "hey, there are two addresses on the same MAC" and removes one. 
Maybe putting a static entry in for both addresses on that MAC might work?

t
-- 
GPG: http://n12turbo.com/tarragon/public.key
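Added example, not part of the thread above: a small POSIX shell script that emits the iptables NAT rules the reply describes for the 238 router, so they can be reviewed as text before being applied and removed in one step when the 'x' link comes back. The addresses are constructed placeholders from the TEST-NET ranges (only the last octets follow the thread), and the upstream interface name `eth0` is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): iptables NAT rules for the 238 router
# so that traffic addressed to 237 is redirected to 237's DSL address while
# the direct link ('x' in the diagram) is down.
# All addresses are constructed placeholders; only the last octets match the
# thread. The interface name is an assumption.
PUBLIC_IP="192.0.2.237"    # 237's address on the 224/28 network
DSL_IP="198.51.100.70"     # 237's DSL-side address (the "70" in the thread)
ROUTER_IP="192.0.2.238"    # 238's address; servers will see this as the source
IFACE="eth0"               # upstream interface on 238 (assumption)

# Print the rules as text. Dedicated chains keep the outage configuration
# separate from the normal ruleset so it can be flushed cleanly afterwards.
failover_rules() {
    public="$1"; dsl="$2"; router="$3"; iface="$4"
    cat <<EOF
iptables -t nat -N FAILOVER_DNAT
iptables -t nat -N FAILOVER_SNAT
iptables -t nat -A PREROUTING -i $iface -d $public -j FAILOVER_DNAT
iptables -t nat -A POSTROUTING -o $iface -d $dsl -j FAILOVER_SNAT
iptables -t nat -A FAILOVER_DNAT -j DNAT --to-destination $dsl
iptables -t nat -A FAILOVER_SNAT -j SNAT --to-source $router
iptables -A FORWARD -i $iface -o $iface -d $dsl -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $iface -o $iface -s $dsl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Rules that undo the above once the 224/28 link is restored.
teardown_rules() {
    public="$1"; dsl="$2"; iface="$3"
    cat <<EOF
iptables -t nat -D PREROUTING -i $iface -d $public -j FAILOVER_DNAT
iptables -t nat -D POSTROUTING -o $iface -d $dsl -j FAILOVER_SNAT
iptables -D FORWARD -i $iface -o $iface -d $dsl -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -D FORWARD -i $iface -o $iface -s $dsl -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F FAILOVER_DNAT
iptables -t nat -F FAILOVER_SNAT
iptables -t nat -X FAILOVER_DNAT
iptables -t nat -X FAILOVER_SNAT
EOF
}

# Usage: ./failover.sh            print the rules (review mode, default)
#        ./failover.sh apply      apply them (needs root and ip_forward=1)
#        ./failover.sh teardown   remove them again
case "${1:-print}" in
    apply)    failover_rules "$PUBLIC_IP" "$DSL_IP" "$ROUTER_IP" "$IFACE" | sh ;;
    teardown) teardown_rules "$PUBLIC_IP" "$DSL_IP" "$IFACE" | sh ;;
    *)        failover_rules "$PUBLIC_IP" "$DSL_IP" "$ROUTER_IP" "$IFACE" ;;
esac
```

The SNAT in POSTROUTING is what makes the detour work: without it, 237's replies would leave the DSL side addressed straight to the original client with the DSL address as source, and the client would discard them because it sent to the 224/28 address. It is also the reason for the caveat in the reply that every connection appears to come from 238 during the outage, which is worth remembering when reading server logs or handling abuse reports for that period.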


