Crazy iptables question...

My Linux box has 3 interfaces.

eth0 - connection to the internet.
eth1 - connection to a single machine (sysA), secluded network (netA).
eth2 - connection to a single machine (sysB), secluded network (netB).

Here's my task:
I need to create a setup where sysA and sysB can have the same network
configuration, (ie. IP Address and Gateway) and be NATted to an
internet address.

This would require:
eth0 to be set to 10.11.11.7
eth1 and eth2 to be set to 192.168.0.1
sysA and sysB to be set to 192.168.0.2
sysA NATted to 10.11.11.4
sysB NATted to 10.11.11.5

I'm also open to other possible suggestions....only requirement: sysA
and sysB must have the same IP Address and gateway address. Also
prefer to stay away from MAC Address dependant schemes.

Thanks in advance.
Thad T

Thad Trusler wrote:
> My Linux box has 3 interfaces.
>
> eth0 - connection to the internet.
> eth1 - connection to a single machine (sysA), secluded network (netA).
> eth2 - connection to a single machine (sysB), secluded network (netB).
>
> Here's my task:
> I need to create a setup where sysA and sysB can have the same network
> configuration, (ie. IP Address and Gateway) and be NATted to an
> internet address.
>
> This would require:
> eth0 to be set to 10.11.11.7
> eth1 and eth2 to be set to 192.168.0.1
> sysA and sysB to be set to 192.168.0.2
> sysA NATted to 10.11.11.4
> sysB NATted to 10.11.11.5
>
> I'm also open to other possible suggestions....only requirement: sysA
> and sysB must have the same IP Address and gateway address. Also
> prefer to stay away from MAC Address dependant schemes.

First of all, what the hell do You want this for...?

Anyways, here we go:

You will have to decide on the interface name how to route and NAT
Your packets. So You will use iptables rules like this:

Packets arriving on eth1 will be SNATted to 10.11.11.4 an then be
forwarded out via eth0 (I assume that this is what You want).
- Same goes for traffic from sysB. This direction, from sys{A,B} to
the outside, was the simpler one.

For the other way, things are a bit more complicated to achieve.
You will have to decide on the destination address which NIC to use
to deliver the packets (10.11.11.4 and .5, that is). Then, You will
DNAT these packets accordingly. Have a look at www.lartc.org and others
for how to do that.


This does not sound like a good idea. Jack.

--
----------------------------------------------------------------------
My personal reading of the string "MicroSoft" expands to "NanoWeak"...

jack <(E-Mail Removed)> wrote in message news:<c65o0d$k6k$03$(E-Mail Removed)>...
> Thad Trusler wrote:
> > My Linux box has 3 interfaces.
> >
> > eth0 - connection to the internet.
> > eth1 - connection to a single machine (sysA), secluded network (netA).
> > eth2 - connection to a single machine (sysB), secluded network (netB).
> >
> > Here's my task:
> > I need to create a setup where sysA and sysB can have the same network
> > configuration, (ie. IP Address and Gateway) and be NATted to an
> > internet address.
> >
> > This would require:
> > eth0 to be set to 10.11.11.7
> > eth1 and eth2 to be set to 192.168.0.1
> > sysA and sysB to be set to 192.168.0.2
> > sysA NATted to 10.11.11.4
> > sysB NATted to 10.11.11.5
> >
> > I'm also open to other possible suggestions....only requirement: sysA
> > and sysB must have the same IP Address and gateway address. Also
> > prefer to stay away from MAC Address dependant schemes.
>
> First of all, what the hell do You want this for...?
>
> Anyways, here we go:
>
> You will have to decide on the interface name how to route and NAT
> Your packets. So You will use iptables rules like this:
>
> Packets arriving on eth1 will be SNATted to 10.11.11.4 an then be
> forwarded out via eth0 (I assume that this is what You want).
> - Same goes for traffic from sysB. This direction, from sys{A,B} to
> the outside, was the simpler one.
>
> For the other way, things are a bit more complicated to achieve.
> You will have to decide on the destination address which NIC to use
> to deliver the packets (10.11.11.4 and .5, that is). Then, You will
> DNAT these packets accordingly. Have a look at www.lartc.org and others
> for how to do that.
>
>
> This does not sound like a good idea. Jack.


Thanks for the info, Jack.

You're right, terrible idea...but I do have a reason.

Image a classroom environment where all systems are Ghosted and built
before the class begins. Now imagine the Ghosted image contains a
brain-dead application that has issues with a changing IP/hostname
(WebSphere comes to mind, there are others.)

Now imagine being able to Ghost as many systems as you need behind
your handy-dandy linux router without modifying the systems when they
finish.

Now the big one...take it to the Virtual Machine realm where your
Ghost is merely a file copy.

Even if I get this to work, it's really only necessary when the
customer application can't be automated easily to handle an IP address
change. (Operative work being easily. I won't be doing the work.)

Thad