Networking Forums

IP address block shifting

Innocenti Maresin
08-11-2006, 09:44 AM
Hello!

I have a server connected to 2 networks which overlap in IPv4 address space.
So I need to translate e.g. [10.4.x.y] on eth2 to [10.244.x.y] in the server's internal representation.
"iptables -j SNAT" is unable to do this because it's only applicable to POSTROUTING,
not to any incoming packets.
Maybe "ip route add nat" could do so, but I always get "connect: Invalid argument"
when I (locally) use a translated address, even after "ip rule add ... nat ...".
Also there is a rumour that "ip route add nat" is considered obsolete.

Is there some way to shift an IP address block on some given interface?
Of course, I can modify kernel sources.



--
qq~~~~\ [ FOR IP WITHOUT CENSORSHIP ]
/ /\ \ [ inCTV News ]
\ /_/ /
\____/
David Schwartz
08-11-2006, 11:56 PM

Innocenti Maresin wrote:

> I have a server connected to 2 networks which overlap in IPv4 address space.
> So I need to translate e.g. [10.4.x.y] on eth2 to [10.244.x.y] in the server's
> internal representation.


Can you explain what you mean? You are using terms in strange ways. For
example, what does "overlap" mean? And what is an "internal server's
representation"?

DS

Innocenti Maresin
08-12-2006, 07:48 AM
OK, both networks use 10.0.0.0/8 (RFC1918) for their private IPs.
Common server software can't distinguish between
"[10.0.0.1] at network A" and "[10.0.0.1] at network B" client connections.
I need to move at least one IPv4 block to some other location
so a service process could think that it reads from (sends to) remote address [10.(C+z).x.y]
when packets really go from/to [10.z.x.y] on some interface. (C is a constant)

Ipfilter NAT (-j SNAT etc.) is inadequate.

So-called FastNAT (ip route add nat) is obscure and seems not to work in this case even on Linux 2.4.
With an appropriate "ip rule add" the kernel does not allow using NATted addresses (Invalid argument);
without "ip rule add" all packets are silently discarded.



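The block shift asked for in the two posts above (10.4.x.y arriving on eth2 seen locally as 10.244.x.y, and in general 10.z.x.y seen as 10.(C+z).x.y) is what the iptables NETMAP target does: a 1:1 mapping that replaces the network bits of an address and keeps the host bits. The script below is an added example and is not code from the thread or from any poster. It assumes the thread's values (interface eth2, real block 10.4.0.0/16, local view 10.244.0.0/16), prints the `ip` and `iptables` commands instead of running them, and carries a small `netmap_addr` function that reproduces the NETMAP arithmetic so the mapping can be checked without root. It goes beyond the /16 case in the first post: a /12 mapping covers the third post's general shift by a constant, here C = 240 for z = 0..15.

```shell
#!/bin/sh
# Added example (not from the thread): shifting a whole IPv4 block for the
# local host with the iptables NETMAP target (1:1 network mapping, nat table).
# Constructed values taken from the thread: peers in 10.4.0.0/16 reached on
# eth2 should appear to local services as 10.244.0.0/16. Interface and blocks
# are assumptions; override with IFACE=... REAL=... SHIFTED=... if needed.
set -eu

IFACE=${IFACE:-eth2}
REAL=${REAL:-10.4.0.0/16}
SHIFTED=${SHIFTED:-10.244.0.0/16}
SAMPLE_PEER=10.4.7.9   # constructed sample address inside REAL

# Dotted quad -> 32-bit integer and back, in plain POSIX sh arithmetic.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmap_addr ADDR TO_NET/PLEN
# Reproduces what NETMAP does to one address: the PLEN network bits come from
# TO_NET, the remaining host bits are kept from ADDR.
netmap_addr() {
    addr=$(ip2int "$1")
    to=$(ip2int "${2%/*}")
    plen=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    int2ip $(( (to & mask) | (addr & ~mask & 0xFFFFFFFF) ))
}

# NETMAP swaps network bits and keeps host bits, so both blocks must have the
# same prefix length; a mismatch would silently map into the wrong range.
same_prefix_len() {
    [ "${1#*/}" = "${2#*/}" ]
}

# shift_block_commands IFACE REAL SHIFTED
# Prints (does not run) the commands that make REAL on IFACE appear as
# SHIFTED to the host's own services. Pipe the output into sh as root to apply.
shift_block_commands() {
    iface=$1; real=$2; shifted=$3
    # Routing happens before the nat OUTPUT hook, so locally generated packets
    # addressed to the shifted block must already be routed to IFACE.
    echo "ip route add $shifted dev $iface"
    # Inbound connections arriving on IFACE from REAL: rewrite the SOURCE to
    # SHIFTED before local delivery. In the nat INPUT chain (Linux 2.6.36 and
    # later) NETMAP acts on the source address; conntrack un-translates the
    # replies. The -i match keeps a 10.4.x.y peer on the other network untouched.
    echo "iptables -t nat -A INPUT -i $iface -s $real -j NETMAP --to $shifted"
    # Locally originated connections to SHIFTED: in the nat OUTPUT chain NETMAP
    # acts on the DESTINATION, so rewrite it to REAL; conntrack maps the
    # replies' source back to SHIFTED.
    echo "iptables -t nat -A OUTPUT -d $shifted -j NETMAP --to $real"
}

main() {
    same_prefix_len "$REAL" "$SHIFTED" || {
        echo "prefix lengths of $REAL and $SHIFTED differ" >&2; return 1; }
    echo "# $SAMPLE_PEER is seen locally as $(netmap_addr "$SAMPLE_PEER" "$SHIFTED"); reverse: $(netmap_addr "$(netmap_addr "$SAMPLE_PEER" "$SHIFTED")" "$REAL")"
    shift_block_commands "$IFACE" "$REAL" "$SHIFTED"
}

main
```

Applying the printed commands needs root and a kernel whose nat table has an INPUT chain (2.6.36 or later); source NAT on inbound packets before local delivery is exactly the piece that was missing in 2006, which is why "-j SNAT" in POSTROUTING could not do this. Two caveats: after the OUTPUT rewrite the kernel re-routes the packet to the real destination, so the route to the real block must also lead to eth2 (policy routing if the real block is in use on the other interface as well), and the nat INPUT chain only affects traffic delivered to this host, not traffic it forwards.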
Innocenti Maresin
08-12-2006, 08:53 AM
Of course, I can connect two (and even more) networks with this so famous Linux,
but the task is not to connect.
I need a SERVER which could operate with both networks.
Grant, do you understand what the word SERVER means?
It's not a router, it's not a "bridge", not some kind of gateway.
Some idiots thought that the only way to use 2 networks on 1 box is to "connect".
Probably, some of these idiots took part in Linux kernel design,
and now the kernel rejects the *local* use of NATted IPs.
Nevertheless, it became well known that Linux is the world's greatest network OS.

But there are other tasks, for example to SERVE these networks.
Could the Linux kernel do it?


Grant
08-12-2006, 09:23 AM
On Sat, 12 Aug 2006 07:48:58 +0000, Innocenti Maresin <(E-Mail Removed)> wrote:

>OK, both networks use 10.0.0.0/8 (RFC1918) for their private IPs.
>Common server software can't distinguish between
>"[10.0.0.1] at network A" and "[10.0.0.1] at network B" client connections.


iproute2 seems like the missing piece for you here; it logically
connects networks by making the box a bridge. I've not used it;
it scales.

You can connect two networks with a few iptables rules, but the
method doesn't scale.

Grant.
--
http://bugsplatter.mine.nu/
Unruh
08-12-2006, 05:58 PM
Innocenti Maresin <(E-Mail Removed)> writes:

>OK, both networks use 10.0.0.0/8 (RFC1918) for their private IPs.
>Common server software can't distinguish between
>"[10.0.0.1] at network A" and "[10.0.0.1] at network B" client connections.
>I need to move at least one IPv4 block to some other location
>so a service process could think that it reads from (sends to) remote address [10.(C+z).x.y]
>when packets really go from/to [10.z.x.y] on some interface. (C is a constant)


You cannot. All 10.x.x.x will be thrown away at the first external router they meet.
Those are private addresses.

You can have your routers do NAT, but that is only worthwhile for outgoing
stuff. For incoming stuff you need to do something like port forwarding.


>Ipfilter NAT (-j SNAT etc.) is inadequate.


>So named FastNAT (ip route add nat) is obscure and seems not to work in this case even on Linux 2.4.
>With appropriate "ip rule add" the kernel does not allow to use natted addresses (Invalid argument),
>without "ip rule add" all packets are silently discarded.




Unruh
08-12-2006, 06:06 PM
Innocenti Maresin <(E-Mail Removed)> writes:

>Of course, I can connect two (and even more) networks with this so famous Linux
>But the task is not to connect.
>I need a SERVER which could operate with both networks.
>Grant, do you understand what the word SERVER means?
>It's not a router, it's not a "bridge", not a some kind of gateway.
>Some idiots thought that the only way to use 2 networks on 1 box is to "connect".
>Probably, some ot these idiots took part in Linux kernel design,
>and now the kernel rejects the *local* use of NATted IPs.
>Nevertheless, it became well known that Linux is the world's greatest network OS.


That is because the people who designed linux understood how the network
operates, which you do not. You imagine how the world should operate and
rail against it when it does not follow your preconceptions, rather than
learning how it actually does operate.

Why should anyone want to help you with your attitude?


>But there are another tasks, for example to SERVE these networks.
>Could Linux kernel do it?


A kernel is augmented by all kinds of programs. Yes, any Linux distribution
can link networks together. No, no Linux, or any other operating system, can
route from a 10.x.x.x net to another 10.x.x.x net through the public
network.

Now if you told us what you are trying to do instead of complaining about
why things do not work as you think they should, someone might be able to
help you.




Innocenti Maresin
08-12-2006, 08:07 PM
Unruh wrote:

> That is because the people who designed linux understood how the network
> operates, which you do not. You imagine how the world should operate and
> rail against it when it does not follow your preconceptions, rather than
> learning how it actually does operate.


> You cannot. all 10.x.x.x will be thrown away at the first external router they meet.
> Those are private addresses.


I see this newsgroup populated by creators of "bridges"
and masters of "external routers".
These routing gurus, followers of the iproute2 doctrine,
can't realize what such simple things as "service" and "inbound traffic" mean.
Maybe a host using two networks, each with its own private IPs, is impossible
in your goddamn Canada, but here it's possible and common.



Grant
08-12-2006, 09:56 PM
On Sat, 12 Aug 2006 20:07:45 +0000, Innocenti Maresin <(E-Mail Removed)> wrote:

>Unruh wrote:
>
>> That is because the people who designed linux understood how the network
>> operates, which you do not. You imagine how the world should operate and
>> rail against it when it does not follow your preconceptions, rather than
>> learning how it actually does operate.

>
>> You cannot. all 10.x.x.x will be thrown away at the first external router they meet.
>> Those are private addresses.

>
>I see this newsgroup populated by creators of "bridges"
>and masters of "external routers".
>These routing gurus, followers of the iproute2 doctrine,
>can't realize what such simple things as "service" and "inbound traffic" mean.
>Maybe a host using two networks, each with its own private IPs, is impossible
>in your goddamn Canada, but here it's possible and common.


Hey come on now -- I wrote the other day that it's trivial to link a couple of
localnet segments in iptables, but the method doesn't scale. Have
a look at the first few FORWARD rules of:

<http://bugsplatter.mine.nu/junkview/iptables-save>

That's the current firewall ruleset; note how the localnet segments are
combined for egress to the Internet via SNAT. Works for me.

Grant.
--
http://bugsplatter.mine.nu/
Baho Utot
08-13-2006, 12:04 AM
Innocenti Maresin wrote:

>
>
> Unruh wrote:
>
>> That is because the people who designed linux understood how the network
>> operates, which you do not. You imagine how the world should operate and
>> rail against it when it does not follow your preconceptions, rather than
>> learning how it actually does operate.

>
>> You cannot. all 10.x.x.x will be thrown away at the first external router
>> they meet. Those are private addresses.

>
> I see this newsgroup populated by creators of "bridges"
> and masters of "external routers".
> These routing guru, followers of iproute2 doctrine,
> can't realize what means so simple things as "service" and "inbound
> traffic". Maybe a host using two networks both with its own private IPs is
> impossible in your goddamn Canada, but here it's possible and common.
>
>
>


Depends upon what the two 10.x.x.x network addresses are.
I have two networks that have private addresses (192.168.1.0/24 and
192.168.15.0/24). They go out through a "Linux gateway router", then onto a
Linksys router that NATs them out to the inet.

Upon reading what you wanted to do, I could not grok it.

--
Dancin' in the ruins tonight
mail: echo onub-(E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
Tayo'y Mga Pinoy