Networking Forums


iptables: fake ip using DNAT and SNAT

 
 
Bjørnar Libæk
04-03-2006, 07:16 AM
Is it possible to do the following with iptables:

Computer A runs iptables, and communicates with B. What I want is to
manipulate the IP address of B (using iptables at A), so that the
applications running on computer A only see a "fake" address for B.

The job should not be difficult. When packets arrive at A matching B's
real IP address, replace the source address with the fake one. When packets
originate at A with the fake IP as destination address, replace it
with B's real address (a simple one-to-one mapping).

The problem: SNAT (source address manipulation) is only performed in the
POSTROUTING chain, and DNAT (destination address manipulation) is only
performed in the PREROUTING chain. I guess what I want is the opposite?


Thanks for any help!
 
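The mapping asked for above can be written as one nat rule per direction of initiation, because connection tracking reverses the translation on every reply. The script below is an added example written for this edit, not code from the thread or from the Hamachi project. It assumes a peer whose real Hamachi address is 5.1.2.3, a fake address 192.168.100.2 that only the local application sees, a second constructed peer, and a tunnel interface ham0 (the one detail the thread itself names); it also assumes a kernel with the nat INPUT chain (roughly 2.6.36 and later), which did not exist when this was posted.

```shell
#!/bin/sh
# Added example: one-to-one address aliasing for a VPN peer, done on the
# local host only. Not code from the thread or from Hamachi. Addresses and
# the peer list are constructed; ham0 is the tunnel interface from the thread.
#
# Why two rules, not four: the nat table only sees the first packet of a
# connection. Connection tracking stores the translation and reverses it
# on every reply, so a rule is needed per direction of *initiation* only,
# and peer B never sees the fake address.

# Print the commands for one peer. Arguments: REAL FAKE IFACE.
nat_rules() {
    real=$1; fake=$2; dev=$3
    # A -> B. DNAT is valid in the nat OUTPUT chain for locally generated
    # packets, not only in PREROUTING. Replies arrive from REAL and
    # conntrack rewrites their source back to FAKE before the socket sees them.
    printf 'iptables -t nat -A OUTPUT -d %s -j DNAT --to-destination %s\n' \
        "$fake" "$real"
    # B -> A. For connections B initiates, SNAT in the nat INPUT chain
    # rewrites the source to FAKE for local delivery. This chain exists in
    # kernels from about 2.6.36; on a 2006 kernel only the A -> B half works.
    printf 'iptables -t nat -A INPUT -i %s -s %s -j SNAT --to-source %s\n' \
        "$dev" "$real" "$fake"
    # FAKE needs a route so the first lookup succeeds; the kernel re-routes
    # to REAL's route after the DNAT in OUTPUT.
    printf 'ip route replace %s/32 dev %s\n' "$fake" "$dev"
}

# Constructed peer list: REAL FAKE per line. The fake addresses share one
# /24, which is the "same class C" constraint from the thread.
PEERS='5.1.2.3 192.168.100.2
5.4.5.6 192.168.100.3'
IFACE=ham0

# "apply" runs the commands (needs root and iptables); anything else just
# prints them for review.
alias_peers() {
    mode=${1:-print}
    echo "$PEERS" | while read -r real fake; do
        [ -n "$real" ] || continue
        nat_rules "$real" "$fake" "$IFACE" | while read -r cmd; do
            if [ "$mode" = apply ]; then
                $cmd || { echo "failed: $cmd" >&2; exit 1; }
            else
                echo "$cmd"
            fi
        done
    done
}

# After "apply": the installed rules plus the live conntrack entries, which
# show each translation stored once and reversed for the reply direction
# (needs the conntrack tool from conntrack-tools).
show_translations() {
    iptables -t nat -S OUTPUT
    iptables -t nat -S INPUT
    conntrack -L 2>/dev/null | grep -E '5\.1\.2\.3|192\.168\.100\.'
}

alias_peers "$@"
if [ "${1:-}" = apply ]; then
    show_translations
fi
```

Two caveats a practitioner will want. First, hook ordering: nat OUTPUT (DNAT) runs before filter OUTPUT, and filter INPUT runs before nat INPUT (SNAT), so any filter rules on A keep matching the real 5.x addresses; write them against those, not the fake ones. Second, these rules change only how A sees its peers; A's own address on ham0 stays whatever Hamachi assigned, so an application that also compares its local address against the peers' subnet still sees a mismatch. If the real addresses of several peers happened to fall in one prefix, the NETMAP target (valid in the same chains) maps whole prefixes in a single rule; with scattered 5.x addresses, one DNAT/SNAT pair per host is the fit.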
Davide Bianchi
04-03-2006, 07:45 AM
On 2006-04-03, Bjørnar Libæk <(E-Mail Removed)> wrote:
> Computer A runs iptables, and communicates with B. What I want is to
> manipulate the IP address of B (using iptables at A), so that the
> applications running on computer A only see a "fake" address for B.


Ok, this is your solution, now explain your problem.

Davide

--
"I can't decide whether to commit suicide or go bowling."
-- Florence Henderson
 
 
Bjørnar Libæk
04-03-2006, 08:41 AM
Davide Bianchi wrote:

(...)

> Ok, this is your solution, now explain your problem.



If you must know I'm using hamachi (http://www.hamachi.cc) to connect
computers to a "virtual lan". Hamachi assigns IP address out of the
5.0.0.0/8 address pool, but I want the computers in my virtual LAN to
have addresses in the same class C subnet (because my application
requires it). The windows client for hamachi has an "aliasing" feature,
where you can map ip addresses and get the functionality I explained in
the previous post. The linux client doesn't have this feature, but I've
read in the hamachi discussion forum that iptables will probably do the
trick.
(http://forums.hamachi.cc/viewtopic.p...=aliasing+txt).
However, I've not yet seen the exact rules!!

Now, please get back to the topic
 
 
Grant
04-03-2006, 09:34 AM
On Mon, 03 Apr 2006 10:41:59 +0200, Bjørnar Libæk <(E-Mail Removed)> wrote:

>5.0.0.0/8 address pool, but I want the computers in my virtual LAN to


Non-allocated IPs should not be used for anything.

You have all of 10.0.0.0/8 to play in.

Grant.
--
Memento mori ( remember that you must die... )
 
 
Bjørnar Libæk
04-03-2006, 09:42 AM
Grant wrote:
> On Mon, 03 Apr 2006 10:41:59 +0200, Bjørnar Libæk <(E-Mail Removed)> wrote:
>
>
>>5.0.0.0/8 address pool, but I want the computers in my virtual LAN to

>
>
> Non-allocated IPs should not be used for anything.
>
> You have all of 10.0.0.0/8 to play in.


Please direct your frustration to the hamachi developers, then. To
their defence, hamachi *is* tunneling, and the 5.0.0.0 addresses are not
routed in the Internet. Bet you didn't know that.

 
 
Davide Bianchi
04-03-2006, 09:45 AM
On 2006-04-03, Bjørnar Libæk <(E-Mail Removed)> wrote:
> If you must know I'm using hamachi (http://www.hamachi.cc) to connect
> computers to a "virtual lan". Hamachi assigns IP address out of the
> 5.0.0.0/8 address pool



Ah-ehmmm... so, with about a dozen different VPN solutions, you are using
one that is broken... I mean, every VPN product I've seen so far allows you
to use whichever IP subnet/class you want for your VPN; this is the only
one I've heard of that requires ITS OWN fixed, immutable IP class...

> have addresses in the same class C subnet (because my application
> requires it). The windows client for hamachi has an "aliasing" feature,
> where you can map ip addresses and get the functionality I explained in
> the previous post. The linux client doesn't have this feature


Well, you could "fake it" by aliasing the IP you want to a network interface
and then forcing the routing through the VPN link. As long as the machine
recognises the IP as its own and knows how to route the packets it should be
OK. But the question remains: why try to fix something that is obviously
broken using workarounds instead of using something that is not broken?

Davide

--
Oh, wow! Look at the moon!
 
 
Bjørnar Libæk
04-03-2006, 11:04 AM
Davide Bianchi wrote:

(...)

> Ah-ehmmm... so, with about a dozen different VPN solutions, you are using
> one that is broken... I mean, every VPN product I've seen so far allow you
> to use whichever IP subnet/class you want for your VPN, this is the only
> one I heard of that require HIS OWN fixed-unmutable ip class...


I agree, it would be nice to have the possibility to choose the address
range. The reason why I've chosen hamachi is the simple
"zero-configuration VPN" as well as allowing secure P2P communication.
And it's free. No need to set up a VPN server, as there is a centralised
server hosted by hamachi. I'm sure we could have a long discussion on
whether this is a good solution or not, but please spare me. I should
also mention that the linux version is 0.9.9.9, so classifying it as
"broken" may be unfair.

(...)


> But the question remains: why try to fix something that is obviously
> broken using workaround instead of using something that is not broken?


Well, if you could point me to some alternative solution, I'd be
grateful, but it should be as easy to set up as hamachi. I don't think
you can.
 
 
Bjørnar Libæk
04-03-2006, 11:05 AM
Davide Bianchi wrote:

(...)

> Well, you could "fake it" by aliasing the IP you want to a network interface
> and then force the routing throught the vpn link. As long as the machine
> recognise the IP as his own and know how to route the packets it should be
> ok.


Thanks, but I'm not sure what you mean. By "aliasing the IP" to a
network interface, you mean at computer B? This is not an option.
Computer B (and all other peers) should not be aware of the aliasing.
Maybe I totally misunderstand what you're saying...

At computer A, there is a virtual interface ham0, which is the tunnel
endpoint.
 
 
Davide Bianchi
04-03-2006, 11:28 AM
On 2006-04-03, Bjørnar Libæk <(E-Mail Removed)> wrote:
> Thanks, but I'm not sure what you mean. By "aliasing the the IP" to a
> network interface, you mean at computer B? This is not an option.
> Computer B (and all other peers) should not be aware of the aliasing.
> Maybe I totally missunderstand what you're saying..


Hummm... then I don't see how you could trick one into thinking that the
others have a different IP without telling the others. Even if you can
mangle the iptables rules, the machine that is supposed to receive the packets
will discard them or route them away because it won't recognize them
as 'its own'. But maybe someone else has a different idea.

Davide

--
All this wheeling and dealing around, why, it isn't for money, it's for
fun. Money's just the way we keep score.
 
 
Davide Bianchi
04-03-2006, 11:31 AM
On 2006-04-03, Bjørnar Libæk <(E-Mail Removed)> wrote:
> also mention that the linux version is 0.9.9.9, so classifying it as
> "broken" may be unfair.


In my world, everything that doesn't do what I want, the way I want,
is classified as "does not work" (addition: "for me").

> Well, if you could point me to some alternative solution, I'd be
> gratefull, but it should be as easy to setup as hamachi. I don't think
> you can


Well... it all boils down to what you mean for "easy". I had no trouble
in setting up OpenVPN, or Freeswan or Cipe... but if hamachi is so good
for you...

Maybe you should ask their developers. Frankly, I can't see how mangling
iptables could fix your problem. I hope (for you) that someone could prove
me wrong.

Davide

--
This life is a test. It is only a test. Had this been an actual life,
you would have received further instructions as to what to do and where
to go.
 
 
 
 