Overlapping subnets
- Using policy routing to handle overlapping subnets.

Scenario: a Linux gateway (T1) with three Ethernet cards, eth0, eth1 and eth2. Two PLCs carry the same address, 10.0.0.1, and each hangs off its own interface:

  10.0.0.1 (plc1)       <-> eth1@T1   10.0.0.101/24
  10.0.0.1 (plc2)       <-> eth2@T1   10.0.0.102/24
  192.168.3.155 (xp)    <-> eth0:1@T1 192.168.3.201/24  (NAT to plc1 on eth1)
  192.168.3.155 (xp)    <-> eth0:2@T1 192.168.3.202/24  (NAT to plc2 on eth2)

The XP PC needs to talk to both PLCs through the NATted addresses. A ping from xp to plc1 travels:

  xp  [s=192.168.3.155, d=192.168.3.201]
   -> T1 PREROUTING DNAT   [s=192.168.3.155, d=10.0.0.1 (eth1)]
   -> T1 POSTROUTING SNAT  [s=10.0.0.101,    d=10.0.0.1 (eth1)]
   <- reply from 10.0.0.1 (plc1), reverse-translated by conntrack

The difficulty is that after DNAT both flows are addressed to 10.0.0.1, and a normal route lookup cannot tell the two PLCs apart. The script below therefore tags each connection with a CONNMARK chosen from the NATted destination (101 for .201, 102 for .202) or from the PLC-side interface it arrived on, restores that mark onto every packet, and uses ip rule to send mark 101 to routing table 101 (10.0.0.0/24 via eth1) and mark 102 to table 102 (10.0.0.0/24 via eth2). The nat rules match on the same mark so the DNAT and the route always agree.
# ---- Enable forwarding -------
echo "1" > /proc/sys/net/ipv4/ip_forward
# ---- Misc tuning for testing --------
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# ---- Add interfaces ----
ifconfig eth1 10.0.0.101 netmask 255.255.255.0
ifconfig eth2 10.0.0.102 netmask 255.255.255.0
ifconfig eth0:1 192.168.3.201 netmask 255.255.255.0
ifconfig eth0:2 192.168.3.202 netmask 255.255.255.0

# ---- Clear all iptables rules and any old policy-routing rules ----
/sbin/iptables -t filter -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
ip rule del fwmark 101 2>/dev/null
ip rule del fwmark 102 2>/dev/null

# -------------- route for eth0/eth1 - 192.168.3.201/10.0.0.1 --------------------
# connections initiated by plc1 towards the LAN leave eth0 as 192.168.3.201
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.1 -m mark --mark 101 -j SNAT --to 192.168.3.201
# connections from the LAN to 192.168.3.201 go to plc1; the mark later selects table 101 (eth1)
/sbin/iptables -t nat -A PREROUTING -i eth0 -d 192.168.3.201 -m mark --mark 101 -j DNAT --to 10.0.0.1
# debug rule to see if above worked (catches anything the marked rule did not)
/sbin/iptables -t nat -A PREROUTING -i eth0 -d 192.168.3.201 -j DNAT --to 10.0.0.1
# ------------------------------------------------------------------
# -------------- route for eth0/eth2 - 192.168.3.202/10.0.0.1 --------------------
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.1 -m mark --mark 102 -j SNAT --to 192.168.3.202
/sbin/iptables -t nat -A PREROUTING -i eth0 -d 192.168.3.202 -m mark --mark 102 -j DNAT --to 10.0.0.1
# debug rule, as for eth1
/sbin/iptables -t nat -A PREROUTING -i eth0 -d 192.168.3.202 -j DNAT --to 10.0.0.1
# ------------------------------------------------------------------
# -------------- route for eth0/eth3 - 192.168.3.203/192.168.0.1 --------------------
# (eth3/eth4 go beyond the three-card scenario above; no table 103/104 and no
#  ip rule is set up further down, so marks 103/104 do not select a route yet)
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.1 -m mark --mark 103 -j SNAT --to 192.168.3.203
/sbin/iptables -t nat -I PREROUTING -i eth0 -d 192.168.3.203 -m mark --mark 103 -j DNAT --to 192.168.0.1
/sbin/iptables -t nat -I PREROUTING -i eth0 -d 192.168.3.203 -j DNAT --to 192.168.0.1
# ------------------------------------------------------------------
# -------------- route for eth0/eth4 - 192.168.3.204/192.168.0.1 --------------------
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.1 -o eth0 -m mark --mark 104 -j SNAT --to 192.168.3.204
/sbin/iptables -t nat -I PREROUTING -i eth0 -d 192.168.3.204 -j DNAT --to 192.168.0.1
# ------------------------------------------------------------------

#----- Tag every connection with the mark of the alias / PLC interface it belongs to -----
/sbin/iptables -t mangle -A PREROUTING -d 192.168.3.201 -i eth0 -j CONNMARK --set-mark 101
/sbin/iptables -t mangle -A PREROUTING -i eth1 -j CONNMARK --set-mark 101
/sbin/iptables -t mangle -A INPUT -i eth1 -j CONNMARK --set-mark 101
/sbin/iptables -t mangle -A PREROUTING -d 192.168.3.202 -i eth0 -j CONNMARK --set-mark 102
/sbin/iptables -t mangle -A PREROUTING -i eth2 -j CONNMARK --set-mark 102
/sbin/iptables -t mangle -A INPUT -i eth2 -j CONNMARK --set-mark 102
/sbin/iptables -t mangle -A PREROUTING -d 192.168.3.203 -i eth0 -j CONNMARK --set-mark 103
/sbin/iptables -t mangle -A PREROUTING -i eth3 -j CONNMARK --set-mark 103
/sbin/iptables -t mangle -A PREROUTING -d 192.168.3.204 -i eth0 -j CONNMARK --set-mark 104
/sbin/iptables -t mangle -A PREROUTING -i eth4 -j CONNMARK --set-mark 104
# copy the connection mark back onto each packet, so the nat rules and ip rule can match it
# (must stay after all --set-mark rules: mangle PREROUTING runs before nat PREROUTING and before routing)
/sbin/iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
/sbin/iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

#------------- Setup routing tables ------------
# the same 10.0.0.0/24 appears in both tables, but each copy is bound to one interface
ip route add 10.0.0.0/24 dev eth1 src 10.0.0.101 table 101
ip route add 192.168.3.0/24 dev eth0 table 101
ip route add default via 192.168.3.150 dev eth0 table 101
ip route add 10.0.0.0/24 dev eth2 src 10.0.0.102 table 102
ip route add 192.168.3.0/24 dev eth0 table 102
ip route add default via 192.168.3.150 dev eth0 table 102
# 101=0x65 102=0x66
ip rule add fwmark 101 table 101
ip rule add fwmark 102 table 102

#---------- Logging and filter (ICMP only) ----------
/sbin/iptables -A FORWARD -i eth1 -p ICMP -j LOG --log-prefix "FW:eth1-in-icmp "
/sbin/iptables -A FORWARD -o eth1 -p ICMP -j LOG --log-prefix "FW:eth1-out-icmp "
/sbin/iptables -A FORWARD -i eth2 -p ICMP -j LOG --log-prefix "FW:eth2-in-icmp "
/sbin/iptables -A INPUT -i eth2 -p ICMP -j LOG --log-prefix "FW:eth2-INPUT-icmp "
/sbin/iptables -A FORWARD -o eth2 -p ICMP -j LOG --log-prefix "FW:eth2-out-icmp "
/sbin/iptables -A FORWARD -p ICMP -j LOG --log-prefix "FW: not filtered"
/sbin/iptables -A FORWARD -p ICMP -j ACCEPT
# everything sent to a PLC appears to come from the gateway's own address on that leg
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 10.0.0.101
/sbin/iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 10.0.0.102
# -------------- Zero all counts --------------------------
/sbin/iptables -t nat -Z
/sbin/iptables -t mangle -Z
#
# ----- Final Adjust ------
#
# reverse-path filtering must be off: 10.0.0.1 is reachable on two interfaces, so a
# reply arriving on whichever one the main table does not prefer would be dropped as spoofed
sysctl net.ipv4.conf.all.rp_filter=0
sysctl net.ipv4.conf.default.rp_filter=0
sysctl net.ipv4.conf.eth1.rp_filter=0
sysctl net.ipv4.conf.eth2.rp_filter=0

Two points to check before running this on anything but a test bench. Turning rp_filter off is what makes the two-interface 10.0.0.1 work, but it also removes the kernel's only anti-spoofing check on eth1 and eth2; log_martians merely logs, so the compensating control is an explicit filter rule on each PLC interface that drops every source other than 10.0.0.1 (loose mode, rp_filter=2, is also worth trying, since it accepts a source reachable via any interface). Second, the FORWARD chain above only logs and accepts ICMP; flushing does not change the chain policy, so unless it was set to DROP elsewhere, all other traffic between the LAN and the PLCs is forwarded unfiltered.
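As an added example, not the original script: a small POSIX shell generator that emits the mark / NAT / policy-routing block for any number of devices sharing the same address, so the two hand-written copies above (and any further ones) come from a single function instead of copy-and-paste. It assumes the page's LAN side (eth0 on 192.168.3.0/24, upstream router 192.168.3.150) and a /24 on every device leg, and it adds one rule the page does not have: a FORWARD drop on each device interface for any source other than that device, standing in for the reverse-path check that rp_filter=0 switches off. The function names and the LAN_* variables are mine.

```shell
#!/bin/sh
# Generator for the "overlapping subnets via CONNMARK + policy routing" ruleset.
# Added example, not the page's own script. Assumptions: eth0 is the LAN side
# (192.168.3.0/24, upstream router 192.168.3.150) and each device leg is a /24.
# It only prints commands; review them, then run them as root: sh gen.sh | sh

LAN_IF=eth0
LAN_NET=192.168.3.0/24
LAN_GW=192.168.3.150

# forwarding on, old rules gone
preamble() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
EOF
}

# plc_rules MARK IN_IF NAT_IP GW_IP REAL_IP
#   MARK    fwmark and routing-table number (101, 102, ...), one per device
#   IN_IF   interface the device is cabled to (eth1, eth2, ...)
#   NAT_IP  alias on $LAN_IF that stands in for the device (192.168.3.201)
#   GW_IP   the gateway's own address on IN_IF (10.0.0.101)
#   REAL_IP the device's real, overlapping address (10.0.0.1)
plc_rules() {
    mark=$1 in_if=$2 nat_ip=$3 gw_ip=$4 real_ip=$5
    real_net="${real_ip%.*}.0/24"        # assumes a /24 on the device leg
    cat <<EOF
# ---- device on $in_if: $nat_ip <-> $real_ip (mark/table $mark) ----
ip addr add $gw_ip/24 dev $in_if
ip addr add $nat_ip/24 dev $LAN_IF
# tag the connection on its first packet, whichever side opens it
iptables -t mangle -A PREROUTING -i $LAN_IF -d $nat_ip -j CONNMARK --set-mark $mark
iptables -t mangle -A PREROUTING -i $in_if -j CONNMARK --set-mark $mark
# NAT: the LAN sees $nat_ip, the device sees $gw_ip
iptables -t nat -A PREROUTING -i $LAN_IF -d $nat_ip -m mark --mark $mark -j DNAT --to $real_ip
iptables -t nat -A POSTROUTING -o $LAN_IF -s $real_ip -m mark --mark $mark -j SNAT --to $nat_ip
iptables -t nat -A POSTROUTING -o $in_if -j SNAT --to-source $gw_ip
# rp_filter is off on this leg, so pin the only source allowed in (not in the page's script)
iptables -A FORWARD -i $in_if ! -s $real_ip -j DROP
# per-device table: the same prefix as every other device, bound to this interface only
ip route add $real_net dev $in_if src $gw_ip table $mark
ip route add $LAN_NET dev $LAN_IF table $mark
ip route add default via $LAN_GW dev $LAN_IF table $mark
ip rule add fwmark $mark table $mark
# an address that lives on two interfaces can never pass a strict reverse-path check
sysctl -w net.ipv4.conf.$in_if.rp_filter=0
EOF
}

# must be emitted after every --set-mark rule: copies the connection mark onto each packet
finish() {
    cat <<EOF
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
sysctl -w net.ipv4.conf.all.rp_filter=0
EOF
}

# full ruleset for the two-PLC scenario on this page
gen_config() {
    preamble
    plc_rules 101 eth1 192.168.3.201 10.0.0.101 10.0.0.1
    plc_rules 102 eth2 192.168.3.202 10.0.0.102 10.0.0.1
    finish
}

gen_config
```

Adding a third device with yet another 10.0.0.1 is one more plc_rules line with mark 103 and its own interface; the order of the generated mangle rules matters only in that the restore-mark lines from finish must come last.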
...