
List:       ipfilter
Subject:    using NAT to change the DESTINATION addr of packets (instead of source)
From:       "Gilles Boccon-Gibod" <gilles () axiomatic ! tv>
Date:       2001-09-24 23:20:52

I'm trying to use IPF/NAT to rewrite the destination addr of packets as they
go out one interface. I can get this to work with 'rdr', but I need to
rewrite addrs for all packets, not just specific ports (like an rdr for a
whole host, or whole subnet), and I thought that 'bimap' could do that, but
it's not working for me.
Specifically, what I'm trying to do is the following:

I have 2 subnets, A and B, connected by an IPSEC tunnel. The tunnel works
fine.
The problem is that the 2 subnets have the same addr range (which I cannot
change). They are both 192.168.1.x.
I want to tell the gateway A to rewrite the destination addr of packets as
they go through the ipsec tunnel (gif0) such that packets for destination
192.168.2.x get rewritten as destination 192.168.1.x.
This way, my hosts on the A side can talk to hosts on the B side as if they
were 192.168.2.x.

the 'map' rule only changes the source addr of packets, so that won't work.

If I use 'rdr' with a rule like this on gateway A:
rdr dc0 192.168.2.2/32 port 23 -> 192.168.1.2 port 23

then it works (only if the 'rdr' is done on the incoming ethernet interface
dc0, not on the outgoing interface gif0): I can telnet from a host on subnet
A to addr 192.168.2.2, which will end up connecting to addr 192.168.1.2 on
subnet B.
But I need to do this for all ports, and all hosts in 192.168.2.x, so 'rdr'
won't do.
I tried 'bimap' with the following:
bimap gif0 192.168.2.2/32 -> 192.168.1.2/32

or even on the incoming ethernet interface:
bimap dc0 192.168.2.2/32 -> 192.168.1.2/32

but packets don't seem to get rewritten that way (tcpdump shows packets
through the tunnel still having a destination of 192.168.2.2).

How can I achieve this "host remapping" with IPF?
Or maybe there is a better "trick" to make my 2 subnets talk to each other
even though they have the same addresses?

Any help would be most welcome.

-- Gilles Boccon-Gibod
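Added example, not part of the original post and not ipfilter configuration: a small Python model of the stateless 1:1 prefix translation the poster is after, so the two directions of the rewrite can be traced packet by packet. It goes one step beyond the question: besides mapping the destination 192.168.2.x to 192.168.1.x on the way into the tunnel, gateway A also presents its own hosts to site B under a second alias prefix, 192.168.3.0/24 (an assumption; site B must route that prefix back into the tunnel), because replies addressed to a 192.168.1.x source would otherwise stay on B's LAN. Both rewrites are bound to the tunnel interface only, since A's own LAN is the same 192.168.1.0/24 and must not be touched. The interface and host addresses are the poster's; the packets are constructed for the demo.

```python
import ipaddress


class GatewayNat:
    """Stateless 1:1 prefix translation on gateway A's tunnel interface.

    Constructed model, not ipfilter code. Site A and site B both use
    `real` (192.168.1.0/24). Hosts on A address B as `remote_alias`
    (192.168.2.0/24); A's own hosts are shown to B as `local_alias`
    (192.168.3.0/24, an assumption: B must route that prefix back into
    the tunnel). Rewrites happen only on the tunnel interface, so
    traffic on A's LAN interface, also 192.168.1.0/24, is never touched.
    """

    def __init__(self, real, remote_alias, local_alias, tunnel_iface="gif0"):
        self.real = ipaddress.ip_network(real)
        self.remote_alias = ipaddress.ip_network(remote_alias)
        self.local_alias = ipaddress.ip_network(local_alias)
        self.tunnel_iface = tunnel_iface
        nets = (self.real, self.remote_alias, self.local_alias)
        # A 1:1 mapping keeps the host bits, so all prefixes must be the same size.
        if len({n.prefixlen for n in nets}) != 1:
            raise ValueError("1:1 mapping needs equal-size prefixes")
        # Overlapping alias and real prefixes would make the rewrite ambiguous.
        for a in nets:
            for b in nets:
                if a is not b and a.overlaps(b):
                    raise ValueError("alias prefixes must be disjoint from "
                                     "each other and from the real prefix")

    @staticmethod
    def _remap(addr, from_net, to_net):
        """Swap the network part of addr from from_net to to_net, keep host bits."""
        host = int(addr) - int(from_net.network_address)
        return str(ipaddress.ip_address(int(to_net.network_address) + host))

    def translate(self, pkt):
        """Return a rewritten copy of pkt.

        pkt = {"iface": str, "dir": "out"|"in", "src": str, "dst": str}
        "out" = leaving A into the tunnel, "in" = arriving from the tunnel.
        """
        out = dict(pkt)
        if pkt["iface"] != self.tunnel_iface:
            return out                            # LAN-side traffic: untouched
        src = ipaddress.ip_address(pkt["src"])
        dst = ipaddress.ip_address(pkt["dst"])
        if pkt["dir"] == "out":
            if dst in self.remote_alias:          # dst 192.168.2.x -> 192.168.1.x
                out["dst"] = self._remap(dst, self.remote_alias, self.real)
            if src in self.real:                  # src 192.168.1.x -> 192.168.3.x
                out["src"] = self._remap(src, self.real, self.local_alias)
        elif pkt["dir"] == "in":
            if src in self.real:                  # src 192.168.1.x -> 192.168.2.x
                out["src"] = self._remap(src, self.real, self.remote_alias)
            if dst in self.local_alias:           # dst 192.168.3.x -> 192.168.1.x
                out["dst"] = self._remap(dst, self.local_alias, self.real)
        return out


def demo():
    """Constructed round trip: A host .7 talks to what it sees as B host .2."""
    nat = GatewayNat("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24")
    request = {"iface": "gif0", "dir": "out",
               "src": "192.168.1.7", "dst": "192.168.2.2"}
    # B's host answers the translated source address it saw in the request.
    reply = {"iface": "gif0", "dir": "in",
             "src": "192.168.1.2", "dst": "192.168.3.7"}
    # Same-subnet traffic on the LAN interface must pass through unchanged.
    lan = {"iface": "dc0", "dir": "in",
           "src": "192.168.1.7", "dst": "192.168.1.9"}
    return nat.translate(request), nat.translate(reply), nat.translate(lan)


if __name__ == "__main__":
    for pkt in demo():
        print(pkt)
```

The model is what a `bimap`-style rule would have to do on gif0 in both directions. Note that ipfilter applies `rdr` to packets arriving on the named interface, which matches the poster's observation that the port-23 rule only took effect on dc0 and not on gif0.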
