LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

iptables (changing source address)

#1  rickthemick (Member, Debian, Sweden)  11-02-2004, 12:46 AM

Hi all!
I want to change the source of all outgoing packets on port 5000 to 0.0.0.0 (even though my NIC is configured with a correct IP address). What's the way to do it? Best would be if I could do it from within my application (written in C). My solution now is iptables:

iptables -t nat -A POSTROUTING -p udp --dport 5000 -j SNAT --to 0.0.0.0

But the problem with the above line is that it only seems to change packets addressed to the broadcast address (255.255.255.255), which seems very odd to me. Can anyone see why? I want unicast packets to be changed too...

Best regards
Rick
 
#2  ugge (Senior Member, OpenSUSE 10.3, Gothenburg, Sweden)  11-02-2004, 06:32 AM
Are you sure that no other rule in the POSTROUTING chain or any other chain sends the packet to another terminal target (stopping the check)?
Walk through all chains, rules and policies using this schema: http://iptables-tutorial.frozentux.n...ERSINGOFTABLES

You can also let iptables show the hit count for every rule and policy to see if the packets reach the proper targets.
Code:
iptables -v -n -L
and
Code:
iptables -v -n -t nat -L
 
#3  rickthemick (Original Poster)  11-03-2004, 03:02 AM
hi!
All chains are empty and all chains have the policy ACCEPT. I have also done
iptables -t nat -F; iptables -t mangle -F; iptables -t filter -F
and then
iptables -t nat -A POSTROUTING -p udp --dport 5000 -j SNAT --to 0.0.0.0

I have found out that it seems that if the first UDP packet is a broadcast, the source will be set to 0.0.0.0, but it also causes the other packets to not hit my NAT rule, which seems strange to me?

If I let the first packet also be unicast, that packet and the following packets will get their source set to 0.0.0.0 (but I want the first packet to be broadcast).

/Rickard

Last edited by rickthemick; 11-03-2004 at 05:51 AM.
 
#4  rickthemick (Original Poster)  11-03-2004, 03:11 AM
...wrote something that was wrong here so I removed by editing the post...

Last edited by rickthemick; 11-03-2004 at 05:51 AM.
 
#5  ugge  11-03-2004, 08:08 AM
Are the packets following the first broadcast part of the same UDP connection?
In that case it could be the connection tracking fooling us.
 
#6  rickthemick (Original Poster)  11-03-2004, 11:40 AM
The packets are using the same source and destination port. But to me UDP is connectionless, so I guess you mean connection in some other sense?

Chapter 3.3 NAT table, from:
http://iptables-tutorial.frozentux.n...-tutorial.html
says:

Quote:
Note that, as we have said before, only the first packet in a stream will hit this chain. After this, the rest of the packets will automatically have the same action taken on them as the first packet.
But to me this says that it should indeed work, and also the unicast packets should get the src set to 0.0.0.0!?

/Rick

Last edited by rickthemick; 11-03-2004 at 11:58 AM.
 
#7  rickthemick (Original Poster)  11-04-2004, 03:59 AM
-> Is there any other way around this problem to set the source address to 0.0.0.0? (How does DHCP accomplish this?)
-> Any iptables gurus who can see what's going wrong for me?

Any help is appreciated!

/Rickard
 
#8  ugge  11-04-2004, 08:29 AM
Just a question: Why would you like to do that?
The IP address 0.0.0.0 is, to my knowledge, not a valid IP, except for use in the default route.
 
#9  rickthemick (Original Poster)  11-04-2004, 01:45 PM
I'm trying to do quite a similar thing to what DHCP does. More specifically, I'm testing how to implement a Mobile IPv4 prototype, and this requires a visiting node to talk to a foreign agent (FA) on a foreign network to get its FA-COA (Care-Of-Address).

The FA will for example not receive any packets if they have the source of the mobile node's home address, which could be anything. So, if I set it to 0.0.0.0, the FA will accept the packet (e.g. the first broadcast, the solicitation), and then reply with an advertisement.

So again, I need to set the source to 0.0.0.0, or is there any other and better solution to get the nodes to communicate? I would feel terrible to have to give up on this now...
 
#10  ugge  11-04-2004, 01:51 PM
But broadcast would be 255.255.255.255, or?
 
#11  rickthemick (Original Poster)  11-05-2004, 01:32 AM
Yes, I broadcast to 255.255.255.255, why?
A link-local broadcast (e.g. 10.0.3.255) is not enough since the receiving host (FA) is on another subnet!
 
#12  ugge  11-05-2004, 06:37 AM
So you let the FA-COA forward the request to your FA?
Why then use IP 0.0.0.0 and not 255.255.255.255?
I'm not completely sure I follow. I still think that IP 0.0.0.0 is not a valid IP to use. What netmask would you use with that IP?
If I have understood it right, then I think that forwarding to IP 255.255.255.255 instead of 0.0.0.0 would be the way to go.
 
#13  rickthemick (Original Poster)  11-05-2004, 07:43 AM
Quote:
So you let the FA-COA forward the request to your FA?
FA-COA is an IP address. More specifically, it is the address of the global interface of the FA, which is assigned to each visiting mobile node (MN), so the HA knows where to put its tunnel end point.

Quote:
Why then use IP 0.0.0.0 and not 255.255.255.255?
I hope you mean as source address. I don't really see the difference and I believe setting the source to 0.0.0.0 is ok since DHCP also does this.

Quote:
I'm not completely sure I follow. I still think that IP 0.0.0.0 is not a valid IP to use. What would be the netmask you use with that IP?
I think there is nothing like a netmask in an IPv4 packet, as far as I know. The receiving host that gets a packet with src 0.0.0.0 will accept it if the destination address is 255.255.255.255; this fact is used by DHCP and I use it now.

Quote:
If I have understood it right, then I think that forwarding to IP 255.255.255.255 instead of 0.0.0.0 would be the way to go.
Yes, I have never wanted to send packets to 0.0.0.0, my wish has been to set the source to 0.0.0.0.

The whole thing seems to work now in my implementation. I don't really know why, which doesn't feel 100% OK... but anyway I get the source to 0.0.0.0 and MIPv4 is up and running! Thanks for your time and interest in this thread. I will discuss it more if there are more responses, but my problem seems to be solved for now.

I think there should be a library for doing iptables stuff from within an application, is that correct? Any tutorials, tips? (Using system("iptables...") is quite ugly, isn't it?)

Last edited by rickthemick; 11-05-2004 at 07:44 AM.
 