LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 11-02-2004, 01:46 AM   #1
rickthemick
Member
 
Registered: Aug 2003
Location: Sweden
Distribution: Debian
Posts: 52

Rep: Reputation: 15
iptables (changing source address)


Hi all!
I want to change the source of all outgoing packets on port 5000 to 0.0.0.0 (even though my NIC is configured with an correct IP address). Whats the way to do it? Best would be if I could do it from within my application (written in C). My solution now is iptables:

iptables -t nat -A POSTROUTING -p udp -dport 5000 -j SNAT --to 0.0.0.0

But the problem with the above line is that it only seems to change packets addressed to the broadcast address (255.255.255.255) which seems very odd to me? Can anyone see why??? I want unicast packets to be changed too...

Best regards
Rick
 
Old 11-02-2004, 07:32 AM   #2
ugge
Senior Member
 
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028

Rep: Reputation: 45
Are you shure that no other rule in POSTROUTE chain or any other chain send the packet to another terminal target (stopping the check)?
Walk through all chains, rules and policies using this schema: http://iptables-tutorial.frozentux.n...ERSINGOFTABLES

You can also let iptables show the hit count for every rule and policy to see if the packets reach the proper targets.
Code:
iptables -v -n -L
and
Code:
iptables -v -n -t nat -L
 
Old 11-03-2004, 04:02 AM   #3
rickthemick
Member
 
Registered: Aug 2003
Location: Sweden
Distribution: Debian
Posts: 52

Original Poster
Rep: Reputation: 15
hi!
All chains is empty and all chains has the policy to ACCEPT, I have also done
iptables -t {nat, mangle, filter} -F
and then
iptables -t nat -A POSTROUTING -p udp --dport 5000 -j SNAT --to 0.0.0.0

I have found out that it seems that if the first UDP packet is a broadcast the source will be set to 0.0.0.0 but it also causes the other packets to not hit my NAT-rule, which seems to be strange to me???

If I let the first packet also be unicast, that packet and the following packets will get their source set to 0.0.0.0??? (but I want the first packet to be broadcast)

/Rickard

Last edited by rickthemick; 11-03-2004 at 06:51 AM.
 
Old 11-03-2004, 04:11 AM   #4
rickthemick
Member
 
Registered: Aug 2003
Location: Sweden
Distribution: Debian
Posts: 52

Original Poster
Rep: Reputation: 15
...wrote something that was wrong here so I removed by editing the post...

Last edited by rickthemick; 11-03-2004 at 06:51 AM.
 
Old 11-03-2004, 09:08 AM   #5
ugge
Senior Member
 
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028

Rep: Reputation: 45
Are the packets following the first broadcast part of the same UDP connection?
In that case it could be the connection tracking fooling us.
 
Old 11-03-2004, 12:40 PM   #6
rickthemick
Member
 
Registered: Aug 2003
Location: Sweden
Distribution: Debian
Posts: 52

Original Poster
Rep: Reputation: 15
The packets are using the same source and destination port. But for me UDP is connection less, but I guess you mean connection in some other sense?

Chapter 3.3 NAT table, from:
http://iptables-tutorial.frozentux.n...-tutorial.html
says:

Quote:
Note that, as we have said before, only the first packet in a stream will hit this chain. After this, the rest of the packets will automatically have the same action taken on them as the first packet.
But to me this says that it should indeed work and also the unicast packets should get the src set to 0.0.0.0!?

/Rick

Last edited by rickthemick; 11-03-2004 at 12:58 PM.
 
Old 11-04-2004, 04:59 AM   #7
rickthemick
Member
 
Registered: Aug 2003
Location: Sweden
Distribution: Debian
Posts: 52

Original Poster
Rep: Reputation: 15
-> Is there any other way around this problem to set the source address to 0.0.0.0? (How does DHCP accomplish this?)
-> Any iptables gurus how can see whats going wrong for me?

Any help are appreciated!

/Rickard
 
Old 11-04-2004, 09:29 AM   #8
ugge
Senior Member
 
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028

Rep: Reputation: 45
Just a question: Why would you like to do that?
The IP address 0.0.0.0 is by my knowledge no valid IP, but for the use of default route.
 
Old 11-04-2004, 02:45 PM   #9
rickthemick
Member
 
Registered: Aug 2003
Location: Sweden
Distribution: Debian
Posts: 52

Original Poster
Rep: Reputation: 15
I'm trying to do quite similiar thing that DHCP does. More specifically I'm testing how to implement a Mobile IPv4 prototype, and this requires a visting node to talk to a foreign agent (FA) on a foreign network to get its FA-COA (Care-Of-Address).

The FA will for example not receive any packets if it has the source of the mobile nodes home address, which could be anything. So, if I set it to 0.0.0.0, the FA will accept the packet (e.g the first broadcast - solicitation), and then reply with a advertisement.

So again, I need to set the source to 0.0.0.0, or is there any other and better solution to get the nodes to communicate? I would feel terriable to have to give up on this now...
 
Old 11-04-2004, 02:51 PM   #10
ugge
Senior Member
 
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028

Rep: Reputation: 45
But broadcast would be 255.255.255.255, or?
 
Old 11-05-2004, 02:32 AM   #11
rickthemick
Member
 
Registered: Aug 2003
Location: Sweden
Distribution: Debian
Posts: 52

Original Poster
Rep: Reputation: 15
Yes, I broadcast to 255.255.255.255, why?
A link local broadcast (e.g 10.0.3.255) is not enough since the receiving host (FA) is on another subnet!
 
Old 11-05-2004, 07:37 AM   #12
ugge
Senior Member
 
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028

Rep: Reputation: 45
So you let the FA-COA forward the request to your FA?
Why then use IP 0.0.0.0 and not 255.255.255.255?
I'm not completely sure I follow. I still think that IP 0.0.0.0 is not a valid IP to use. What would be the netmask you use with that IP?
If I have understood it right, then I think that forwarding to IP 255.255.255.255 instead of 0.0.0.0 would be the way to go.
 
Old 11-05-2004, 08:43 AM   #13
rickthemick
Member
 
Registered: Aug 2003
Location: Sweden
Distribution: Debian
Posts: 52

Original Poster
Rep: Reputation: 15
Quote:
So you let the FA-COA forward the request to your FA?
FA-COA is a IP address. More specifically is the address of the global interface of the FA which is assigned to each visting mobile node (MN), so the HA knows where to put its tunnel end point.

Quote:
Why then use IP 0.0.0.0 and not 255.255.255.255?
I hope you mean as source address. I don't really see the difference and I believe setting the source to 0.0.0.0 is ok since DHCP also does this.

Quote:
I'm not completely sure I follow. I still think that IP 0.0.0.0 is not a valid IP to use. What would be the netmask you use with that IP?
I think that there is nothing like a netmask in a IPv4 packet of what I know. The receiving host that gets a packet with src 0.0.0.0 will accept it if the destination address is 255.255.255.255, this fact is used by DHCP and I use it now.

Quote:
If I have understood it right, then I think that forwarding to IP 255.255.255.255 instead of 0.0.0.0 would be the way to go.
Yes, I have never wanted to send packets to 0.0.0.0, my wish has been to set the source to 0.0.0.0.

The whole thing seems to work now in my implemention, I dont really know why, which doesnt feel 100% ok... but anyway I get the source to 0.0.0.0 and MIPv4 is up and running! Thanks for you time and interest in this thread. I will discussed it more if there are more responds, but my problems seems to be solved for now.

I think there should be I library for doing iptables stuff from within an application, is that correct? Any tutorials, tips? (using the system("iptables...") is quite ugly, isnt it?

Last edited by rickthemick; 11-05-2004 at 08:44 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Changing sendmail source address looseCannon AIX 4 06-30-2005 08:13 AM
problem to print source address and destination address jooboo Programming 2 11-26-2003 04:24 PM
Changing the ip address saravanan1979 Linux - Software 1 01-28-2002 05:19 AM
Should i use the eth0 ip address of my internet ip address when applying iptables ForumKid Linux - Security 2 01-03-2002 09:54 AM
How would i log the source MAC address w/ iptables? phek Linux - Security 12 12-14-2001 01:18 PM


All times are GMT -5. The time now is 03:51 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration