Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
11-03-2014, 10:08 AM, #1
LQ Newbie
Registered: Nov 2014
Posts: 5
Route a /24 public subnet to another /24 public subnet
In the next few weeks we will be doing a massive (physical) migration from one public /24 subnet to another public /24 subnet. We will have to update various settings, DNS, firewall entries, etc. over 100 servers and related load balancers and appliances. During this time, as we update systems, we would like it if the old IP pool can forward (masquerade?) to the new IP pool, all ports, in a one-to-one mapping. For example:
Source IP: 8.8.8.1 (all ports)
Target IP 9.9.9.1
Source IP: 8.8.8.2 (all ports)
Target IP: 9.9.9.2
We will have to build a small, disposable, Linux server to do this. We will have a WAN IP, with associated gateway assigned to the NIC. Then I assume we need to somehow program this /24 subnet to route over that WAN IP and perform the forwarding. Is this something easy to accomplish?
Thanks ahead of time for your help, and spending the time to read this post!
Phil
11-04-2014, 05:45 AM, #2
Senior Member
Registered: Dec 2008
Location: root
Distribution: Slackware & BSD
Posts: 1,669
Quote:
"In the next few weeks we will be doing a massive (physical) migration from one public /24 subnet to another public /24 subnet."
Do you mean you are not merely moving from one Subnet to another Subnet but you are physically moving the servers also?
One subnet to another can be done mathematically. That's easily accomplished by scripts and in a few cups of coffee. Otherwise please be more specific.
11-04-2014, 07:18 AM, #3
LQ Newbie (Original Poster)
Registered: Nov 2014
Posts: 5
That is correct, this is a physical move. So, what will happen is traffic will hit IP 8.8.8.1 and then get redirected back out the same gateway to 9.9.9.1 which is routable over the Internet.
11-05-2014, 09:51 AM, #4
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348
It is certainly possible to set up static 1-to-1 NAT using a Linux-based router.
For this to work, all return traffic must be directed back through the same NAT gateway, so you'll either have to perform both source and destination NAT on all packets, or set up a tunnel of some kind between the Linux router and a second router at the new site, and (temporarily) route outbound traffic from the servers through that tunnel.
11-05-2014, 09:53 AM, #5
LQ Newbie (Original Poster)
Registered: Nov 2014
Posts: 5
Quote:
Originally Posted by Ser Olmy
It is certainly possible to set up static 1-to-1 NAT using a Linux-based router.
For this to work, all return traffic must be directed back through the same NAT gateway, so you'll either have to perform both source and destination NAT on all packets, or set up a tunnel of some kind between the Linux router and a second router at the new site, and (temporarily) route outbound traffic from the servers through that tunnel.
Would that still need to be done, for say something like this (I would need 254 IPs assigned to the box and this command 254 times, I guess):
iptables -t nat -A OUTPUT -p all -d 1.1.1.1 -j DNAT --to-destination 2.2.2.2
iptables -t nat -A POSTROUTING -p all -j MASQUERADE
11-05-2014, 10:15 AM, #6
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348
Quote:
Originally Posted by pciccone
Would that still need to be done, for say something like this (I would need 254 IPs assigned to the box and this command 254 times, I guess):
iptables -t nat -A OUTPUT -p all -d 1.1.1.1 -j DNAT --to-destination 2.2.2.2
iptables -t nat -A POSTROUTING -p all -j MASQUERADE
Here you're doing destination NAT in the OUTPUT chain, and that only affects locally generated traffic. For packets being routed, use the FORWARD chain. Combined with the source NAT overloading you're doing in the POSTROUTING chain, it ought to work.
I would strongly recommend testing the setup on an otherwise unused IP address before going ahead with the move.
11-05-2014, 10:45 AM, #7
LQ Newbie (Original Poster)
Registered: Nov 2014
Posts: 5
Quote:
Originally Posted by Ser Olmy
Here you're doing destination NAT in the OUTPUT chain, and that only affects locally generated traffic. For packets being routed, use the FORWARD chain. Combined with the source NAT overloading you're doing in the POSTROUTING chain, it ought to work.
I would strongly recommend testing the setup on an otherwise unused IP address before going ahead with the move.
Could this work using the FORWARD chain and not DNAT?
iptables -A FORWARD -s 8.8.8.0/24 -d 9.9.9.0/24 -j ACCEPT
The other idea I had was:
iptables -A FORWARD -d 9.9.9.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -d 8.8.8.1 -j DNAT --to-destination 9.9.9.1
iptables -t nat -A POSTROUTING -j MASQUERADE
11-05-2014, 02:08 PM, #8
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348
Quote:
Originally Posted by pciccone
Could this work using the FORWARD chain and not DNAT?
iptables -A FORWARD -s 8.8.8.0/24 -d 9.9.9.0/24 -j ACCEPT
The other idea I had was:
iptables -A FORWARD -d 9.9.9.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -d 8.8.8.1 -j DNAT --to-destination 9.9.9.1
iptables -t nat -A POSTROUTING -j MASQUERADE
Sorry, I made a mistake in my previous post. I meant to say that you should use the PREROUTING chain instead of the OUTPUT chain to perform destination NAT. The FORWARD chain exists in the filter table, not the nat table, and is of course used to permit traffic as you wrote above.
In other words: the above setup should work.
11-05-2014, 03:50 PM, #9
LQ Newbie (Original Poster)
Registered: Nov 2014
Posts: 5
OK, I had posted a lot of "ideas", just want to make sure I use the best bet. So, to sum it all up.... Do I have this right? Please adjust if needed:
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p all -d 8.8.8.1 -j DNAT --to-destination 9.9.9.1
iptables -t nat -A PREROUTING -p all -d 8.8.8.2 -j DNAT --to-destination 9.9.9.2
etc... Then: iptables -t nat -A POSTROUTING -p all -j MASQUERADE
iptables-save >/etc/sysconfig/iptables
service iptables restart
11-07-2014, 07:52 PM, #10
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348
That looks about right. The last two commands are obviously distribution-specific, but the iptables commands will take care of destination and source NAT.
A NAT setup like this may cause issues with application traffic that contains references to the IP address of either endpoint, such as FTP, SIP and IPsec. This is not a problem specific to your setup; quite a few application protocols require "helper modules" in NAT routers. The most common protocols, such as HTTP(S) and SMTP, will work fine. The same goes for almost all other TCP and UDP based protocols.
BTW, the 254 destination nat commands can be auto-generated by a loop quite easily:
Code:
for (( i=1; i<255 ; i++ )); do iptables -t nat -A PREROUTING -p all -d 8.8.8.$i -j DNAT --to-destination 9.9.9.$i; done