LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 11-03-2014, 10:08 AM   #1
pciccone
LQ Newbie
 
Registered: Nov 2014
Posts: 5

Rep: Reputation: Disabled
Route a /24 public subnet to another /24 public subnet


In the next few weeks we will be doing a massive (physical) migration from one public /24 subnet to another public /24 subnet. We will have to update various settings, DNS, firewall entries, etc over 100 servers and related load balancers and appliances. During this time as we update systems we would like it if the old IP pool can forward (masquerade?) to the new IP pool, all ports, in a one-to-one mapping. For example:

Source IP: 8.8.8.1 (all ports)
Target IP: 9.9.9.1

Source IP: 8.8.8.2 (all ports)
Target IP: 9.9.9.2

We will have to build a small, disposable, Linux server to do this. We will have a WAN IP, with associated gateway assigned to the NIC. Then I assume we need to somehow program this /24 subnet to route over that WAN IP and perform the forwarding. Is this something easy to accomplish?

Thanks ahead of time for your help, and spending the time to read this post!

Phil
 
Old 11-04-2014, 05:45 AM   #2
malekmustaq
Senior Member
 
Registered: Dec 2008
Location: root
Distribution: Slackware & BSD
Posts: 1,669

Rep: Reputation: 498
Quote:
"In the next few weeks we will be doing a massive (physical) migration from one public /24 subnet to another public /24 subnet. "
Do you mean you are not merely moving from one Subnet to another Subnet but you are physically moving the servers also?

One subnet to another can be done mathematically. That's easily accomplished by scripts and in a few cups of coffee. Otherwise please be more specific.
 
Old 11-04-2014, 07:18 AM   #3
pciccone
LQ Newbie
 
Registered: Nov 2014
Posts: 5

Original Poster
Rep: Reputation: Disabled
That is correct, this is a physical move. So, what will happen is traffic will hit IP 8.8.8.1 and then get redirected back out the same gateway to 9.9.9.1 which is routable over the Internet.
 
Old 11-05-2014, 09:51 AM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348

Rep: Reputation: Disabled
It is certainly possible to set up static 1-to-1 NAT using a Linux-based router.

For this to work, all return traffic must be directed back through the same NAT gateway, so you'll either have to perform both source and destination NAT on all packets, or set up a tunnel of some kind between the Linux router and a second router at the new site, and (temporarily) route outbound traffic from the servers through that tunnel.
 
Old 11-05-2014, 09:53 AM   #5
pciccone
LQ Newbie
 
Registered: Nov 2014
Posts: 5

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Ser Olmy View Post
It is certainly possible to set up static 1-to-1 NAT using a Linux-based router.

For this to work, all return traffic must be directed back through the same NAT gateway, so you'll either have to perform both source and destination NAT on all packets, or set up a tunnel of some kind between the Linux router and a second router at the new site, and (temporarily) route outbound traffic from the servers through that tunnel.
Would that still need to be done, for say something like this (I would need 254 IPs assigned to the box and this command 254 times, I guess):

iptables -t nat -A OUTPUT -p all -d 1.1.1.1 -j DNAT --to-destination 2.2.2.2
iptables -t nat -A POSTROUTING -p all -j MASQUERADE
 
Old 11-05-2014, 10:15 AM   #6
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348

Rep: Reputation: Disabled
Quote:
Originally Posted by pciccone View Post
Would that still need to be done, for say something like this (I would need 254 IPs assigned to the box and this command 254 times, I guess):

iptables -t nat -A OUTPUT -p all -d 1.1.1.1 -j DNAT --to-destination 2.2.2.2
iptables -t nat -A POSTROUTING -p all -j MASQUERADE
Here you're doing destination NAT in the OUTPUT chain, and that only affects locally generated traffic. For packets being routed, use the FORWARD chain. Combined with the source NAT overloading you're doing in the POSTROUTING chain, it ought to work.

I would strongly recommend testing the setup on an otherwise unused IP address before going ahead with the move.
 
Old 11-05-2014, 10:45 AM   #7
pciccone
LQ Newbie
 
Registered: Nov 2014
Posts: 5

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Ser Olmy View Post
Here you're doing destination NAT in the OUTPUT chain, and that only affects locally generated traffic. For packets being routed, use the FORWARD chain. Combined with the source NAT overloading you're doing in the POSTROUTING chain, it ought to work.

I would strongly recommend testing the setup on an otherwise unused IP address before going ahead with the move.
Could this work using the FORWARD chain and not DNAT?
iptables -A FORWARD -s 8.8.8.0/24 -d 9.9.9.0/24 -j ACCEPT

The other idea I had was:
iptables -A FORWARD -d 9.9.9.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -d 8.8.8.1 -j DNAT --to-destination 9.9.9.1
iptables -t nat -A POSTROUTING -j MASQUERADE
 
Old 11-05-2014, 02:08 PM   #8
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348

Rep: Reputation: Disabled
Quote:
Originally Posted by pciccone View Post
Could this work using the FORWARD chain and not DNAT?
iptables -A FORWARD -s 8.8.8.0/24 -d 9.9.9.0/24 -j ACCEPT

The other idea I had was:
iptables -A FORWARD -d 9.9.9.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -d 8.8.8.1 -j DNAT --to-destination 9.9.9.1
iptables -t nat -A POSTROUTING -j MASQUERADE
Sorry, I made a mistake in my previous post. I meant to say that you should use the PREROUTING chain instead of the OUTPUT chain to perform destination NAT. The FORWARD chain exists in the filter table, not the nat table, and is of course used to permit traffic as you wrote above.

In other words: the above setup should work.
 
Old 11-05-2014, 03:50 PM   #9
pciccone
LQ Newbie
 
Registered: Nov 2014
Posts: 5

Original Poster
Rep: Reputation: Disabled
OK, I had posted a lot of "ideas"; I just want to make sure I use the best bet. So, to sum it all up.... Do I have this right? Please adjust if needed:

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p all -d 8.8.8.1 -j DNAT --to-destination 9.9.9.1
iptables -t nat -A PREROUTING -p all -d 8.8.8.2 -j DNAT --to-destination 9.9.9.2
etc... Then:
iptables -t nat -A POSTROUTING -p all -j MASQUERADE
iptables-save >/etc/sysconfig/iptables
service iptables restart
 
Old 11-07-2014, 07:52 PM   #10
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348

Rep: Reputation: Disabled
That looks about right. The last two commands are obviously distribution-specific, but the iptables commands will take care of destination and source NAT.

A NAT setup like this may cause issues with application traffic that contains references to the IP address of either endpoint, such as FTP, SIP and IPsec. This is not a problem specific to your setup; quite a few application protocols require "helper modules" in NAT routers. The most common protocols, such as HTTP(S) and SMTP, will work fine. The same goes for almost all other TCP and UDP based protocols.

BTW, the 254 destination nat commands can be auto-generated by a loop quite easily:
Code:
for (( i=1; i<255 ; i++ )); do iptables -t nat -A PREROUTING -p all -d 8.8.8.$i -j DNAT --to-destination 9.9.9.$i; done
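As an added example (not code from the thread), the summary in post #9 and the loop above can be turned into a generator that emits an `iptables-restore` ruleset for the whole /24, with the FORWARD and MASQUERADE rules narrowed to the translated subnet and the WAN interface instead of matching every packet; the WAN interface name and the optional host range (so a single unused address can be tried first, as recommended) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: generate an iptables-restore ruleset
# for 1:1 NAT of one /24 onto another. Arguments: old and new subnet prefixes
# (first three octets), the WAN interface (assumed, e.g. eth0), and an
# optional host range so one unused address can be tested before the move.
gen_nat_rules() {
    old=$1; new=$2; wan=$3
    first=${4:-1}; last=${5:-254}

    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # DNAT happens in PREROUTING, so by the time a packet reaches FORWARD its
    # destination is already the new address; permit only that and the replies.
    echo "-A FORWARD -d $new.0/24 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -s $new.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo 'COMMIT'

    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    i=$first
    while [ "$i" -le "$last" ]; do
        # One PREROUTING DNAT rule per host: old.N -> new.N, all ports.
        echo "-A PREROUTING -d $old.$i -j DNAT --to-destination $new.$i"
        i=$((i + 1))
    done
    # Source NAT (the thread's MASQUERADE step) so replies return via this box,
    # limited to the translated destinations leaving on the WAN interface
    # rather than every packet the router forwards.
    echo "-A POSTROUTING -o $wan -d $new.0/24 -j MASQUERADE"
    echo 'COMMIT'
}

# Number of DNAT rules in a generated ruleset, for a sanity check.
count_dnat() { gen_nat_rules "$@" | grep -c -- '-j DNAT'; }

# Typical use, as root, once forwarding is enabled:
#   sysctl -w net.ipv4.ip_forward=1
#   gen_nat_rules 8.8.8 9.9.9 eth0 | iptables-restore
```

Generating a single-host ruleset first (`gen_nat_rules 8.8.8 9.9.9 eth0 7 7`) gives the unused-address test from post #6 without touching the other 253 mappings.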