source NAT / masquerading on a dedicated server

 
neuneudr
(Msg. 1) Posted: Mon Sep 14, 2009 4:42 am
Post subject: source NAT / masquerading on a dedicated server
Archived from groups: comp>os>linux>networking

Hi all,

I've got a Linux system that masquerades traffic for
several other machines on my LAN. That Linux system
is connected to a home DSL router.

That Linux system has a local IP of 10.0.0.39 and gets
a dynamic public IP address.

Then for every machine that I want to be source NATed,
I do the following (example for an iMac at 10.0.0.51):

iptables -t nat -I POSTROUTING -s 10.0.0.51 -d ! 10.0.0.0/16 -j MASQUERADE

Then on the iMac, I configure 10.0.0.39 to be the router.

This is working fine.

Now I want to do something more complicated...

I am renting a dedicated Linux server, at a fixed public IP, say at
IP 213.186.33.33 (just an example, it's not its real IP) which hosts,
amongst other things, my company's website / webapp.

I now want to access the Internet from my iMac while having the
traffic to appear to come from the dedicated server I'm renting.

How should I go about setting up such a scheme?

David Schwartz
(Msg. 2) Posted: Mon Sep 14, 2009 5:26 am
Post subject: Re: source NAT / masquerading on a dedicated server
Archived from groups: per prev. post

On Sep 14, 4:42 am, neune....TakeThisOut@yahoo.fr wrote:

> I now want to access the Internet from my iMac while having the
> traffic to appear to come from the dedicated server I'm renting.
>
> How should I go about setting up such a scheme?

One way would be to run a proxy (socks 5, for example) on the
dedicated server.

DS

neuneudr
(Msg. 3) Posted: Mon Sep 14, 2009 8:09 am
Post subject: Re: source NAT / masquerading on a dedicated server
Archived from groups: per prev. post

On Sep 14, 3:38 pm, Allen Kistler <ackist... RemoveThis @oohay.moc> wrote:
> neune... RemoveThis @yahoo.fr wrote:
....
> > Now I want to do something more complicated...
>
> > I am renting a dedicated Linux server, at a fixed public IP, say at
> > IP 213.186.33.33 (just an example, it's not its real IP) which hosts,
> > amongst other things, my company's website / webapp.
>
> > I now want to access the Internet from my iMac while having the
> > traffic to appear to come from the dedicated server I'm renting.
>
> > How should I go about setting up such a scheme?
>
> Do you mean you want the traffic to go through the public server? Or
> you just want the iMac to have its address natted to a server at another
> site?

I guess the latter but I'm not sure I understand the difference between
the two.

I'd like to have the dedicated Linux server I'm renting do to my iMac
what my home Linux system is currently doing: any traffic emitted from my
iMac appears to come from my home Linux machine. That home Linux machine,
because it is set up to do SNAT/masquerading, knows how to correctly
re-route incoming packets to the iMac.

So I'd like to set the public IP of the dedicated Linux server I'm
renting as the router for the iMac.

Would a route like the following be doable on the iMac:

213.168.33.33 10.0.0.39 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 213.168.33.33 0.0.0.0 UG 0 0 0 eth0


So that any traffic from the iMac to the Internet passes through
the Linux dedicated server (at 213.168.33.33) but then I can tell how
packets from my iMac can first reach 213.168.33.33 (through 10.0.0.39,
which is my home Linux 'router').

Is this technically doable? And if not why not?


> For the first, another poster suggested a proxy. You could also set up
> a VPN using something like OpenVPN or OpenSWAN.
>
> For the second, which is how I read your question, it won't work.
> Internet routers won't know to route your return traffic back to you.
> They'll send it to the other site.

By "the other site", do you mean the Linux dedicated server?

Because I can configure that one to do SNAT/masquerading and so
traffic could be re-routed to my iMac?

For example if my DSL router gets the public IP 85.62.90.182, I was
planning to do the following on the dedicated Linux server:

iptables -t nat -I POSTROUTING -s 85.62.90.182 -d ! 213.168.33.33 -j MASQUERADE


I hoped I could do the following:

- iMac wants to send a packet to the Internet
- iMac looks at his route and sees he must use 213.168.33.33 as the router
- iMac looks at this route and sees that to reach 213.168.33.33 he must pass through 10.0.0.39
- 10.0.0.39/85.62.90.182 SNATs iMac's packet and sends it to 213.168.33.33
- 213.168.33.33 SNATs the packet from 85.62.90.182
- 213.168.33.33 sends the reply back to 85.62.90.182
- 10.0.0.39/85.62.90.182 sends the packet back to the iMac

Thanks a lot for helping me figure this out, I'm no network guru
and thought it was "easy" to do such a thing :-)

neuneudr
(Msg. 4) Posted: Mon Sep 14, 2009 8:12 am
Post subject: Re: source NAT / masquerading on a dedicated server
Archived from groups: per prev. post

On Sep 14, 3:38 pm, Allen Kistler <ackist....TakeThisOut@oohay.moc> wrote:
> neune....TakeThisOut@yahoo.fr wrote:
....
> > iptables -t nat -I POSTROUTING -s 10.0.0.51 -d ! 10.0.0.0/16 -j MASQUERADE
>
> Why not just "-t nat -A POSTROUTING -o ppp0 -j MASQUERADE" ?

I don't know exactly but I've got several machines, some are configured
to use 10.0.0.39 as the router, others aren't. For every local IP that I
want my router to SNAT traffic for, I use such a rule...

iptables -t nat -I POSTROUTING -s 10.0.0.51 -d ! 10.0.0.0/16 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 10.0.0.54 -d ! 10.0.0.0/16 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 10.0.0.57 -d ! 10.0.0.0/16 -j MASQUERADE

But 10.0.0.52 directly goes through the DSL router, etc.

It's working this way, I never looked into it :-/

Allen Kistler
(Msg. 5) Posted: Mon Sep 14, 2009 9:38 am
Post subject: Re: source NAT / masquerading on a dedicated server
Archived from groups: per prev. post

neuneudr.TakeThisOut@yahoo.fr wrote:
> I've got a Linux system that masquerades traffic for
> several other machines on my LAN. That Linux system
> is connected to a home DSL router.
>
> That Linux system has a local IP of 10.0.0.39 and gets
> a dynamic public IP address.
>
> Then for every machine that I want to be source NATed,
> I do the following (example for an iMac at 10.0.0.51):
>
> iptables -t nat -I POSTROUTING -s 10.0.0.51 -d ! 10.0.0.0/16 -j MASQUERADE

Why not just "-t nat -A POSTROUTING -o ppp0 -j MASQUERADE" ?

> Then on the iMac, I configure 10.0.0.39 to be the router.
>
> This is working fine.
>
> Now I want to do something more complicated...
>
> I am renting a dedicated Linux server, at a fixed public IP, say at
> IP 213.186.33.33 (just an example, it's not its real IP) which hosts,
> amongst other things, my company's website / webapp.
>
> I now want to access the Internet from my iMac while having the
> traffic to appear to come from the dedicated server I'm renting.
>
> How should I go about setting up such a scheme?

Do you mean you want the traffic to go through the public server? Or
you just want the iMac to have its address natted to a server at another
site?

For the first, another poster suggested a proxy. You could also set up
a VPN using something like OpenVPN or OpenSWAN.

For the second, which is how I read your question, it won't work.
Internet routers won't know to route your return traffic back to you.
They'll send it to the other site.

neuneudr
(Msg. 6) Posted: Mon Sep 14, 2009 12:46 pm
Post subject: Re: source NAT / masquerading on a dedicated server
Archived from groups: per prev. post

On Sep 14, 7:40 pm, Allen Kistler <ackist....RemoveThis@oohay.moc> wrote:
....
> Every machine's router must be local, i.e., in the same subnet. Your
> iMac with an IP address of 10.something in your home cannot have a
> default router of 213.something at another site, at least not the way
> you describe.

Oh that's very interesting... I wasn't aware of that.

> What you're really describing is a VPN (virtual private network) tunnel
> between your iMac and your remote server. The tunnel would make it look
> like the iMac is connected directly to the remote server with a wire.
> Basically the VPN software creates additional virtual interfaces on each
> machine that transfer data only between them. You would set up the
> iMac's default route to be over the VPN, in which case the remote server
> can masquerade the iMac's virtual address.

Great!

Time to read on OpenVPN (and, yup, if I don't manage to do it myself I
happen to know a local networking guru :-)

Thanks a lot for your detailed explanation,

Allen Kistler
(Msg. 7) Posted: Mon Sep 14, 2009 1:40 pm
Post subject: Re: source NAT / masquerading on a dedicated server
Archived from groups: per prev. post

neuneudr.DeleteThis@yahoo.fr wrote:
> Allen Kistler wrote:
>>
>> [snip]
>>
>> For the first, another poster suggested a proxy. You could also set up
>> a VPN using something like OpenVPN or OpenSWAN.
>>
>> For the second, which is how I read your question, it won't work.
>> Internet routers won't know to route your return traffic back to you.
>> They'll send it to the other site.
>
> By "the other site", do you mean the Linux dedicated server?
>
> Because I can configure that one to do SNAT/masquerading and so
> traffic could be re-routed to my iMac?
>
> For example if my DSL router gets the public IP 85.62.90.182, I was
> planning to do the following on the dedicated Linux server:
>
> iptables -t nat -I POSTROUTING -s 85.62.90.182 -d ! 213.168.33.33 -j MASQUERADE
>
>
> I hoped I could do the following:
>
> - iMac wants to send a packet to the Internet
> - iMac looks at his route and sees he must use 213.168.33.33 as the router
> - iMac looks at this route and sees that to reach 213.168.33.33 he must pass through 10.0.0.39
> - 10.0.0.39/85.62.90.182 SNATs iMac's packet and sends it to 213.168.33.33
> - 213.168.33.33 SNATs the packet from 85.62.90.182
> - 213.168.33.33 sends the reply back to 85.62.90.182
> - 10.0.0.39/85.62.90.182 sends the packet back to the iMac
>
> Thanks a lot for helping me figure this out, I'm no network guru
> and thought it was "easy" to do such a thing :-)

Every machine's router must be local, i.e., in the same subnet. Your
iMac with an IP address of 10.something in your home cannot have a
default router of 213.something at another site, at least not the way
you describe.

What you're really describing is a VPN (virtual private network) tunnel
between your iMac and your remote server. The tunnel would make it look
like the iMac is connected directly to the remote server with a wire.
Basically the VPN software creates additional virtual interfaces on each
machine that transfer data only between them. You would set up the
iMac's default route to be over the VPN, in which case the remote server
can masquerade the iMac's virtual address.

It's not especially hard to set up a VPN, but it's not especially easy,
either. You probably should find someone knowledgeable and local whom
you trust to log in to each box and set it up for you, assuming you
still really want to do it.

Pascal Hambourg
(Msg. 8) Posted: Tue Sep 15, 2009 11:20 am
Post subject: Re: source NAT / masquerading on a dedicated server
Archived from groups: per prev. post

Hello,

neuneudr DeleteThis @yahoo.fr wrote:
> On Sep 14, 7:40 pm, Allen Kistler <ackist... DeleteThis @oohay.moc> wrote:
> ...
>> Every machine's router must be local, i.e., in the same subnet. Your
>> iMac with an IP address of 10.something in your home cannot have a
>> default router of 213.something at another site, at least not the way
>> you describe.
>
> Oh that's very interesting... I wasn't aware of that.

This is because we mostly use quite inadequate designations such as
"gateway" or "router". The most correct designation would be "next hop",
which makes it obvious that it must be a directly reachable neighbour
(otherwise it would require a next hop, and would not be a next hop itself).
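
The next-hop rule from the replies above, as an added example that is not part of the original thread: a small Python check that a route's gateway lies inside a directly connected subnet, run over the routing table proposed in Msg. 3 and over a tunnelled variant. The `tun0` interface and the 10.8.0.x tunnel addresses are assumptions constructed for the illustration, as are the function names.

```python
import ipaddress

def onlink_interface(gateway, interfaces):
    """Return the name of the interface whose subnet contains gateway, else None."""
    gw = ipaddress.ip_address(gateway)
    for name, cidr in interfaces.items():
        if gw in ipaddress.ip_interface(cidr).network:
            return name
    return None

def invalid_routes(interfaces, routes):
    """List (destination, gateway) pairs whose gateway is not a direct neighbour."""
    return [(dst, gw) for dst, gw in routes
            if onlink_interface(gw, interfaces) is None]

def next_hop(destination, interfaces, routes):
    """Longest-prefix match: return (interface, neighbour) for destination."""
    dst = ipaddress.ip_address(destination)
    # Connected subnets are delivered directly: the neighbour is the destination.
    candidates = [(ipaddress.ip_interface(c).network, n, destination)
                  for n, c in interfaces.items()]
    for route_dst, gw in routes:
        iface = onlink_interface(gw, interfaces)
        if iface is not None:   # a gateway that is not on-link can never be used
            candidates.append((ipaddress.ip_network(route_dst), iface, gw))
    matches = [c for c in candidates if dst in c[0]]
    if not matches:
        return None
    _, iface, neighbour = max(matches, key=lambda c: c[0].prefixlen)
    return iface, neighbour

# Routing table proposed in the thread, on the iMac (10.0.0.51, LAN 10.0.0.0/16).
LAN_ONLY = {"en0": "10.0.0.51/16"}
PROPOSED = [("213.168.33.33/32", "10.0.0.39"), ("0.0.0.0/0", "213.168.33.33")]

# With a tunnel: tun0 and the 10.8.0.x addresses are constructed for this example.
WITH_TUNNEL = {"en0": "10.0.0.51/16", "tun0": "10.8.0.2/24"}
TUNNELLED = [("213.168.33.33/32", "10.0.0.39"), ("0.0.0.0/0", "10.8.0.1")]

if __name__ == "__main__":
    print("proposed, rejected:", invalid_routes(LAN_ONLY, PROPOSED))
    print("proposed, 192.0.2.10 ->", next_hop("192.0.2.10", LAN_ONLY, PROPOSED))
    print("tunnel, rejected:", invalid_routes(WITH_TUNNEL, TUNNELLED))
    print("tunnel, 192.0.2.10 ->", next_hop("192.0.2.10", WITH_TUNNEL, TUNNELLED))
    print("tunnel, server ->", next_hop("213.168.33.33", WITH_TUNNEL, TUNNELLED))
```

In the tunnelled table the host route to the server still goes through 10.0.0.39, so the tunnel's own packets have a path, while everything else leaves through the tunnel peer, which is the address the remote server can then masquerade.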