Introduction
Like many small companies, we are typical in our use of RFC1918 addressing, specifically the 192.168.0.0/16 range. Because we needed some untrusted network access, as a security precaution I made the dubious decision to use overlapping address ranges that deliberately clashed with our own corporate network's, to make it especially hard for someone to hack our main network if the untrusted network were compromised.
Unfortunately those untrusted networks have become increasingly important, and developers at our company needed to use them. This became a problem because access was limited to a few physical locations. Now that you know why I went through all this rigmarole, here's how I accomplished it.
This mini-howto is for 2.4 kernels and ip netfilter. All the examples were tested on a 2.4.18 kernel.
The Situation
ASCII Art 1: The situation
Network 1
192.168.150.0 (Corporate)
--------------/-------------------------
Network 2
192.168.150.0 (Untrusted Network)

First Attempt: Single NAT
On my first try I simply used a third intermediate network which was routed to network 1 and connected the NAT box in-between.
ASCII Art 2: Attempt 1

Network 1
192.168.150.0 (Corp)
        |
     Router
        |
Network 2
192.168.180.0 (Intermediate)
        |
     NAT BOX
     eth0 192.168.180.180
     eth1 192.168.150.180
        |
Network 3
192.168.150.0 (Untrusted Network)

Using a combination of Destination NAT mappings and a Source NAT remapping, this was a partial success: I could access everything on Network 3 from any network that WASN'T Network 1. Why? The local routing policy on the NAT box.
The local routing policy on a normal Linux system is usually:
- Directly Connected Interfaces
- Static Routes
- Default Routes
In that order. So since the NAT box was directly connected to 192.168.150.0, there was no way for it to talk to Network 1: it was technically already directly connected to it, or at least to its doppelganger, so every packet for 192.168.150.x went straight out eth1 onto Network 3. I'm sure there's some way to overcome this using Alexey's ip util (policy routing), but I did not look into this further.
Second Attempt: Double NAT
Double NAT is one of those unholy things that makes network administrators cringe. Their bones crackle and sinews twist as they think of the nasty things that a) NAT does and b) Double NAT does doubly. It's a hack, but when you have two subnets with the same addressing that wish to communicate, it's a useful hack because it lets you decouple them into separate address space.
ASCII Art 3: Attempt 2

Network 1
192.168.150.0 (Corp)
        |
Network 2
192.168.180.0 (Intermediate)
        |
     NAT BOX 1
     eth0 192.168.180.180
     eth1 10.15.15.1
        |
     NAT BOX 2
     eth0 10.15.15.2
     eth1 192.168.150.252
        |
Network 3
192.168.150.0 (Untrusted Network)

Yeah, like I said, it's pretty satanic. So, first step: host preparation.
Rusty's Really Quick Guide To Packet Filtering Copied:
I will assume you've used Rusty's really quick guide to packet filtering and you already have 2 systems prepared for NAT. Check the Packet Filtering FAQ for more details.
'iptables -vL' will probably look something like this:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2434  219K block      all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
11657 5137K block      all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 2514 packets, 217214 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       icmp --  any    any     anywhere             anywhere            state INVALID
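Here is what the two rule sets for the Attempt 2 diagram look like, as an added example rather than the howto's own configuration. It assumes the eth0/eth1 layout as drawn, that each untrusted host 192.168.150.N is published to the corporate side as 192.168.180.N (a one-to-one mapping of my choosing), that the router's address on the intermediate network is 192.168.180.1 (a placeholder), and that iproute2's ip command is available. By default it is a dry run that only prints the commands; set DRY_RUN=0 to apply them as root. It also shows why the routing-policy problem from Attempt 1 goes away: NAT BOX 1 no longer has a directly connected 192.168.150.0 interface, so it can carry an ordinary static route back to the corporate network.

```shell
#!/bin/sh
# Added example, not the howto's own configuration: a dry-run generator for
# the double-NAT rule sets implied by "Attempt 2".  Interface names, the
# one-to-one host mapping, the published 192.168.180.N addresses and the
# router address are assumptions chosen to fit the diagram.
#
#   Corp 192.168.150.0/24 -- Router -- Intermediate 192.168.180.0/24
#   NAT BOX 1:  eth0 192.168.180.180   eth1 10.15.15.1
#   NAT BOX 2:  eth0 10.15.15.2        eth1 192.168.150.252
#   Untrusted 192.168.150.0/24 (same prefix as Corp)
#
# A corporate host reaches untrusted host 192.168.150.N by sending to the
# published address 192.168.180.N.  Each box rewrites one side only:
#   192.168.180.N  --box 1-->  10.15.15.N  --box 2-->  192.168.150.N
# so the clashing prefix is never both a destination and a directly
# connected network on the same box, which is what broke Attempt 1.

DRY_RUN=${DRY_RUN:-1}            # DRY_RUN=0 applies the commands (needs root)
ROUTER=${ROUTER:-192.168.180.1}  # assumed router address on the intermediate net
HOSTS="10 20 30"                 # last octets of untrusted hosts to publish (constructed sample)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# NAT BOX 1: corporate side.  Owns the published 192.168.180.N aliases.
nat_box1_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # No interface here carries 192.168.150.0/24 any more, so a plain static
    # route to the corporate network works (it could not in Attempt 1).
    run ip route add 192.168.150.0/24 via "$ROUTER" dev eth0
    for n in $HOSTS; do
        run ip addr add 192.168.180.$n/24 dev eth0
        # published address -> transit address on the 10.15.15.0 link
        run iptables -t nat -A PREROUTING -i eth0 -d 192.168.180.$n \
            -j DNAT --to-destination 10.15.15.$n
    done
    # Hide corporate sources behind the transit address.  Otherwise NAT BOX 2
    # would see a 192.168.150.x source and route the reply onto its own
    # directly connected, untrusted, 192.168.150.0 network.
    run iptables -t nat -A POSTROUTING -o eth1 -s 192.168.150.0/24 \
        -j SNAT --to-source 10.15.15.1
    run iptables -A FORWARD -i eth0 -o eth1 -d 10.15.15.0/24 -j ACCEPT
    run iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -j DROP
}

# NAT BOX 2: untrusted side.  Owns the transit 10.15.15.N aliases.
nat_box2_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    for n in $HOSTS; do
        run ip addr add 10.15.15.$n/24 dev eth0
        # transit address -> the real untrusted host
        run iptables -t nat -A PREROUTING -i eth0 -d 10.15.15.$n \
            -j DNAT --to-destination 192.168.150.$n
    done
    # Untrusted hosts only ever see this box's own address as the source, so
    # nothing about corporate addressing leaks onto the untrusted network.
    run iptables -t nat -A POSTROUTING -o eth1 -s 10.15.15.0/24 \
        -j SNAT --to-source 192.168.150.252
    run iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
    run iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The untrusted side may only answer, never originate, toward the transit link.
    run iptables -A FORWARD -j DROP
}

# Connection tracking undoes both translations on the return path, so the
# corporate client sees its reply arrive from 192.168.180.N.
echo "# --- NAT BOX 1 ---"; nat_box1_rules
echo "# --- NAT BOX 2 ---"; nat_box2_rules
```

The FORWARD chains are deliberately one-directional: the untrusted side can only answer connections that corporate hosts opened, which is the whole reason for keeping that network separate. If you want a conntrack-friendly check after applying the rules for real, `iptables -t nat -vnL` on each box should show hits on exactly one DNAT and one SNAT rule per test connection.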