I'm sure that if I could make a decent job of explaining what I mean I could Google for this but...
My PC is (say) 192.168.1.10, and it can access a remote device (192.168.2.100) via a VPN.
What I want to do is give my PC an extra IP address (eg 192.168.1.11) and map all network traffic to that IP address (on any port, and including broadcast traffic) to 192.168.2.100, and send any responses back.
In doing so, any other PC on my LAN would be able to access the remote device as if it were local (192.168.1.11).
Can I do this?
(Background: In this case I have some brain-dead Windows configuration software that can only talk to devices on the LAN, so I need to make the remote device appear as if it were on the LAN. However I have had similar challenges in the past where using a local Linux box as a conduit to remote devices would have been useful.)
If relevant, whilst 192.168.2.100 is not a Linux PC (it's an industrial I/O unit), I do have a Linux PC on the remote network that could form part of the tunnel if required. The key point is that I need the remote unit to appear to be on the local network, not just to be accessible from it. My Windows PC can ping (etc) the remote unit fine via the VPN itself, but the configuration software will only search for and work with devices on 192.168.1.0/24, so I need to fake it.
If it's just for this thing then you could simply set up an ssh tunnel on your PC.
ssh -N -L 0.0.0.0:8888:127.0.0.1:1234 user@192.168.2.100
Something like that would map port 8888 on your PC to port 1234 of the remote box.
Though that requires the remote thing to be running ssh. If it isn't, you could socat. My socat-fu is weak and it's been a while since I've used it but possibly something like:
socat TCP-LISTEN:8888 TCP:192.168.2.100:1234
Steve
On 26/05, Mark Rogers wrote:
On 2015-05-26 12:17, Mark Rogers wrote:
I'm sure that if I could make a decent job of explaining what I mean I could Google for this but...
My PC is (say) 192.168.1.10, and it can access a remote device (192.168.2.100) via a VPN.
What I want to do is give my PC an extra IP address (eg 192.168.1.11) and map all network traffic to that IP address (on any port, and including broadcast traffic) to 192.168.2.100, and send any responses back.
It sounds like what you'll need to create is a DNAT on your linux machine. That will require a couple of things to be set up. I'm doing this from memory, so I'd recommend reading up on your distribution's forums on how to implement NAT forwarding as well, since I may have missed things or suggest something that will get undone automatically for you :)
1) you'll need to add the fixed IP address that you want to listen on to your linux machine. Temporarily that can be done by saying "ip addr add 192.168.1.11/24 dev eth0" assuming your network interface is named eth0 and you're on a 24-bit subnet (that is to say your subnet mask is 255.255.255.0). You should do this the way your Linux Distribution recommends to make it permanent (for Debian/Ubuntu/Mint it'll be set in /etc/network/interfaces, for RedHat/CentOS/Scientific Linux it'll be a configuration in /etc/sysconfig/network-scripts etc)
2) You'll need to enable IP Forwarding - either in /etc/sysctl.conf, or as is recommended in modern distributions a file in /etc/sysctl.d/*.conf, you want to enter the following: "net.ipv4.ip_forward = 1" and apply that by running "sysctl -p"
3) You should add the NAT rules to your netfilter (IPTables) ruleset, and save the rules (in RedHat/Centos this is a simple "service iptables save", in debian/ubuntu/mint you'll need to look at using something like the iptables-persistent package). The rules you need will look something like the following:
iptables -t nat -A PREROUTING -d 192.168.1.11 -j DNAT --to-destination 192.168.2.100
iptables -t nat -A POSTROUTING -s 192.168.2.100 -j SNAT --to-destination 192.168.1.11
Once you have the rules in place, you should see all traffic on that secondary address being NAT'd to the remote host across your VPN.
Hope that at least points you in the right direction. A good (albeit slightly dated) grounding in IPTables and networking can be found in the Linux Advanced Routing and Traffic Control HOWTO at http://www.lartc.org, also the Linux-IP documentation site at http://linux-ip.net has lots of relevant information and examples.
Regards,
Jim
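Added example, not from the thread: a script that generates (and with --apply, runs as root) a rule set for the alias-to-remote mapping Jim describes. It differs from the rules quoted above in two places, both assumptions of this example: the source NAT is put on the outbound VPN leg (MASQUERADE on the VPN interface, so the remote unit's replies come back through this box and conntrack reverses the DNAT) and the FORWARD chain is explicitly opened; the interface names eth0 and tun0 are also assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Generates, and with "--apply" runs as
# root, the rules that make LAN traffic for ALIAS_IP reach REMOTE_IP over the
# VPN. Interface names and the MASQUERADE/FORWARD rules are assumptions.
LAN_IF=${LAN_IF:-eth0}          # LAN interface that carries the alias address
VPN_IF=${VPN_IF:-tun0}          # interface the route to 192.168.2.0/24 leaves by
ALIAS_IP=${ALIAS_IP:-192.168.1.11}
REMOTE_IP=${REMOTE_IP:-192.168.2.100}

# Emit the commands as text so they can be reviewed before anything is changed.
# PREROUTING DNAT runs before the routing decision, so the rewritten packet is
# routed out of the VPN; MASQUERADE makes the remote unit answer this box, which
# then un-does the DNAT and hands the reply back to the LAN client.
nat_rules() {
    cat <<EOF
ip addr replace ${ALIAS_IP}/24 dev ${LAN_IF}
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -d ${ALIAS_IP} -j DNAT --to-destination ${REMOTE_IP}
iptables -t nat -A POSTROUTING -o ${VPN_IF} -d ${REMOTE_IP} -j MASQUERADE
iptables -A FORWARD -i ${LAN_IF} -o ${VPN_IF} -d ${REMOTE_IP} -j ACCEPT
iptables -A FORWARD -i ${VPN_IF} -o ${LAN_IF} -s ${REMOTE_IP} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Number of iptables rules in the generated set (a sanity check for callers).
rule_count() {
    nat_rules | grep -c '^iptables '
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "--apply needs root" >&2; exit 1; }
    nat_rules | sh -ex        # stop at the first command that fails
else
    nat_rules                 # dry run: only show what would be done
fi
```

Note that the -d match only sees unicast packets addressed to 192.168.1.11; the broadcast discovery that LAN-only configuration tools typically use to find a device is not rewritten by DNAT and would need a separate relay.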
On 26 May 2015 at 12:56, Jim Rippon jim@rippon.me.uk wrote:
It sounds like what you'll need to create is a DNAT on your linux machine. That will require a couple of things to be set up. I'm doing this from memory, so I'd recommend reading up on your distribution's forums on how to implement NAT forwarding as well, since I may have missed things or suggest something that will get undone automatically for you :)
Thanks for this and sorry for the tardy response.
I tried the commands as you wrote them, which were all accepted except:
iptables -t nat -A POSTROUTING -s 192.168.2.100 -j SNAT --to-destination 192.168.1.11
.. which I had to change to:
iptables -t nat -A POSTROUTING -s 192.168.2.100 -j SNAT --to 192.168.1.11
But I couldn't get it to actually work. I spent a while with Google before I received a call from the people who wrote the Windows software who gave me an alternative workaround, so the original need went away.
I'd still like to get this working though. In order that I can research this more fruitfully, what's the technical term for what I am actually trying to do? Is "creating a DNAT" sufficient or is that too broad?
A good (albeit slightly dated) grounding in IPTables and networking can be found in the Linux Advanced Routing and Traffic Control HOWTO at http://www.lartc.org, also the Linux-IP documentation site at http://linux-ip.net has lots of relevant information and examples.
I will spend some time here too, thanks.