Tuesday, 22 June 2010

Networks Are Smart!

It's been a long time since my last post; life sometimes leads people to unexpected situations...

But now I am back for a while...

These days I am working on a firewall module based on netfilter/iptables. To test the module I set up a test environment of three Linux machines, all on the same local network. The test scenario looks like this:
  • Machine A: Client machine
  • Machine B: The machine where my module works
  • Machine C: Server machine
On A, I added a route that sends traffic for C via B (so B acts as A's gateway towards C):

route add -net C netmask 255.255.255.0 gw B dev eth0

And enabled IPv4 forwarding on B, at runtime and persistently:

echo 1 > /proc/sys/net/ipv4/ip_forward            # takes effect immediately
/etc/sysctl.conf -- net.ipv4.ip_forward = 1       # survives a reboot
/etc/sysconfig/network -- FORWARD_IPV4=true       # older Red Hat style init scripts

Everything seemed perfect, but when I watched the packets going from A to C, I saw that after the first packet A starts sending directly to C and bypasses B (the gateway). This is what an ICMP redirect produces: B forwards the first packet back out the same interface it arrived on, notices that A and C are on the same subnet, and tells A to use C as its next hop; A then updates its route cache accordingly.

I tried to find a solution by searching the web but couldn't find a suitable one, so I began reading the documentation and found a solution using IP masquerading. On machine B add the following rule:

iptables -t nat -A POSTROUTING -d C -o eth0 -j MASQUERADE

And everything works as desired: each packet from A to C is routed through B, and since C now sees B's address as the source, the replies come back through B as well. If you still see the forward direction bypassing B, stop B from sending redirects in the first place (net.ipv4.conf.all.send_redirects = 0 on B, and net.ipv4.conf.all.accept_redirects = 0 on A) and restrict the masquerade rule with -s A so that only the test client is rewritten.
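The whole gateway-side setup for machine B in one script, as an added example that is not part of the original post or of the author's module. It assumes placeholder addresses for A and C (192.0.2.10 and 192.0.2.30), the interface name eth0, and a DRY_RUN switch that prints the commands instead of executing them; all of these are this example's own assumptions. Besides the masquerade rule from the post, it disables ICMP redirects on B, which is the other knob that keeps A's traffic on the gateway, and adds FORWARD rules so nothing in the filter table drops the test flow.

```shell
#!/bin/sh
# Added example, not code from the original post.  A_IP, C_IP, IFACE and
# DRY_RUN are assumptions of this example; replace the addresses with yours.
A_IP="${A_IP:-192.0.2.10}"      # client A   (placeholder address)
C_IP="${C_IP:-192.0.2.30}"      # server C   (placeholder address)
IFACE="${IFACE:-eth0}"          # the one LAN interface of B
DRY_RUN="${DRY_RUN:-}"          # set to any value to print instead of execute

# Run a command, or just print it when DRY_RUN is set, so the script can be
# reviewed on a machine where you are not root.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Turn B into a router.  send_redirects=0 stops B from telling A to go
# straight to C: B forwards A's packet back out the interface it arrived on,
# and the kernel would otherwise answer with an ICMP redirect.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$IFACE.send_redirects=0"
    run sysctl -w net.ipv4.conf.all.send_redirects=0
}

# Masquerade A's traffic to C so that C answers B instead of A and the reply
# also crosses the filtering module.  The -s match limits the rewrite to the
# test client instead of every host that happens to route via B.
add_masquerade() {
    run iptables -t nat -A POSTROUTING -s "$A_IP" -d "$C_IP" -o "$IFACE" -j MASQUERADE
}

# Let the test flow through the filter table in both directions; the module
# under test is expected to hook in before these rules.
allow_forward() {
    run iptables -A FORWARD -s "$A_IP" -d "$C_IP" -j ACCEPT
    run iptables -A FORWARD -s "$C_IP" -d "$A_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Show the settings worth checking after the setup.
show_state() {
    run sysctl net.ipv4.ip_forward "net.ipv4.conf.$IFACE.send_redirects"
    run iptables -t nat -L POSTROUTING -v -n
}

setup_gateway() {
    enable_forwarding
    add_masquerade
    allow_forward
    show_state
}

# Apply only when explicitly asked for, so the file can be sourced safely.
if [ "${GATEWAY_SETUP:-0}" = 1 ]; then
    setup_gateway
fi
```

Review the commands first with `DRY_RUN=1 GATEWAY_SETUP=1 sh gateway-b.sh`, then apply them as root with `GATEWAY_SETUP=1 sh gateway-b.sh`. To confirm that the redirect no longer happens, run `tcpdump -ni eth0 icmp` on A while the first packets to C go out: with send_redirects disabled on B, no ICMP redirect should appear.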