3

I have the following setup:

  • My Lan is 10.56.8.0/23
  • I have a gateway with internet access(INETIP-A) and the LAN IP 10.56.9.1
  • I have another gateway with internet access(INETIP-B) and the LAN IP 10.56.9.15
  • I have a PC used as default gateway for every host on the network with the IP 10.56.9.5. I want to do all my changes here.

The default internet connection is via 10.56.9.15 (it's faster), but I only have control over 10.56.9.1, so for some specific hosts this should be the route. To achieve this in a general way, I set up 10.56.9.5 as a router establishing 10.56.9.15 as default GW and adding specific routes for the hosts that need to be accessed via 10.56.9.1.

I now need to open access from the internet to a host VNC server. I have this problem.

  • I forward 5900 port on 10.56.9.1 to the VNC server
  • Some internet host A tries to connect to 10.56.9.1 external interface (INETIP-A), port 5900
  • The VNC server has as default GW 10.56.9.5, which also has as default GW 10.56.9.15, so the answer to the connection gets routed back via 10.56.9.15 external interface (INETIP-B).
  • When the answer package reaches its destination (the internet host A) it's discarded because it's coming from a different host than intended (INETIP-B instead of INETIP-A)

Is there a way to route back packets through a specific gateway without declaring the source ip and without making any specific setup on the end hosts (only on routers and gateways)?

Savaj
  • 31
  • 2

1 Answers1

2

Yes you can, depending on your gateways ability to allow the configuration.

You setup a NAT rule on the gateway to mangle the source address of the VNC traffic to a local gateway ip address on the way in (or more specifically in linux, on the way out of your internal interface).

It's good to use an alias ip address (or pool of them) on the gw interface so you can identify and separate the mangled traffic from normal. Set aside an address or subnet that is in the local address space, but treated like an external address trust wise, say 10.56.9.254

Also logging before the NAT is useful so you can identify where traffic really came from as your VNC box will now see a local internal address for all connections.

When the traffic get's to VNC it see's a local source address that will always be routed back where ever you assigned it (the nat gw the traffic originated from) then the traffic will go back out the way it came in and be de-mangled on the way out.

In linux world, the address and nat rule will look like: 

ip address add 10.56.9.254 dev intnic0
iptables -t nat -A POSTROUTING -o intnic0 -p tcp --destination 10.56.9.vnc --dport 5900 -j SNAT --to 10.56.9.254

You can do the same on the other GW with another IP, say 253 and then you can connect via either.

If you step through the connection process this is essentially what your NAT is doing on the way out from your internal network. Modifying the source IP, sending the packets on and mapping them back when the packets come back. You just want to do it for a specific connection and the opposite direction which is where gateway config comes in. Does it let you configure what it is capable of?

edit: you could implement the same NAT rules on the default GW 10.56.9.5 if you route the VNC traffic in via 10.56.9.5 and can identify the internet gw the data came from. Maybe via marking the packets on the way through the gateways or into into the default gw where you can still tell where the packets came from.

Matt
  • 1,559
  • 8
  • 11