NAT to a broadcast address using iptables? (Linux Networking forums, Linux Forums)
Hi,

I'm an iptables newbie. I have a busybox router that uses iptables 1.2.8. (Sorry if I have the wrong ng, but this seems to be where the iptables gurus are!)

I have a requirement to be able to send a packet across the internet and have it natted and forwarded to a directed broadcast address on the internal lan, e.g. UDP 213.1.2.3:9 --> 10.1.2.255/24:9. I've added the PREROUTING and FORWARDING rules which nat and forward to the broadcast address but a sniffer shows the packet not arriving. If I change both rules to a specific host (e.g. 10.1.2.1), it works fine. Is what I'm trying to do possible? (Yes, I know it's insane, but is it possible!?)

TIA

Hello,

news@mail.adsl4less.com wrote:
>
> I'm an iptables newbie. I have a busybox router that uses iptables
> 1.2.8. (Sorry if I have the wrong ng, but this seems to be where the
> iptables gurus are!)

Oh, so you're looking for iptables gurus... then don't bother to read my reply.

> I have a requirement to be able to send a packet
> across the internet and have it natted and forwarded to a directed
> broadcast address on the internal lan, e.g. UDP 213.1.2.3:9 -->
> 10.1.2.255/24:9. I've added the PREROUTING and FORWARDING rules which
> nat and forward to the broadcast address but a sniffer shows the packet
> not arriving. If I change both rules to a specific host (e.g.
> 10.1.2.1), it works fine. Is what I'm trying to do possible?

Netfilter/iptables itself does not care whether an IP address is a broadcast or unicast address (which can cause trouble with connection tracking). But in the Linux kernel IP stack, the DNAT operation in the PREROUTING chain takes place before the input routing decision is taken. So the input routing algorithm receives a packet with a broadcast destination address, but it won't forward such packets. Broadcast packets can only be sent or received locally, not forwarded.

> (Yes, I know it's insane, but is it possible!?)

I'm afraid it is not possible to do this with iptables. Is your goal to do some kind of remote wake-on-LAN?

Pascal Hambourg wrote:
> Hello,
>
> news@mail.adsl4less.com wrote:
>
> Oh, so you're looking for iptables gurus... then don't bother to read my
> reply.

LOL

> Netfilter/iptables itself does not care whether an IP address is a
> broadcast or unicast address (which can cause trouble with connection
> tracking). But in the Linux kernel IP stack, the DNAT operation in the
> PREROUTING chain takes place before the input routing decision is taken.
> So the input routing algorithm receives a packet with a broadcast
> destination address, but it won't forward such packets. Broadcast
> packets can only be sent or received locally, not forwarded.
>
>> (Yes, I know it's insane, but is it possible!?)
>
> I'm afraid it is not possible to do this with iptables. Is your goal to
> do some kind of remote wake-on-LAN?

Indeed it is - exactly that.

news@mail.adsl4less.com wrote:
>>
>> I'm afraid it is not possible to do this with iptables. Is your goal to
>> do some kind of remote wake-on-LAN?
>
> Indeed it is - exactly that.

The problem with sending unicast packets to a sleeping host is ARP resolution. If your router supports the 'arp' or 'ip' commands, you could try to add a static ARP entry for your target IP address on the router:

    $ arp -s <target_ip_addr> <target_mac_addr>

or

    $ ip neigh add <target_ip_addr> lladdr <target_mac_addr> dev <lan_iface>

Pascal Hambourg wrote:
>
> The problem with sending unicast packets to a sleeping host is ARP
> resolution. If your router supports the 'arp' or 'ip' commands, you
> could try to add a static ARP entry for your target IP address on the
> router:
>
> $ arp -s <target_ip_addr> <target_mac_addr>
>
> or
>
> $ ip neigh add <target_ip_addr> lladdr <target_mac_addr> dev <lan_iface>

But, the magic packet can be sent to either the mac address of the target or the broadcast ethernet address. As I planned for the latter, I didn't think that ARP resolution is a problem.

However, if I understand you correctly, there's no way to configure the router to allow the directed subnet broadcast, so you're saying that I'd have to direct a packet to a specific IP address and use a static arp entry to force the packet to go to a specific mac address?

news@mail.adsl4less.com wrote:
>
> But, the magic packet can be sent to either the mac address of the
> target or the broadcast ethernet address. As I planned for the latter,
> I didn't think that ARP resolution is a problem.

Correct. This is the advantage of the IP directed broadcast address which is translated into the ethernet broadcast address without ARP resolution.

> However, if I
> understand you correctly, there's no way to configure the router to
> allow the directed subnet broadcast,

Indeed, I'm afraid no.

> so you're saying that I'd have to
> direct a packet to a specific IP address and use a static arp entry to
> force the packet to go to a specific mac address?

Yes. You could also set the static ARP entry so that the chosen unicast IP address resolves into the broadcast ethernet address.

Pascal Hambourg wrote:
>
> Yes. You could also set the static ARP entry so that the chosen unicast
> IP address resolves into the broadcast ethernet address.

A very cunning plan indeed! I'll give it a go. Many thanks.
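As an added example (not code from the thread or from either poster), here is a small router-side shell script that wires up Pascal's two suggestions above: the inbound UDP packet is DNATed to a chosen, otherwise unused unicast address on the LAN, allowed through the FORWARD chain, and a static neighbour entry maps that unicast address to the Ethernet broadcast MAC, so the frame reaches every host on the segment without any ARP resolution. The interface names (eth0, br0), the spare LAN address 10.1.2.254, the trusted sender 198.51.100.10 (a documentation address) and port 9 are all assumed placeholders. By default the script only prints the commands (DRY_RUN=1); run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example, not from the thread: router-side setup for remote wake-on-LAN
# via DNAT to a unicast address that a static neighbour entry resolves to the
# Ethernet broadcast MAC. Every name and address below is an assumed placeholder.
WAN_IF="${WAN_IF:-eth0}"                     # assumed internet-facing interface
LAN_IF="${LAN_IF:-br0}"                      # assumed LAN interface
WOL_IP="${WOL_IP:-10.1.2.254}"               # assumed unused unicast address in 10.1.2.0/24
WOL_PORT="${WOL_PORT:-9}"                    # discard port, as in the thread's example
TRUSTED_SRC="${TRUSTED_SRC:-198.51.100.10}"  # assumed public address allowed to trigger the wake
BCAST_MAC="ff:ff:ff:ff:ff:ff"                # Ethernet broadcast address
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print the commands, 0 = execute them (needs root)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit (or apply) the three pieces of router configuration.
wol_rules() {
    # 1. Rewrite the inbound packet's destination to the chosen unicast address.
    #    The -s match limits who is able to inject a broadcast frame into the LAN;
    #    without it anyone on the internet could do so.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -s "$TRUSTED_SRC" -p udp \
        --dport "$WOL_PORT" -j DNAT --to-destination "$WOL_IP:$WOL_PORT"
    # 2. Let the rewritten packet through the FORWARD chain towards the LAN.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p udp -d "$WOL_IP" \
        --dport "$WOL_PORT" -j ACCEPT
    # 3. Static neighbour entry: the unicast IP resolves to the broadcast MAC,
    #    so no ARP request is sent and the frame is delivered to every LAN host.
    #    'replace' rather than 'add' keeps the script safe to run twice.
    run ip neigh replace "$WOL_IP" lladdr "$BCAST_MAC" dev "$LAN_IF"
}

wol_rules
```

The wake packet is then sent to the router's public address on UDP port 9 from the trusted source; on the LAN side its IP destination is the placeholder unicast address, but the Ethernet frame carries the broadcast MAC, which is all a wake-on-LAN capable NIC needs since it only inspects the magic-packet payload. On older busybox builds `ip neigh` may be absent, in which case the equivalent `arp -s "$WOL_IP" ff:ff:ff:ff:ff:ff` quoted in the thread applies.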