# iptables: How to change the destination of the traffic?

## d2_racing

Hi guys, at work I have to use an RSA token on Windows XP, and since I hate Win.... and I work inside a corporate network, I need your advice on that:

I would like to build a WinXP VirtualBox VM on my Gentoo box and change all my outgoing traffic from my Gentoo box to that VirtualBox VM, so that I can access the network that requires an RSA Checkpoint token through the VM.

One of my friends knows how to make a WinXP bridge, but on my Gentoo box, do I basically need to use iptables so that all of my outgoing traffic passes through that VM?

How can I do that, and also, is this the right method?

Do I need to use PREROUTING or POSTROUTING or something else?

My IP is 192.168.1.14 on my Gentoo box.

The VM IP is 192.168.1.19.

I thought that maybe I could change the default gateway inside my Gentoo box, but I'm not sure if it's enough or the right method?

Does anyone have an idea?

Thanks!

----------

## Hu

I think we will need a bit more information.  To be sure I understand the topology, you currently use a Windows machine running on bare metal, but wish to switch and use a Gentoo machine on bare metal and have that Gentoo serve as a host with a VirtualBox guest of Windows, correct?  Further, you believe that the network will refuse to serve your Gentoo machine, but that the Windows guest will still be authenticated in such a way that it can use the network.  Therefore, you want the Gentoo machine to route all its traffic to the Windows guest, which will then forward it as authenticated traffic that the network will allow.

If my summary is correct, my first thought would be to check whether the network does in fact refuse service to the Gentoo machine.  I have no reason to believe it will or will not work, but the effort required to achieve the setup you describe is such that I would hate to do it unnecessarily.

If you do need to employ this setup, I would create two virtual NICs, tap0 and tap1.  Structure it such that eth0 is not configured by Gentoo and is instead bridged to tap0.  Set your Linux default route to go through tap1.  Configure Windows such that tap0 is considered a WAN connection and tap1 is a private LAN between Linux and Windows.  You can then use the Windows routing functionality to NAT Linux traffic so that it appears to come from the Windows machine.

----------

## d2_racing

 *Hu wrote:*   

> I think we will need a bit more information.  To be sure I understand the topology, you currently use a Windows machine running on bare metal, but wish to switch and use a Gentoo machine on bare metal and have that Gentoo serve as a host with a VirtualBox guest of Windows, correct?

 

Yes, one portion of my corporate network uses RSA Checkpoint security, and since it's proprietary, my Gentoo box doesn't have the credentials to access that portion.

----------

## d2_racing

 *Hu wrote:*   

> Further, you believe that the network will refuse to serve your Gentoo machine, but that the Windows guest will still be authenticated in such a way that it can use the network.  Therefore, you want the Gentoo machine to route all its traffic to the Windows guest, which will then forward it as authenticated traffic that the network will allow.

Yes, right now my WinXP VM on my box has the Checkpoint program, and I can access the corporate network if I use that VM, but with my Gentoo box I can't, as you already know.

----------

## BradN

edit: slow post, you might want to disregard some of this in favor of the above

I haven't messed with iptables in a long time, and don't know much about virtualized network connections, but some info that might help someone else help you:

What port(s) are involved, or does all traffic need to go through XP?

If it's just a port or two that have to be specially redirected to XP, I think you can do that with SNAT in iptables.  I can't 100% remember, but I think it goes in POSTROUTING then.

If it's all traffic, you might be able to get by with internet connection sharing in XP if you can use 2 virtual interfaces on the XP, one uplink to connect to the network normally, and a share connection for gentoo to connect to.

If that's how it is, you would get your Gentoo connection through that 2nd virtual interface, and just leave the hardware Ethernet interface "up" but with no address, but bridged/tunneled/whatever to XP's 1st interface.

I hope this helps, good luck!

Last edited by BradN on Fri Sep 24, 2010 3:55 am; edited 1 time in total
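For the "just a port or two" case, here is an added example (not code from the thread) that steers only selected traffic through the guest while the Gentoo host keeps its own 192.168.1.14 on eth0. It uses a firewall mark plus a policy route rather than NAT: SNAT rewrites the source address and DNAT the destination, whereas what is needed here is an unchanged destination with a different next hop, namely the guest at 192.168.1.19, which must itself forward and NAT what it receives (the Windows-side step Hu describes). The restricted network 10.20.0.0/16, the port list 22,443, routing table 100 and mark 0x1 are assumptions; `DRY_RUN=1` prints the commands instead of running them, and `rule_precedes_main` checks the text of `ip rule show` offline.

```shell
#!/bin/sh
# Send only selected traffic through the Windows guest, leaving the host's own
# 192.168.1.14 in place. Added example, not code from the thread. Assumptions
# (not in the original): the restricted network is 10.20.0.0/16, only TCP ports
# 22 and 443 matter, and routing table 100 / fwmark 0x1 are free. The guest at
# 192.168.1.19 must forward and NAT what it receives (Hu's Windows-side step).
set -eu

GUEST=${GUEST:-192.168.1.19}
RESTRICTED=${RESTRICTED:-10.20.0.0/16}
PORTS=${PORTS:-22,443}
TABLE=100
MARK=0x1
DRY_RUN=${DRY_RUN:-}   # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The destination address stays as-is; only the next hop changes. Locally
# generated packets never pass PREROUTING, so the mark is set in mangle/OUTPUT
# and a policy rule sends marked packets to a table whose default is the guest.
# DNAT would rewrite the destination and SNAT the source; neither is wanted here.
steer_via_guest() {
    run iptables -t mangle -A OUTPUT -d "$RESTRICTED" -p tcp -m multiport --dports "$PORTS" -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add default via "$GUEST" table "$TABLE"
    run ip route flush cache
}

unsteer() {
    run iptables -t mangle -D OUTPUT -d "$RESTRICTED" -p tcp -m multiport --dports "$PORTS" -j MARK --set-mark "$MARK"
    run ip rule del fwmark "$MARK" lookup "$TABLE"
    run ip route flush table "$TABLE"
}

# Check on the text of `ip rule show`: succeed only if a rule for our mark and
# table exists and has a lower priority number (is consulted earlier) than main.
rule_precedes_main() {
    printf '%s\n' "$1" | awk -v mark="$MARK" -v tbl="$TABLE" '
        index($0, "fwmark " mark) && index($0, "lookup " tbl) { sub(":", "", $1); fw = $1 + 0; seen = 1 }
        index($0, "lookup main")                                 { sub(":", "", $1); mn = $1 + 0 }
        END { exit !(seen && fw < mn) }'
}

case "${ACTION:-}" in
    steer)   steer_via_guest ;;
    unsteer) unsteer ;;
    check)
        if rule_precedes_main "$(ip rule show)"; then
            echo "mark rule active and consulted before main"
        else
            echo "mark rule missing or ordered after main"; exit 1
        fi ;;
esac
```

Run as root with `ACTION=steer`, verify with `ACTION=check`, and undo with `ACTION=unsteer`; `DRY_RUN=1 ACTION=steer sh steer.sh` shows what would be executed. If the whole restricted subnet rather than a few ports is the criterion, the mark is unnecessary and a plain `ip route add 10.20.0.0/16 via 192.168.1.19` does the same job.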

----------

## d2_racing

 *Hu wrote:*   

> If you do need to employ this setup, I would create two virtual NICs, tap0 and tap1.  Structure it such that eth0 is not configured by Gentoo and is instead bridged to tap0.  Set your Linux default route to go through tap1.  Configure Windows such that tap0 is considered a WAN connection and tap1 is a private LAN between Linux and Windows.  You can then use the Windows routing functionality to NAT Linux traffic so that it appears to come from the Windows machine.

 

Can you give me more info on how to do that? I really like the VM method that you describe.

 *Hu wrote:*   

> You can then use the Windows routing functionality to NAT Linux traffic so that it appears to come from the Windows machine.

 

YES, you understand 100% what I want!!!!

----------

## BradN

Another thought, can you run the client in wine?  You'd at least get around the overhead of running a whole VM...

----------

## d2_racing

I'm gonna need to test that on Monday.

----------

## Hu

 *BradN wrote:*   

> Another thought, can you run the client in wine?  You'd at least get around the overhead of running a whole VM...

It depends on how the network access restriction is enforced.  If it is something simplistic, that could work.  Broadly, I can see two ways the access control could be done.  The first way, which is simplistic and relatively easy to bypass, would be that the Windows program tells the router to allow access from the client IP for a specified duration.  Without such a notice, the router simply drops the traffic sent to the restricted subnet.  This is easy to implement, light on the network, and fairly insecure.  The second way would be to firewall off that section of the network and require that any traffic sent to it be over a VPN or at least inside IPsec encryption.  If they went with the first approach, running the client in Wine or running it in a NAT'd guest might work.  If they went with the second approach, then we definitely need to use the convoluted approach of causing the Windows machine to send all relevant traffic.

 *d2_racing wrote:*   

> Can you give me more info on how to do that? I really like the VM method that you describe

What part do you need more detail on?  I tried to outline all the major steps, though obviously my original post is insufficient as a how-to.  As a quick and untested approach, try this.  Add/change in /etc/conf.d/net:

```
config_eth0=( "null" )            # eth0 gets no address of its own on the host

bridge_br0="eth0 tap0"            # br0 joins the physical NIC and the guest's tap0

brctl_br0=( "setfd 0" "sethello 0" "stp off" )

tuntap_tap0='tap' # TODO: Is this right? (tap: a bridge port must carry Ethernet frames)

tuntap_tap1='tap' # tap rather than tun: the guest attaches tap1 as a NIC, which needs Ethernet frames
```

For the TODO line, you will need to check whether to use tun or to use tap when bridging.  Start your guest with `-net tap,vlan=0,script=no,downscript=no,ifname=tap0 -net tap,vlan=1,script=no,downscript=no,ifname=tap1` to attach both tap devices to the guest.  Set appropriate `-net nic` arguments for both of those.  In the guest, treat tap0 as a public interface and tap1 as a private interface.  I do not handle Windows routing, so you are on your own there.
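The host-side half of the two-tap layout from Hu's two posts (tap0 bridged to eth0 with no host address, default route out through tap1 to the guest), done by hand with iproute2 and brctl instead of /etc/conf.d/net, as an added example that is not code from the thread. The tap owner user, the private host-guest subnet 10.10.10.0/24 (guest 10.10.10.1, host 10.10.10.2) and the `APPLY`/`DRY_RUN` switches are assumptions; the guest side (assigning tap0 the corporate address such as 192.168.1.19 and NATing tap1 traffic) is Windows configuration and is not covered. `leaking_defaults` is the check a practitioner wants afterwards: any default route that does not go through tap1 lets host traffic bypass the guest.

```shell
#!/bin/sh
# Host-side half of the two-tap layout, done by hand with iproute2 and brctl.
# Added example: not code from the thread. Assumptions (not in the original):
# the VirtualBox user is $VBOX_USER, the host<->guest private link is
# 10.10.10.0/24 with the guest at 10.10.10.1 and the host at 10.10.10.2.
set -eu

PHYS=${PHYS:-eth0}              # physical NIC, gets no address on the host
VBOX_USER=${VBOX_USER:-d2}      # owner of the tap devices (assumption)
GUEST_PRIV=${GUEST_PRIV:-10.10.10.1}
HOST_PRIV=${HOST_PRIV:-10.10.10.2/24}
DRY_RUN=${DRY_RUN:-}            # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# tap0: bridged to the physical NIC, becomes the guest's "WAN" side.
# tap1: private point-to-point LAN between host and guest.
setup_taps() {
    run ip tuntap add dev tap0 mode tap user "$VBOX_USER"
    run ip tuntap add dev tap1 mode tap user "$VBOX_USER"
    run ip link set tap0 up
    run ip link set tap1 up
}

# br0 = eth0 + tap0 with no address: Ethernet frames pass between the corporate
# LAN and the guest, but the host itself is not reachable on that LAN.
setup_bridge() {
    run ip addr flush dev "$PHYS"
    run ip link set "$PHYS" up
    run brctl addbr br0
    run brctl setfd br0 0
    run brctl stp br0 off
    run brctl addif br0 "$PHYS"
    run brctl addif br0 tap0
    run ip link set br0 up
}

# Everything the host sends leaves via tap1 towards the guest, which NATs it.
setup_routing() {
    run ip addr add "$HOST_PRIV" dev tap1
    run ip route replace default via "$GUEST_PRIV" dev tap1
}

# Leak check on the text of `ip route show`: print every default route that
# does not go through tap1. Any output means traffic can bypass the guest.
leaking_defaults() {
    printf '%s\n' "$1" | awk '$1 == "default" && $0 !~ /dev tap1/'
}

if [ "${APPLY:-}" = 1 ]; then
    setup_taps
    setup_bridge
    setup_routing
    leaks=$(leaking_defaults "$(ip route show)")
    [ -z "$leaks" ] || { printf 'bypass route present:\n%s\n' "$leaks"; exit 1; }
fi
```

Run `DRY_RUN=1 APPLY=1 sh twotap.sh` first to see the commands, then `APPLY=1 sh twotap.sh` as root before starting the guest with both tap devices attached. Once the guest is up, `ping 10.10.10.1` proves the private link and `ip route show` should list exactly one default route, via tap1.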

----------

