Friday, January 6, 2012

Virtually plopping an NT box on a distant network

Back before the days when OpenVPN existed, I once pulled off a nice little feat of network mangling. I was working at a school district office at the time, and shared space with their MCSE "network engineers". One of them had some weird problem and I decided to help.

I used to say the best administration tool for their NT machines was a CAR -- that is, a vehicle with four wheels, as in "get in one and drive out there to poke at it from the console". This day was no exception. He was doing something with a machine on his desk and yet somehow needed it to be on the network at one of our middle schools.

Then, later, he'd need it back on the local network, and then back on the middle school network again. I have no idea what kind of wretched thing he was doing to that poor machine, but it was bound to involve a whole lot of driving. I figured I could do something to prevent it.

By this time, we had already built and installed my CD towers at all of the schools, so I had root on a Linux box on every distant network. I asked him what IP address his machine had, then added it as an alias on the tower out there. That got the machines on that network to start delivering return packets for him to the tower.

Now I needed to get those packets back over to us. I chose ipip because it could be compiled as a module and then insmodded (pre-modprobe days) without rebooting the machines. My CD tower was in production use at the time, so a reboot in the middle of the day would have been right out.

After making up some random RFC 1918 addresses for either end of the tunnel, I added another route from the tower back to one of my systems there in our office. That meant packets for him were now right there with us. At this point, I just needed to get them over to his wayward system. I forget exactly how I did that, but it was interesting because his host was misconfigured for that network. I suspect it involved both a "route add -host blah eth0" and a static ARP setting to just make it sling the packets onto the network and hope for the best.
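The setup described above, reconstructed as an added example with modern iproute2 rather than the insmod/ifconfig/route commands of the day (this is not the post's own script). It assumes a Linux box at each end, and it substitutes a proxy ARP entry for the alias on the tower because a current kernel would deliver a locally-assigned address to itself instead of routing it onward; every address and the MAC are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the post's own commands: the same asymmetric ipip trick
# with modern iproute2 instead of insmod/ifconfig/route.  Every address and
# the MAC below are constructed placeholders.
NT_IP=10.50.3.77            # assumed address of the NT box (a school LAN address)
NT_MAC=00:11:22:33:44:55    # assumed MAC of the NT box's NIC
TOWER_PUB=192.0.2.10        # assumed routable address of the school's CD tower
OFFICE_PUB=192.0.2.20       # assumed routable address of the office Linux box
TUN_TOWER=10.99.99.1        # RFC 1918 tunnel endpoints, as in the post
TUN_OFFICE=10.99.99.2
LAN_IF=eth0                 # assumed LAN interface on both Linux boxes

# Execute a command, or only print it when DRY_RUN is set (lets you review
# the plan before touching a production box).
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Far end (school tower): answer ARP for the NT box's address and forward
# whatever arrives for it down the tunnel.  A proxy ARP entry stands in for
# the post's alias because a current kernel would deliver a locally-assigned
# address to itself instead of routing it onward.
tower_side() {
    run modprobe ipip
    run sysctl -w net.ipv4.ip_forward=1
    run ip tunnel add nt0 mode ipip local "$TOWER_PUB" remote "$OFFICE_PUB"
    run ip addr add "$TUN_TOWER" peer "$TUN_OFFICE" dev nt0
    run ip link set nt0 up
    run ip route add "$NT_IP/32" dev nt0
    run ip neigh add proxy "$NT_IP" dev "$LAN_IF"
}

# Near end (office box): decapsulate, then push the packets onto the office
# LAN with a host route and a static ARP entry, because the NT box carries
# an address outside the office subnet (the post's "route add -host" guess).
office_side() {
    run modprobe ipip
    run sysctl -w net.ipv4.ip_forward=1
    run ip tunnel add nt0 mode ipip local "$OFFICE_PUB" remote "$TOWER_PUB"
    run ip addr add "$TUN_OFFICE" peer "$TUN_TOWER" dev nt0
    run ip link set nt0 up
    run ip route add "$NT_IP/32" dev "$LAN_IF"
    run ip neigh add "$NT_IP" lladdr "$NT_MAC" dev "$LAN_IF" nud permanent
}

# sh tunnel.sh tower   (on the school tower)
# sh tunnel.sh office  (on the office box); DRY_RUN=1 prints instead of runs.
case "${1:-}" in
    tower)  tower_side ;;
    office) office_side ;;
esac
```

Return traffic from the NT box still leaves via whatever gateway it believes in, so the path stays asymmetric exactly as the post describes; the tunnel only carries the inbound half.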

It was a completely ridiculous hack involving asymmetrical routing (since his outgoing packets didn't leave through the school router), but it did work. He was pretty impressed.

I mean, after all, it isn't every day that you can make a random box appear on some distant network without any preparation at the far end. Granted, things are a bit easier now, but doing it back in the '90s without leaving your chair was something special.