Devon & Cornwall Linux Users' Group


Re: [LUG] Port forwarding based on source address?



Theo Zourzouvillys wrote:

> so this is how it's done in 2.4...
>
> you are best to use destination NAT'ting, which alters the dst header and sends
> it out on another interface.

Another interface - no this is definitely for one IP address
systems - I have plenty of interfaces and only the Internet one
routes to 5.6.7.8

> using DNAT would not change the source address, only the destination, so it
> would go
>
>  6.6.6.6:1025 in eth0      -> 1.2.3.4:25
>  6.6.6.6:1025 out eth1 [1] -> 5.6.7.8:25
>
>  then
>
>  5.6.7.8:25 in eth1  -> 6.6.6.6:1025
>  5.6.7.8:25 out eth0 -> 6.6.6.6:1025

So that assumes the route from 5.6.7.8 is via eth1 ?! That could
be a problem.

5.6.7.8 is outside my routing domain, so I can't send packets to
it claiming to be from 6.6.6.6 as that would be filtered by all
good ISPs.

> so that translates in iptables to:
>
>  iptables -t nat -I PREROUTING -s 6.6.6.6 -d 1.2.3.4 -i eth0 -p tcp --dport 25 \
>    -j DNAT --to-destination 5.6.7.8:25
>
> any other connections will just fall through, and end up on 1.2.3.4's MTA.

> hope i understood the question right ;)

I think so - I guess opting to become a man in the middle is a
bit weird, perhaps I better check out SMTP proxies since it is
only email I am interested in personally, not the general case.

I'm fairly sure one of the switch vendors does exactly what I
want in its NAT, as I'm sure I remember a "one armed" load
balancing design from either Extreme or Foundry (not that I
have either of those to play with in this case).

> [1] - now the problem here is netfilter can't currently NAT local to/from local
> src/dst.  there is a patch in the pom (patch-o-matic) called
> IP_CONNTRACK_LOCAL that allows this, and it's already in the 2.4.19-pre iirc.
> when you build your kernel, cd into the iptables source and type "./pom
> newnat".

Hmm - lost me does that solve either of the issues mentioned?

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe.
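Added example, not code from the thread or from either poster: a small model of the nat table plus connection tracking, using the thread's addresses, to show why the DNAT-only rule leaves the box emitting packets from 6.6.6.6 (an address it does not own, so an ISP's anti-spoofing filter drops them) and how an extra SNAT rule on POSTROUTING makes the reply come back through the box. Treating 1.2.3.4 as the box's own Internet-facing address, and the POSTROUTING rule itself, are assumptions.

```python
# Added example: model of DNAT-only vs DNAT+SNAT for the SMTP redirect in the thread.
# Assumption: 1.2.3.4 is the NAT box's own Internet-facing address (the one clients hit).
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)


class NatBox:
    def __init__(self, own: str, client: str, real_mta: str, snat: bool) -> None:
        self.own, self.client, self.real_mta, self.snat = own, client, real_mta, snat
        # conntrack: reply tuple as it must arrive on eth1 -> packet as the client sent it
        self.conntrack: Dict[Flow, Flow] = {}

    def rules(self) -> List[str]:
        """iptables equivalents: the PREROUTING line is the thread's, POSTROUTING is the added one."""
        r = [f"iptables -t nat -I PREROUTING -s {self.client} -d {self.own} -i eth0 "
             f"-p tcp --dport 25 -j DNAT --to-destination {self.real_mta}:25"]
        if self.snat:
            r.append(f"iptables -t nat -I POSTROUTING -s {self.client} -d {self.real_mta} "
                     f"-o eth1 -p tcp --dport 25 -j SNAT --to-source {self.own}")
        return r

    def forward(self, pkt: Flow) -> Tuple[Flow, bool]:
        """Packet entering on eth0. Returns what leaves on eth1 and whether its source
        address is one the box does not own (what an upstream anti-spoofing filter drops)."""
        src, sport, dst, dport = pkt
        if (src, dst, dport) != (self.client, self.own, 25):
            return pkt, False               # no match: delivered to the local MTA
        dst = self.real_mta                 # PREROUTING DNAT
        if self.snat:
            src = self.own                  # POSTROUTING SNAT (source port kept)
        self.conntrack[(dst, dport, src, sport)] = pkt
        return (src, sport, dst, dport), src != self.own

    def reply(self, pkt: Flow) -> Optional[Flow]:
        """Reply from the real MTA. Returns what the client sees, or None when the reply
        is not addressed to this box and therefore never passes through it."""
        orig = self.conntrack.get(pkt)
        if orig is None or pkt[2] != self.own:
            return None
        c_src, c_sport, c_dst, c_dport = orig
        return (c_dst, c_dport, c_src, c_sport)  # conntrack undoes both DNAT and SNAT


if __name__ == "__main__":
    for snat in (False, True):
        box = NatBox("1.2.3.4", "6.6.6.6", "5.6.7.8", snat)
        out, spoofed = box.forward(("6.6.6.6", 1025, "1.2.3.4", 25))
        back = box.reply((out[2], out[3], out[0], out[1]))
        print(f"snat={snat}: out={out} spoofed={spoofed} reply_to_client={back}")
```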

