
Re: [LUG] Port forwarding based on source address?


On Tuesday 30 July 2002 3:48 pm, Simon Waters wrote:

> Another interface - no this is definitely for one IP address
> systems - I have plenty of interfaces and only the Internet one
> routes to 5.6.7.8

ahh, ok.  This won't be a problem, just my example was assuming two interfaces 
;)


> > using DNAT would not change the source address, only the destination, so
> > it would go
> >
> >  6.6.6.6:1025 in eth0      -> 1.2.3.4:25
> >  6.6.6.6:1025 out eth1 [1] -> 5.6.7.8:25
> >
> >  then
> >
> >  5.6.7.8:25 in eth1  -> 6.6.6.6:1025
> >  5.6.7.8:25 out eth0 -> 6.6.6.6:1025

> So that assumes the route from 5.6.7.8 is via eth1 ?! That could
> be a problem.
>
> 5.6.7.8 is outside my routing domain, so I can't send packets to
> it claiming to be from 6.6.6.6 as that would be filtered by all
> good ISPs.

sorry, didn't realise you were doing this over networks you didn't have 
control of policies over, let me retry ;)

in your case, you'd need SNAT too, which would make the connection look like 
it's coming from you....

6.6.6.6:1025 in  eth0 -> 1.2.3.4:25
1.2.3.4:3434 out eth0 -> 5.6.7.8:25

then

5.6.7.8:25 in  eth0 -> 1.2.3.4:3434
1.2.3.4:25 out eth0 -> 6.6.6.6:1025

right this time ? :)


so that translates in iptables to:

 iptables -t nat -I PREROUTING -s 6.6.6.6 -d 1.2.3.4 -i eth0 -p tcp
 --dport 25 -j DNAT --to-destination 5.6.7.8:25

as this rule is preroute, then it does just what the name says, and mangles 
the packet before it routes it ;)

you'd then need one on POSTROUTING that nats outgoing to the address to your 
addy... now if you have a dynamic IP, you'll need to play with MASQUERADE.  
as i've not really used netfilter on dynamic addresses much at all, i can't 
say exactly how it works and its pros/cons.  however, this *should* work...

iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

if you haven't already got it (you probably do if you've got any 
internet connectivity at all ;))

now that *might* not work, because flows only hit the nat table once, which 
may be a bit of a problem - i'm not sure if the MASQ target is counted. 

if you view via tcpdump when the connections are instigated, and it looks 
like the packets going out of eth0 are still coming from the peer, then try 
moving the MASQ rule to the mangle table.  again, i'm not sure on this so 
can't offer a firm guarantee what will happen :/


hope i understood the question right ;)

> I think so - I guess opting to become a man in the middle is a
> bit weird, perhaps I better check out SMTP proxies since it is
> only email I am interested in personally, not the general case.

layer 3 is nearly always the most secure way to do things (short of unplugging 
the cable :p) - i trust linux netfilter and tcp stack, i don't ever trust any 
userland code 100%...


> I'm fairly sure one of the switch vendors does exactly what I
> want in its NAT, as I'm sure I remember a "one armed" load
> balancing design from either Extreme or Foundry

the one armed mode is from arrowpoint (or so i believe), who were bought out 
by cisco 2 years ago, there are some docs about it on the tac somewhere.

only downside is load goes waaaay up through the roof in one armed mode, which 
is what made us use netfilter instead of the CS for the one time we needed it 
in a situation like this.

> (not that I
> have either of those to play with in this case).

however a 10k lb switch for a few connections would be, well, umm, fun ;)

say I, using the cisco CS1150 as my switch at home at the moment ;P

> > [1] - now the problem here is netfilter can't currently NAT local to/from
> > local src/dst.  there is a patch in the pom (patch-o-matic) called
> > IP_CONNTRACK_LOCAL that allows this, and it's already in the 2.4.19-pre
> > iirc. when you build your kernel, cd into the iptables source and type
> > "./pom newnat".

> Hmm - lost me does that solve either of the issues mentioned?

it only affects outgoing dst and src nat from a locally generated connection on 
localhost, wouldn't really matter in your case.

~ Theo

-- 

Theo Zourzouvillys
http://zozo.org.uk/

You will overcome the attacks of jealous associates.
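An added example, not from Theo's mail: a small Python model of what his PREROUTING DNAT and POSTROUTING MASQUERADE rules do to the addresses in his second table (6.6.6.6 -> 1.2.3.4:25 becomes 1.2.3.4:3434 -> 5.6.7.8:25, and back), including the conntrack behaviour behind his "flows only hit the nat table once" remark. The ephemeral port 3434 is taken from his table; the non-matching host 7.7.7.7 is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


OUR_IP, RELAY, ALLOWED_SRC = "1.2.3.4", "5.6.7.8", "6.6.6.6"   # addresses from the thread


class NatBox:
    """Toy model of a one-interface box running the two rules from the mail:
    -t nat -I PREROUTING -s 6.6.6.6 -d 1.2.3.4 -i eth0 -p tcp --dport 25 -j DNAT --to-destination 5.6.7.8:25
    -t nat -I POSTROUTING -o eth0 -j MASQUERADE
    """

    def __init__(self):
        self.conntrack = {}     # wire 4-tuple of an incoming packet -> packet as it leaves
        self.nat_lookups = 0    # how many times the nat table was actually consulted
        self.next_port = 3434   # constructed: first source port MASQUERADE hands out

    @staticmethod
    def route(p):
        # local delivery for our own address, otherwise back out of the single interface
        return "lo" if p.dst == OUR_IP else "eth0"

    def process(self, p, in_iface):
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.conntrack:           # established flow: nat rules are not re-evaluated
            out = self.conntrack[key]
            return out, self.route(out)
        self.nat_lookups += 1               # new flow: the nat table is consulted exactly once
        out = p
        # PREROUTING: DNAT only when source, destination, port and input interface all match
        if (p.src, p.dst, p.dport, in_iface) == (ALLOWED_SRC, OUR_IP, 25, "eth0"):
            out = Pkt(p.src, p.sport, RELAY, 25)
        out_iface = self.route(out)
        # POSTROUTING: MASQUERADE rewrites the source of anything leaving eth0 to our address
        if out_iface == "eth0":
            out = Pkt(OUR_IP, self.next_port, out.dst, out.dport)
            self.next_port += 1
        # conntrack stores both directions, so replies are reverse-translated without rules
        self.conntrack[key] = out
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = Pkt(p.dst, p.dport, p.src, p.sport)
        return out, out_iface
```

Mail from any other source to 1.2.3.4:25 is delivered locally untouched, which is the "based on source address" part of the question.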