-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 30 July 2002 3:48 pm, Simon Waters wrote:

> Another interface - no this is definitely for one IP address systems - I have plenty of interfaces and only the Internet one routes to 5.6.7.8
ahh, ok. This won't be a problem, just my example was assuming two interfaces ;)
> > using DNAT would not change the source address, only the destination, so it would go
> >
> > 6.6.6.6:1025 in eth0 -> 1.2.3.4:25
> > 6.6.6.6:1025 out eth1 [1] -> 5.6.7.8:25
> >
> > then
> >
> > 5.6.7.8:25 in eth1 -> 6.6.6.6:1025
> > 5.6.7.8:25 out eth0 -> 6.6.6.6:1025
>
> So that assumes the route from 5.6.7.8 is via eth1 ?! That could be a problem. 5.6.7.8 is outside my routing domain, so I can't send packets to it claiming to be from 6.6.6.6 as that would be filtered by all good ISPs.
sorry, didn't realise you were doing this over networks you didn't have control of policies over, let me retry ;) in your case, you'd need SNAT too, which would make the connection look like it's coming from you....

6.6.6.6:1025 in eth0 -> 1.2.3.4:25
1.2.3.4:3434 out eth0 -> 5.6.7.8:25

then

5.6.7.8:25 in eth0 -> 1.2.3.4:3434
1.2.3.4:25 out eth0 -> 6.6.6.6:1025

right this time ? :)

so that translates in iptables to:

  iptables -t nat -I PREROUTING -s 6.6.6.6 -d 1.2.3.4 -i eth0 -p tcp --dport 25 \
    -j DNAT --to-destination 5.6.7.8:25

as this rule is preroute, then it does just what the name says, and mangles the packet before it routes it ;) you'd then need one on POSTROUTING that nats outgoing to the address to your addy... now if you have a dynamic IP, you'll need to play with MASQUERADE. as i've not really used netfilter on dynamic addresses much at all, i can't say exactly how it works and its pros/cons. however, this *should* work...

  iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

if you haven't already got it already (you probably do if you've got any internet connectivity at all ;))

now that *might* not work, because flows only hit the nat table once, which may be a bit of a problem - i'm not sure if the MASQ target is counted. if you view via tcpdump when the connections are instigated, and it looks like the packets going out of eth0 are still coming from the peer, then try moving the MASQ rule to the mangle table. again, i'm not sure on this so can't offer a firm guarantee what will happen :/
> > hope i understood the question right ;)
>
> I think so - I guess opting to become a man in the middle is a bit weird, perhaps I better check out SMTP proxies since it is only email I am interested in personally, not the general case.

layer 3 is nearly always the most secure way to do things (short of unplugging the cable :p) - i trust linux netfilter and tcp stack, i don't ever trust any userland code 100%...

> I'm fairly sure one of the switch vendors does exactly what I want in its NAT, as I'm sure I remember a "one armed" load balancing design from either Extreme or Foundry
the one armed mode is from arrowpoint (or so i believe), who were bought out by cisco 2 years ago, there are some docs about it in the tac somewhere. only downside is load goes waaaay up through the roof in one armed mode, which is what made us use netfilter instead of the CS for the one time we needed it in a situation like this.

> (not that I have either of those to play with in this case).

however a 10k lb switch for a few connections would be, well, umm, fun ;) say I, using the cisco CS1150 as my switch at home at the moment ;P

> > [1] - now the problem here is netfilter can't currently NAT local to/from local src/dst. there is a patch in the pom (patch-o-matic) called IP_CONNTRACK_LOCAL that allows this, and it's already in the 2.4.19-pre iirc. when you build your kernel, cd into the iptables source and type "./pom newnat".
>
> Hmm - lost me, does that solve either of the issues mentioned?

it only affects outgoing dst and src nat from a locally generated connection on localhost, wouldn't really matter in your case.

~ Theo

--
Theo Zourzouvillys
http://zozo.org.uk/

You will overcome the attacks of jealous associates.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9RrFd448CrwpTn6YRAnHRAKDO9yFowe31ZJiHjCYkV41pxu8jbgCgzlhS
jlwbrHpPmqm04xKYKUDYIy0=
=FAQL
-----END PGP SIGNATURE-----

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.
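The following is an added example and not code from the thread or from the netfilter project: a small Python model of what the PREROUTING DNAT rule and the POSTROUTING MASQUERADE rule discussed above do to both directions of the SMTP flow, and why the first attempt (DNAT alone) fails at the ISP's anti-spoofing filter. The addresses 6.6.6.6, 1.2.3.4, 5.6.7.8, port 1025 and interface eth0 are the thread's own example values; the source port 3434, the 1.2.3.4/32 "customer prefix", the rule dictionaries and the class and function names are constructed for this example. On the point left open in the thread: the nat table is only consulted for the first packet of a connection, but PREROUTING and POSTROUTING are separate hooks, so DNAT and MASQUERADE are both applied to that first packet and the connection tracker reverses both translations on the replies, which is what the model below does.

```python
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """A one-armed netfilter box with a single Internet-facing interface (constructed model)."""

    def __init__(self, iface_addrs, dnat_rules, masquerade_ifaces=()):
        self.iface_addrs = dict(iface_addrs)        # interface -> its own address
        self.dnat_rules = list(dnat_rules)          # the PREROUTING -j DNAT rules
        self.masquerade = set(masquerade_ifaces)    # interfaces with POSTROUTING -j MASQUERADE
        self.conntrack = {}                         # expected reply 4-tuple -> original packet
        self._next_port = 3434                      # constructed: first port MASQUERADE hands out

    def route(self, dst):
        """Single-interface case from the thread: everything leaves via eth0."""
        return "eth0"

    def forward(self, pkt, in_if):
        """Return (packet as it leaves the box, outgoing interface)."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            # Reply direction: the nat table is not consulted again; conntrack
            # undoes both translations so the client sees 1.2.3.4:25 answering.
            orig = self.conntrack[key]
            out = Packet(orig.dst, orig.dport, orig.src, orig.sport)
            return out, self.route(out.dst)

        # First packet of a new flow: PREROUTING DNAT runs before the routing decision...
        out = pkt
        for rule in self.dnat_rules:
            if (in_if == rule["in"] and pkt.src == rule["src"]
                    and pkt.dst == rule["dst"] and pkt.dport == rule["dport"]):
                out = replace(out, dst=rule["to_ip"], dport=rule["to_port"])
                break
        out_if = self.route(out.dst)
        # ...and POSTROUTING MASQUERADE rewrites the source to the outgoing interface's address.
        if out_if in self.masquerade:
            out = replace(out, src=self.iface_addrs[out_if], sport=self._next_port)
            self._next_port += 1
        # Remember what the answer to this flow will look like when it arrives.
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out, out_if


def isp_would_drop(pkt, customer_prefixes):
    """Model of the upstream anti-spoofing filter Simon refers to: a packet leaving
    the customer link must carry a source inside the customer's own prefixes."""
    src = ipaddress.ip_address(pkt.src)
    return not any(src in ipaddress.ip_network(p) for p in customer_prefixes)


def run_exchange(masquerade, customer_prefixes=("1.2.3.4/32",)):
    """Push the client's SYN through the box and, if the ISP lets it out, the relay's
    SYN/ACK back through it. Returns (syn_as_sent, synack_as_delivered); the second
    element is None when the SYN never reaches the relay."""
    gw = NatGateway(
        iface_addrs={"eth0": "1.2.3.4"},
        dnat_rules=[{"in": "eth0", "src": "6.6.6.6", "dst": "1.2.3.4", "dport": 25,
                     "to_ip": "5.6.7.8", "to_port": 25}],
        masquerade_ifaces=("eth0",) if masquerade else (),
    )
    syn = Packet("6.6.6.6", 1025, "1.2.3.4", 25)
    syn_out, _ = gw.forward(syn, "eth0")
    if isp_would_drop(syn_out, customer_prefixes):
        return syn_out, None
    # The relay answers whatever source address and port it saw.
    synack = Packet(syn_out.dst, syn_out.dport, syn_out.src, syn_out.sport)
    synack_out, _ = gw.forward(synack, "eth0")
    return syn_out, synack_out


if __name__ == "__main__":
    for masq in (False, True):
        syn_out, synack_out = run_exchange(masq)
        print(f"MASQUERADE={masq}: SYN leaves as {syn_out}, reply delivered as {synack_out}")
```

Running it shows the two cases side by side: with DNAT alone the SYN leaves eth0 still sourced from 6.6.6.6 and the modelled ISP filter drops it, exactly Simon's objection; with MASQUERADE added it leaves as 1.2.3.4:3434 -> 5.6.7.8:25 and the relay's SYN/ACK is delivered to the client as 1.2.3.4:25 -> 6.6.6.6:1025, matching the second flow diagram in the thread. The same conntrack reversal is what a real box would show in tcpdump on eth0 when the connection is first made, which is the check suggested above.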