Re: transparent PAT

Linux Advanced Routing and Traffic Control

On Wed, 27 Nov 2002 13:20:58 -0600 (CST)
"Martin A. Brown" <mabrown-lartc@securepipe.com> wrote:

> Hi there Nickola,

Hi again, Martin,

>  : I would like to reroute everything that's passing thru eth1 on machine
>  : A from the internal lan and has dport XXXX to the same port on machine
>  : B.
> 
> It seems to me like you really want NAT, not PAT--especially if you are 
> using multiple ports.  Am I missing something here?

Well, in fact I tried a solution with doing DNAT (i.e. destination NAT) in
both directions - from the client to the server and vice versa. With tcpdump
I saw that packets are going both directions, but the client application
refused to accept them. I'm talking about irc. I mean there weren't any
errors, given by the client, just silence. :)

>  : The whole thing has to be completely transparent. I tried some "advanced
>  : routing" stuff, like marking those packets with fwmark and building a
>  : separate routing table for them, but alas. Notice that the two machines
>  : are on the same LAN segment.
> 
> Problem is that the packets are handled specially in the local routing
> table (highest priority in the RPDB).  I have not tried to use a rule of
> higher priority than rule 0, so I do not know what side effects that might
> have.

Ehm, yes, I tried with priorities 200 and the default ones, which ip rule
puts at the end - i.e. around 32765 and below.

>  : I've already tried also some userspace solutions, which didn't
>  : work, like redir, tircproxy, transproxy, etc. but they didn't
>  : work either, complaining about not being able to bind to a non-local
>  : port. And yes (mr. Brown), I know about the
>  : /proc/sys/net/ipv4/ip_nonlocal_bind switch, listed in
>  : plorf.net/linux-ip/.
> 
> After you have done:
> 
> # echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
> 
> can you do something like this:
> 
> # nc -nlvv -p 3001 -s 77.77.77.77
> 
> Where 77.77.77.77 is an IP not in use anywhere on your box?

Yes, I can, but do I have a way to check that someone is indeed listening
on this port? Except locally, I mean. Because netcat is binding to the port with
no complaints.

> If you were using redir, why doesn't the following work:
> 
> # redir --laddr=x.x.x.x --lport=993 --caddr=y.y.y.y --cport=993 --transproxy

No, it yells:

target: connect: Invalid argument

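Added example, not from the thread or its participants: the "DNAT in both directions" attempt above fails on a single LAN segment because machine B answers the client directly from its own address, and the client, which sent to A, silently discards replies that come from B. The script below, for machine A, pairs the DNAT with an SNAT on the forwarded flow so B's replies return through A, where conntrack reverses both translations; the cost is that B sees A's address, not the client's, as the source. Interface, addresses and port are constructed placeholders, and IPT=echo dry-runs the rules without touching netfilter.

```shell
#!/bin/sh
# Full NAT redirect of one TCP port from machine A to machine B on the
# same LAN segment. Constructed example, not the thread's own config.
set -e

IPT="${IPT:-iptables}"      # set IPT=echo to print rules instead of applying
LAN_IF="${LAN_IF:-eth1}"    # interface the clients reach A on
A_IP="${A_IP:-192.0.2.1}"   # machine A (this box), constructed address
B_IP="${B_IP:-192.0.2.2}"   # machine B (the real server), constructed address
PORT="${PORT:-6667}"        # stands in for the thread's "XXXX" port

# Emit the four rules; with IPT=echo each rule is printed on its own line.
redirect_port() {
    # 1. DNAT: client -> A:PORT becomes client -> B:PORT
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$B_IP:$PORT"
    # 2. SNAT: the forwarded packet leaves A with A's address as source, so
    #    B replies to A rather than straight to the client (this is the step
    #    that DNAT alone on one segment lacks)
    "$IPT" -t nat -A POSTROUTING -o "$LAN_IF" -p tcp -d "$B_IP" --dport "$PORT" \
        -j SNAT --to-source "$A_IP"
    # 3. Let the flow through the filter table in both directions
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -p tcp -d "$B_IP" --dport "$PORT" \
        -j ACCEPT
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Forwarding must be on, or A drops the rewritten packet after PREROUTING.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Only touch the live system when explicitly asked: ./redirect.sh apply
if [ "${1:-}" = apply ]; then
    enable_forwarding
    redirect_port
fi
```

Verify a live setup with `iptables -t nat -L -n -v` (rule counters) or a `tcpdump` on B showing connections arriving from A's address.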

