Re: Connection Tracking

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

We do have control over the Nat box. It is a custom Linux router that we put in for these clients. The biggest problem with the DNATing to a specific internat IP is that several client computers will want to use it at different times. So, I don't want to have to change the DNATing every time a different computer wants to connect. As for the protocol... I am not very happy about it either. We did not define it, it is part of the mainframe system installed at the company. This is thier "VPN" --to use the term very loosely-- solution so that this manufacturer has installed. Someone suggested sending the port 1066 to the broadcast address. Although this would probably work, I don't like it because of security reasons. I had thought about doing some type of Pptp or Ipsec VPN solution, but all of the different networks run on the same address scheme, as per the mainframe manufacturer, which complicates things even more.

Nathan

Jim Carter wrote:

On Mon, 6 Oct 2003, Nathan Whittacre wrote:


The way this protocol works is that the remote computer connects to it
on port 1066, exchanges some data over the existing connection and then
the server initiates a connection back to the client on the client's
port 1066. This is fine as long as the client has a static, un-NAT'd
internet IP, but the connection is dropped by the server if it does not
get a reply from port 1066. I have a few client machines on a NAT'd
network that need to connect to this remote server, but with only one



FTP does the same kind of thing except the return port varies; the client
tells the server what port it's listening on.  If you have access to the
NAT box you could perhaps put in a special rule so port 1066 (for the
return connection) was DNATted to just one client's internal IP address and
restricted to just port 1066 rather than the default high-numbered range.
(I assume the client insists on a source port of 1066.)  If it's a
user-owned inexpensive NAT box that you can't configure, you're up the
creek.  I believe the Linksys "Broadband Router" for $80 can do the needed
DNAT.  But then you get into a nightmare of user support issues.

Why the callback?  It really makes things complicated.  If you're trying to
enhance security, as you might with a modem connection, each TCP connection
includes return packets, which will not return if the originator's address
is spoofed.  Also, in principle the Black Hats can invade your ISP and fake
the DNS records.  Much better to use TLS at 4th layer or IPSec at 3rd
layer, and only talk to remote machines that are on your authorization
list.

James F. Carter Voice 310 825 2897 FAX 310 206 6673
UCLA-Mathnet; 6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc@xxxxxxxxxxxxx http://www.math.ucla.edu/~jimc (q.v. for PGP key)





[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux