From: "R. DuFresne" <dufresne@xxxxxxxxxxx>
To: Suzana Lojic-Skoric <s_lojic@xxxxxxxxxxx>
CC: harmuth@xxxxxxxxx, netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: DNS and NAT
Date: Fri, 15 Jul 2005 12:45:10 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Has anyone checked to see if beside pre/post routing rules this person has
added the ip add majik to make NAT more seamless, I'm of course assuming a
1:1 NAT setup for a network rahter than masq. And if they are using masq,
perhaps a 1:1 NAT setup would quell their troubles so that it's IP based
NAT rather then port based PNAT that is working against em...?
I have implemented PNAT on inbound direction, means incoming traffic (from
outside to the NAT box) is port forwarded to appropriate servers inside. Why
would PNAT work against me?
Thanks,
Suzana
Thanks,
Ron DuFresne
On Fri, 15 Jul 2005, Suzana Lojic-Skoric wrote:
From: Jörg Harmuth <harmuth@xxxxxxxxx>
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: DNS and NAT
Date: Fri, 15 Jul 2005 10:53:17 +0200
Suzana Lojic-Skoric schrieb:
> I don't think proxy can help because it is just caching the web pages,
> it does not change the IP addresses. I'll check if tunneling can help,
> if not then I'll have to change iptables to inspect DNS answer and
> replace the IP in the payload.
No. Introducing a proxy at the right location, is much more than just
caching web sites. It means significant changes to at least to the IP
headers.
Wether a proxy helps you or not depends totally on where you place the
proxy. If you place it on the nat box (like primero said) or between
this nasty dropping box and the nat box, everything is probably fine.
The requests will then go to 10.x.x.x and the answers will originate
from 10.x.x.x. The e.g. google address of 216.239.39.99 is within the
*data* part of the 4th packet - not in the headers (headers are
src=10.y.y.y dst=10.x.x.x). As long as the nasty dropping box doesn't
scan the packets payload for proxy requests and the like and drops them,
everything should work.
I can put the proxy on the NAT machine.
As I said, right now just with the NAT, if I send a DNS request for the
google.com from the client 10.0.0.1 behind the nasty dropping box, it will
go out through the nasty dropping box and the NAT gateway. NAT will change
its 10.x.x.x source and destination from 10.x.x.x to some outside
addresses e.g. 150.x.x.x. The DNS answer comes back to NAT, it's source
and destination gets translated back to 10.x.x.x and 10.0.0.1 destination,
and the google address 216.239.39.99 is within the *data* part. This goes
fine through the nasty dropping box back to the client 10.0.0.1. Client
then takes the answer from the data part of the message, which is
216.239.39.99 and tries to contact it. It sends an HTTP message to
destination 216.239.39.99. This gets dropped on the nasty dropping box
since it is not 10.x.x.x (This is what's happening when you type in
www.google.com in the browser on the client 10.0.0.1).
So the DNS request and answer can get through the internal network, but
what I need is to somehow replace the 216.239.39.99 that is embedded in
the DNS *data* with 10.z.z.z. Also my NAT needs to know that 10.z.z.z is
actually 216.239.39.99. to be able to translate it for outside.
Do you still think proxy can help?
If, on the other side, it is only possible to place the proxy between
the clients and this nasty dropping box, you're out of luck and a proxy
helps nothing at all. But as far as I understood - and you provided
information - you have access to the nat box. So, this should not be the
case.
BTW, would you please be so kind and provide sufficient information
about your problem in the first posting (introducing this nasty box
changes the whole situation) ? This way people who want to help you do
not have to feel like the "Oracle of Delphi" ;) Thanks.
I'll do it next time :) I was afraid it would be too long for anybody to
read it. Thanks for your help.
Suzana
Have a nice time,
Joerg
_________________________________________________________________
Take advantage of powerful junk e-mail filters built on patented
Microsoft® SmartScreen Technology.
http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines
Start enjoying all the benefits of MSN® Premium right now and get the
first two months FREE*.
- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFC1+gast+vzJSwZikRAoIFAKCcx6voNEBSZNMlpZjTJIftXWUplwCcCV4K
ETadeRA1YWhhsaNAASuZCsk=
=PbUZ
-----END PGP SIGNATURE-----
_________________________________________________________________
Take advantage of powerful junk e-mail filters built on patented Microsoft®
SmartScreen Technology.
http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines
Start enjoying all the benefits of MSN® Premium right now and get the
first two months FREE*.