Re: DNS and NAT

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





From: "R. DuFresne" <dufresne@xxxxxxxxxxx>
To: Suzana Lojic-Skoric <s_lojic@xxxxxxxxxxx>
CC: harmuth@xxxxxxxxx, netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: DNS and NAT
Date: Fri, 15 Jul 2005 12:45:10 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Has anyone checked to see if beside pre/post routing rules this person has added the ip add majik to make NAT more seamless, I'm of course assuming a 1:1 NAT setup for a network rahter than masq. And if they are using masq, perhaps a 1:1 NAT setup would quell their troubles so that it's IP based NAT rather then port based PNAT that is working against em...?

I have implemented PNAT on inbound direction, means incoming traffic (from outside to the NAT box) is port forwarded to appropriate servers inside. Why would PNAT work against me?

Thanks,

Suzana

Thanks,

Ron DuFresne


On Fri, 15 Jul 2005, Suzana Lojic-Skoric wrote:



From: Jörg Harmuth <harmuth@xxxxxxxxx>
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: DNS and NAT
Date: Fri, 15 Jul 2005 10:53:17 +0200

Suzana Lojic-Skoric schrieb:

> I don't think proxy can help because it is just caching the web pages,
> it does not change the IP addresses. I'll check if tunneling can help,
> if not then I'll have to change iptables to inspect DNS answer and
> replace the IP in the payload.

No. Introducing a proxy at the right location, is much more than just
caching web sites. It means significant changes to at least to the IP
headers.

Wether a proxy helps you or not depends totally on where you place the
proxy. If you place it on the nat box (like primero said) or between
this nasty dropping box and the nat box, everything is probably fine.
The requests will then go to 10.x.x.x and the answers will originate
from 10.x.x.x. The e.g. google address of 216.239.39.99 is within the
*data* part of the 4th packet - not in the headers (headers are
src=10.y.y.y dst=10.x.x.x). As long as the nasty dropping box doesn't
scan the packets payload for proxy requests and the like and drops them,
everything should work.

I can put the proxy on the NAT machine.
As I said, right now just with the NAT, if I send a DNS request for the google.com from the client 10.0.0.1 behind the nasty dropping box, it will go out through the nasty dropping box and the NAT gateway. NAT will change its 10.x.x.x source and destination from 10.x.x.x to some outside addresses e.g. 150.x.x.x. The DNS answer comes back to NAT, it's source and destination gets translated back to 10.x.x.x and 10.0.0.1 destination, and the google address 216.239.39.99 is within the *data* part. This goes fine through the nasty dropping box back to the client 10.0.0.1. Client then takes the answer from the data part of the message, which is 216.239.39.99 and tries to contact it. It sends an HTTP message to destination 216.239.39.99. This gets dropped on the nasty dropping box since it is not 10.x.x.x (This is what's happening when you type in www.google.com in the browser on the client 10.0.0.1). So the DNS request and answer can get through the internal network, but what I need is to somehow replace the 216.239.39.99 that is embedded in the DNS *data* with 10.z.z.z. Also my NAT needs to know that 10.z.z.z is actually 216.239.39.99. to be able to translate it for outside.

Do you still think proxy can help?

If, on the other side, it is only possible to place the proxy between
the clients and this nasty dropping box, you're out of luck and a proxy
helps nothing at all. But as far as I understood - and you provided
information - you have access to the nat box. So, this should not be the
case.

BTW, would you please be so kind and provide sufficient information
about your problem in the first posting (introducing this nasty box
changes the whole situation) ? This way people who want to help you do
not have to feel like the "Oracle of Delphi" ;) Thanks.

I'll do it next time :) I was afraid it would be too long for anybody to read it. Thanks for your help.

Suzana


Have a nice time,

Joerg



_________________________________________________________________
Take advantage of powerful junk e-mail filters built on patented Microsoft® SmartScreen Technology. http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines Start enjoying all the benefits of MSN® Premium right now and get the first two months FREE*.



- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFC1+gast+vzJSwZikRAoIFAKCcx6voNEBSZNMlpZjTJIftXWUplwCcCV4K
ETadeRA1YWhhsaNAASuZCsk=
=PbUZ
-----END PGP SIGNATURE-----

_________________________________________________________________
Take advantage of powerful junk e-mail filters built on patented Microsoft® SmartScreen Technology. http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines Start enjoying all the benefits of MSN® Premium right now and get the first two months FREE*.



[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux