From: Francesco Ciocchetti <primero@xxxxxxxxxxxxx>
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: DNS and NAT
Date: Fri, 15 Jul 2005 20:52:18 +0200
Suzana Lojic-Skoric wrote:
From: Jörg Harmuth <harmuth@xxxxxxxxx>
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: DNS and NAT
Date: Fri, 15 Jul 2005 10:53:17 +0200
Suzana Lojic-Skoric schrieb:
> I don't think proxy can help because it is just caching the web pages,
> it does not change the IP addresses. I'll check if tunneling can help,
> if not then I'll have to change iptables to inspect DNS answer and
> replace the IP in the payload.
No. Introducing a proxy at the right location, is much more than just
caching web sites. It means significant changes to at least to the IP
headers.
Wether a proxy helps you or not depends totally on where you place the
proxy. If you place it on the nat box (like primero said) or between
this nasty dropping box and the nat box, everything is probably fine.
The requests will then go to 10.x.x.x and the answers will originate
from 10.x.x.x. The e.g. google address of 216.239.39.99 is within the
*data* part of the 4th packet - not in the headers (headers are
src=10.y.y.y dst=10.x.x.x). As long as the nasty dropping box doesn't
scan the packets payload for proxy requests and the like and drops them,
everything should work.
I can put the proxy on the NAT machine.
As I said, right now just with the NAT, if I send a DNS request for the
google.com from the client 10.0.0.1 behind the nasty dropping box, it will
go out through the nasty dropping box and the NAT gateway. NAT will change
its 10.x.x.x source and destination from 10.x.x.x to some outside
addresses e.g. 150.x.x.x. The DNS answer comes back to NAT, it's source
and destination gets translated back to 10.x.x.x and 10.0.0.1 destination,
and the google address 216.239.39.99 is within the *data* part. This goes
fine through the nasty dropping box back to the client 10.0.0.1. Client
then takes the answer from the data part of the message, which is
216.239.39.99 and tries to contact it. It sends an HTTP message to
destination 216.239.39.99. This gets dropped on the nasty dropping box
since it is not 10.x.x.x (This is what's happening when you type in
www.google.com in the browser on the client 10.0.0.1).
So the DNS request and answer can get through the internal network, but
what I need is to somehow replace the 216.239.39.99 that is embedded in
the DNS *data* with 10.z.z.z. Also my NAT needs to know that 10.z.z.z is
actually 216.239.39.99. to be able to translate it for outside.
Do you still think proxy can help?
with a *standard proxy* configured on the browser of client 10.0.0.1 your
request for 216.239.39.99 will be in the payload of the proxy request that
has the IP address of your proxy machine in the destination address field
of the network layer ... it should be good for your nasty dropping box.
From there the HTTP request will be managed from your proxy wich will
answer to your client with a connection completely inside the 10.x.x.x
network.
bye
<f>
Do you know if split DNS installed on the NAT gateway would do the trick
too?
Thanks,
Suzana
_________________________________________________________________
Take charge with a pop-up guard built on patented Microsoft® SmartScreen
Technology.
http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=http://hotmail.com/enca&HL=Market_MSNIS_Taglines
Start enjoying all the benefits of MSN® Premium right now and get the
first two months FREE*.
