Re: Redirecting ports in a bridge

Grant Taylor wrote:

> Ok, forgive me for asking. Is this appliance multi-purpose in such that it is suppose to log and redirect traffic?

Yes, it's multi-purpose: http://www.eneotecnologia.com/products_en.html?TB_iframe=true&height=510&width=800

   * *Firewall & QoS.* High performance stateful firewall and quality of service.
   * *Web cache & content filter.* Black and white list mode with LDAP or AD authentication.
   * *VPN.* L2TP / IPSEC – X.509, NAT Traversal and high availability.
   * *IPS / IDS.* Snort 2.6 based with hardware acceleration.
   * *Load balancing.* LVS based – L3/4 classification, different algorithms.
   * *High availability.* VRRP (Router mode) and STP (Bridge mode).
   * *Malware.* Antivirus (ClamAV, Kaspersky), antispam (DSPAM, Mailshell), antispyware (Kaspersky, PCTools or Sunbelt) with hardware acceleration.
   * *NetFlow probe.* NetFlow v5/9 Probe.


We use it in bridge mode, mainly for traffic logging, and sometimes for packet filtering.


> As Jan Engelhardt has pointed out so well, you are very likely dealing with (what I call)
> a "TCP Triangle". If there is not something else in the mix doing source NATing, you will
> need to do something else to avoid the "TCP Triangle". There are many different options
> available, one of which is the SNATing like you are referring to (though I would be careful
> on selecting the packets to SNAT). Another would be to have your clients connect to IPs on
> LAN 1 that are bound to the router that is DNATing traffic to LAN 2 and then unDNATing the
> replies. You could also have duplicate IPs bound on server 1 and server 2 and use some
> clustering techniques to alter which MAC address / server the packet(s) go to, thus
> allowing both servers to answer with the proper IP.

I still want the bridge to be totally transparent, and I don't want to mess with the real IPs, as I don't want the probe to be a single point of failure. In fact, its network cards still work as a bridge when the machine is down.

I suppose I should use SNAT, then, as you've stated, but it doesn't seem to work properly. I'm trying this:

# iptables -t nat -A PREROUTING -p tcp -d 192.168.2.1 --dport 80 -j DNAT --to-destination 192.168.2.2:80
# iptables -t nat -A POSTROUTING -p tcp --sport 80 -s 192.168.2.2 -d 192.168.1.0/24 -j SNAT --to-source 192.168.2.1
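Added example, not part of the original post: a toy model of how netfilter conntrack applies nat-table rules (consulted only for a connection's first packet, then reversed for replies), run over the DNAT/SNAT pair above to show why the reply-direction SNAT rule never fires, and what the forward-direction SNAT Grant Taylor suggests changes. The client address 192.168.1.10 and the box address 192.168.2.254 are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class NatBox:
    """NAT rules are consulted only for the first packet of a connection; the
    resulting mapping is stored in conntrack and reversed for replies."""
    def __init__(self, dnat_rules, snat_rules):
        self.dnat_rules = dnat_rules  # PREROUTING: [(match_fn, new_dst)]
        self.snat_rules = snat_rules  # POSTROUTING: [(match_fn, new_src)]
        self.conntrack = {}           # original 4-tuple -> translated 4-tuple

    def original_direction(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.conntrack:  # first packet: walk the nat rules once
            out = replace(pkt, dst=next((d for m, d in self.dnat_rules if m(pkt)), pkt.dst))
            out = replace(out, src=next((s for m, s in self.snat_rules if m(out)), out.src))
            self.conntrack[key] = (out.src, out.sport, out.dst, out.dport)
        return Pkt(*self.conntrack[key])

    def reply_direction(self, pkt):
        """Undo the stored mapping for a reply; the nat rules are not consulted."""
        for orig, xlat in self.conntrack.items():
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (xlat[2], xlat[3], xlat[0], xlat[1]):
                return Pkt(orig[2], orig[3], orig[0], orig[1])
        return None  # no entry: the reply bypassed the box

# Rules from the post: the SNAT match describes the server's replies, which are
# never evaluated against the nat table, so the rule never fires.
POST_RULES = [(lambda p: p.src == "192.168.2.2" and p.sport == 80, "192.168.2.1")]
# Forward-direction SNAT to an assumed address owned by the box (192.168.2.254,
# not from the post): the server then addresses its replies to the box itself.
FORWARD_SNAT = [(lambda p: p.dst == "192.168.2.2" and p.dport == 80, "192.168.2.254")]

def run(snat_rules, reply_via_box):
    """Constructed client 192.168.1.10 opens 192.168.2.1:80; return the reply it
    sees. reply_via_box: whether the server's reply traverses the box at all."""
    box = NatBox([(lambda p: p.dst == "192.168.2.1" and p.dport == 80, "192.168.2.2")],
                 snat_rules)
    at_server = box.original_direction(Pkt("192.168.1.10", 40000, "192.168.2.1", 80))
    reply = Pkt(at_server.dst, 80, at_server.src, at_server.sport)
    return box.reply_direction(reply) if reply_via_box else reply
```

With the post's rules and a reply that does not cross the box, the client receives a packet sourced from 192.168.2.2 rather than the 192.168.2.1 it connected to, which is the triangle; on a real bridge, the nat table only sees bridged frames when br_netfilter's bridge-nf-call-iptables sysctl is enabled.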


--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
