Re: Anyone achieved BSD natd(8) compatibility with Linux netfilter or Solaris ipf - ie. single-address-on-same-interface bidirectional mapping to DMZ private subnet ?

Hi,

This seems very simple; google for source NAT, destination NAT and masquerade:

http://www.howtoforge.com/internet-connection-sharing-masquerading-on-linux

Port forwarding is also rather simple.

regards

Brian


Jason Vas Dias wrote:
Hi -

This is my first post to this list, so please excuse me if I miss something or
if this is an inappropriate posting for this list.

Question :

I am trying to replace an ancient MacOSX box, whose natd(8) does a really great job of "Connection Sharing" - becoming a router for the "External Internet" to my local LAN subnet, whose addresses it has provided with DHCP (192.168.2.2 - 4).

So natd(8) maps the IP source address in packets originating from the local 192.168.2.{2,3,4} subnet that appear from the en0 interface to the external internet address given to the single interface en0 by my DSL modem, and sends such packets out on en0 with the destination address and port mapped back to natd's address and port on the external internet. natd(8) maintains a table of all such packets sent out to the external internet, such that when a response for such a packet is received, the destination IP address is mapped back to the original packet originator, and is then sent back out on en0 to the local DMZ subnet host that originated it, as in this diagram:

   MacOS Host:
   single IP interface  en0:
        ipv4 address 192.168.2.1
        ipv4 address 66.68.31.192 (assigned from DSL router)
   natd:
        listens on      66.68.31.192:natd
   bootpd:
        listens on      192.168.2.1:bootps

   DMZ hosts:  192.168.2.2, 192.168.2.3, 192.168.2.4

All these hosts are connected to the same hub, whose uplink cable is connected to the DSL Router.

natd(8) reads a raw socket to receive every packet that is received on interface en0. When a packet is received from a 192.168.2.x source address with a destination address that is not in subnet 192.168.2/24, it replaces the 192.168.2/24 address with 66.68.31.192, and the destination address and port with 66.68.31.192:natd, and sends the packet back out on en0; the DSL router sends such packets on to the external internet, and the external internet host sends responses back to 66.68.31.192:natd; natd can then use the packet identifiers it generated for the request packets to match the response packet (it could even use a separate port to receive response packets for each separate DMZ host, so the mapping becomes trivial).

My question is: how can this be achieved with Linux netfilter or Solaris IP Filter / ipnat(4)? I have either a Solaris host or a Linux host I can use for this job. The old MacOSX ppc32 host is too slow, and does not support more than two other hosts on the DMZ.

What I don't understand from the netfilter / ipfilter documentation is precisely how a response from the external internet, with a destination IP + port on the gateway, is translated into a response for a DMZ host in the same way as natd does.

I have looked at the open-source firestarter project, which can construct NAT rules to do this for a gateway host with two physical interfaces, but all my hosts have only one physical ethernet interface.

Could anyone please explain how response packets can be routed back to the DMZ host with Linux netfilter or Solaris ipfilter rules?

Thanks in advance,
Jason.
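A Linux netfilter ruleset for the single-interface setup described in the question, added here as an example that is not from either poster. The interface name eth0, the public TCP/8080 to 192.168.2.2:80 port forward and the sysctl settings are assumed values; the rules are emitted in iptables-restore format and only applied with --apply.

```shell
#!/bin/sh
# Single-interface ("router on a stick") NAT gateway, as an added example.
# Assumed: eth0 carries both 192.168.2.1/24 and the DSL-assigned public address,
# and the DMZ hosts 192.168.2.2-4 use 192.168.2.1 as their default gateway.
# Reply packets are reverse-translated by netfilter connection tracking, which
# takes the role of natd's packet table; no daemon or listening port is needed.
set -eu

WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"

# Emit the ruleset in iptables-restore format; nothing is applied here.
nat_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Outbound: rewrite LAN sources to whatever address $WAN_IF holds at the time.
# MASQUERADE follows a dynamic DSL address; use SNAT --to-source if it is static.
-A POSTROUTING -s $LAN_NET ! -d $LAN_NET -o $WAN_IF -j MASQUERADE
# Port forward (assumed values): public TCP/8080 to 192.168.2.2:80.
-A PREROUTING -i $WAN_IF ! -s $LAN_NET -p tcp --dport 8080 -j DNAT --to-destination 192.168.2.2:80
COMMIT
*filter
:FORWARD DROP [0:0]
# In and out are the same interface. Let LAN hosts out, let only replies to
# tracked connections (and the forwarded port) back in.
-A FORWARD -i $WAN_IF -o $WAN_IF -s $LAN_NET ! -d $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $WAN_IF -d 192.168.2.2 -p tcp --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# Number of -A rules emitted, so a dry run can be checked without root.
nat_rule_count() { nat_rules | grep -c '^-A'; }

apply_rules() {
  sysctl -w net.ipv4.ip_forward=1
  # Forwarding back out the ingress interface: don't advertise shortcuts to LAN hosts.
  sysctl -w "net.ipv4.conf.$WAN_IF.send_redirects=0"
  nat_rules | iptables-restore   # replaces the current nat and filter tables
}

case "${1:-}" in
  --apply) apply_rules ;;
  *) nat_rules ;;                 # default: print the rules for review
esac
```

Run without arguments to review the generated rules; `--apply` needs root and loads them with iptables-restore, which replaces the existing nat and filter tables.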
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html