Re: [Bulk] Connection tracking Cli and an ALG for DNS

(I didn't reply to the original sender, my bad. So sending the same message again...)

On 06/11/2015 23:27, Bill wrote:
> I've been looking at this a bit more and it occurs to me that it may be I
> don't need 'expect', but can use the regular connection tracking table.
>
> [...]
>
> If anyone can tell me definitively if I can use a connection or an expect to
> do what I want, as described below, I'd appreciate it.
>
> /bill
>
> On Wednesday 04 November 2015 13:32, Bill wrote:
>> I am looking at creating a DNS_ALG using netfilter connection tracking.  I
>> believe I understand most of what is needed but am having problems testing
>> the ideas using the CLI from the conntrack-tools package.
>>
>> Basically I have a setup that looks like this: a NAT gateway (with DNS), a
>> local host inside the NAT, and a remote host outside the NAT:
>>
>>   local host            dns/nat gateway           remote host
>>   192.168.20.171        192.168.20.170            192.168.30.172
>>                         192.168.30.170
>>   inside          ----->>> nat >>> ------         outside
>>
>> Thus local host can connect to remote host and is natted through the gateway,
>> but remote host can't connect to local host as it is blocked by the NAT
>> gateway.
>>
>> What I want ultimately is for remote to do a DNS on the gateway, and have the
>> gateway configure the NAT to allow the incoming connection.  I want the
>> connection to look as if local has initiated it, i.e. I want it natted so the
>> connection is between the gateway and the remote host IPs on the outside.
>>
>> Ultimately I want to program this into a DNS server or build a DNS_ALG, but
>> for now I am just testing out the ideas and trying to test using the
>> conntrack-tools, but I am having limited success.  I can
>> add/delete/modify connections but I haven't been able to create a conntrack
>> 'expectation'.

Do you just want 192.168.20.171, behind a NAT gateway, to be the DNS server
for outside? Can you confirm that's the case or is there something else?

>> In the conntrack-tools there is a set of tests in a 'test.sh' file that has
>> examples, and they work, but not the 'expectation' test, as it is missing
>> some options.
>>
>> What I'd like to know is, given the above example, where I'd like
>> 192.168.30.172 to connect to an expectation on 192.168.30.170 and be passed
>> through the NAT to 192.168.20.171, what are the right commands to use?
>>
>> I am pretty sure I need an 'expectation' and not a connection in one of the
>> initial state machine states, but please correct me if I am wrong.

Can't you simply use the iptables DNAT target? If not, can you explain why
it won't work for your use case and for what reason you'd need something else?

>> /bill
>> --

regards,
Adel BELHOUANE
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
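The DNAT route Adel suggests, applied to Bill's topology, as an added example that is not code from the thread: a small shell helper that a DNS-triggered hook on the gateway could call to open, and later close, a DNAT hole for one remote host only. The addresses are the ones in the e-mail; the service port, the `dnat_rules` helper and the `IPT` override are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): per-remote DNAT hole on the gateway.
# Addresses are from the e-mail; port and helper names are assumptions.
GW_OUT=192.168.30.170    # gateway address on the outside
LOCAL=192.168.20.171     # local host behind the NAT
IPT="${IPT:-iptables}"   # set IPT=echo to print the commands instead of running them

# dnat_rules ACTION REMOTE PROTO PORT
# ACTION is -A (open the hole) or -D (close it again). Prints one iptables
# command per line, so the same function builds and undoes the rule set.
dnat_rules() {
  action=$1 remote=$2 proto=$3 port=$4
  # Rewrite only this remote's traffic to this port on the outside address.
  # The outside still sees remote <-> gateway, which is what Bill asked for.
  printf '%s\n' "$IPT -t nat $action PREROUTING -s $remote -d $GW_OUT -p $proto --dport $port -j DNAT --to-destination $LOCAL"
  # Forward the rewritten flow and its replies, but nothing else from that remote.
  printf '%s\n' "$IPT $action FORWARD -s $remote -d $LOCAL -p $proto --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
  printf '%s\n' "$IPT $action FORWARD -s $LOCAL -d $remote -p $proto --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# What the DNS hook would call after answering a query from REMOTE.
open_hole()  { dnat_rules -A "$@" | sh; }
# What it should call when the lookup's lease expires, so the hole is temporary.
close_hole() { dnat_rules -D "$@" | sh; }
```

Run as root on the gateway, e.g. `open_hole 192.168.30.172 tcp 22`; `conntrack -L -d 192.168.20.171` then shows the translated entries the rules produced.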