Re: Connection tracking Cli and an ALG for DNS


 



On Sunday 15 November 2015 13:45, Adel Belhouane wrote:
> (I didn't reply to the original sender, my bad. So sending the same message
> again...)
>
> Le 06/11/2015 23:27, Bill a écrit :

> Do you just want 192.168.20.171, behind a NAT gateway, to be the DNS server
> for outside? Can you confirm that's the case or is there something else?

Actually it is 192.168.30.171 that is a NAT gateway and the DNS server for the 
192.168.20.0 network.

> Can't you simply use the iptables DNAT target? If not, can you explain why
> it won't work for your use case and for what reason you'd need something
> else?
>

DNAT would give access to a specific host, but I want to refer to it by a DNS 
name for 2 reasons:

1)  The host I am going to connect to may change its IP address, or if it is a 
service being requested, it might be provided by another host if the network 
changes (I am looking at a mobile network where hosts may come and go, or 
other hosts may replace them in times of interruption).

2)  Since the DNS may return different IPs over time, I don't want the IP in 
the local 192.168.20.0 network to be revealed.  Instead I want it to appear 
NATted, so it will be 192.168.30.170 + a port for this connection.  In other 
words I want it to look like the host on the 192.168.20.0 network initiated 
the connection.

For reference here is my diagram again:

> >> local host               dns/nat gateway              remote host
> >> 192.168.20.171      192.168.20.170                192.168.30.172
> >>                                192.168.30.170
> >> inside               ----->>> nat >>> ------          outside

As you can see, DNAT would not do for my requirements since I'd have to 
add/delete iptables rules, which I suppose I could do, but that doesn't seem the 
right approach.

Now since my original posting I have been reading code and have managed to 
create an 'expect' connection by upgrading to the latest 4.4 kernel.  In 
this version I find the sample test 'create-expect' works.

After succeeding with this I realize I may need to build a kernel module for 
the expectation and have started looking at the kernel code for this, such as 
those for FTP etc.

/bill
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
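Editor's note: the "add/delete iptables rules" alternative that Bill dismisses above is what a DNAT-based solution would actually have to do, so here is what it looks like in practice. This is an added illustration, not code from the thread, from Bill, or from the netfilter project. It reuses the addresses in the diagram (gateway outside address 192.168.30.170, inside network 192.168.20.0/24, inside host 192.168.20.171); the DNS name svc.example.lan and TCP port 8443 are constructed for the example. The resolver and the command runner are injected so the logic runs offline (dry run); on a real gateway the runner would be subprocess.run as root, polled at the record's TTL. Two caveats a practitioner should keep in mind: flows already in the conntrack table keep their old DNAT mapping until they expire, so re-pointing the rule only affects new connections; and the DNAT target is never visible to the outside peer, which only ever talks to 192.168.30.170, so the check below that the resolved address lies inside 192.168.20.0/24 is what stops a wrong or spoofed DNS answer from turning the gateway into a relay to an arbitrary host.

```python
"""DNS-driven DNAT updater (added example, not code from the netfilter thread).

Addresses follow the diagram in the message; the DNS name, port, resolver and
command runner are assumptions made for the example.
"""
import ipaddress
import shlex
from typing import Callable, Dict, List, Optional

GATEWAY_OUTSIDE = "192.168.30.170"                    # gateway outside address (from the diagram)
INSIDE_NET = ipaddress.ip_network("192.168.20.0/24")  # inside network (from the diagram)


def dnat_rules(gw_ip: str, port: int, target_ip: str, action: str) -> List[List[str]]:
    """Build the iptables argv lists that publish gw_ip:port as target_ip:port.

    action is "-I" to insert the rules at the head of their chains, or "-D" to
    delete exactly the same rules again (iptables -D matches on the rule text).
    """
    return [
        ["iptables", "-t", "nat", action, "PREROUTING",
         "-d", gw_ip, "-p", "tcp", "--dport", str(port),
         "-j", "DNAT", "--to-destination", f"{target_ip}:{port}"],
        ["iptables", action, "FORWARD",
         "-d", target_ip, "-p", "tcp", "--dport", str(port),
         "-m", "conntrack", "--ctstate", "NEW,ESTABLISHED,RELATED",
         "-j", "ACCEPT"],
    ]


def sync_dnat(state: Dict[str, Optional[str]], name: str, port: int,
              resolve: Callable[[str], str],
              run: Callable[[List[str]], None]) -> List[List[str]]:
    """Re-point the DNAT rules at whatever `name` currently resolves to.

    state["current"] holds the inside address the rules point at now (None when
    nothing is installed).  New rules are inserted before the old ones are
    deleted, so there is no window without a rule.  Returns the commands run.
    """
    new_ip = resolve(name)
    # Refuse anything outside the inside network: a bad DNS answer must not make
    # the gateway forward traffic to an arbitrary host.
    if ipaddress.ip_address(new_ip) not in INSIDE_NET:
        raise ValueError(f"{name} resolved to {new_ip}, outside {INSIDE_NET}; not installing")
    old_ip = state.get("current")
    if new_ip == old_ip:
        return []                      # answer unchanged, nothing to do
    cmds = dnat_rules(GATEWAY_OUTSIDE, port, new_ip, "-I")
    if old_ip is not None:
        cmds += dnat_rules(GATEWAY_OUTSIDE, port, old_ip, "-D")
    for cmd in cmds:
        run(cmd)
    state["current"] = new_ip
    return cmds


if __name__ == "__main__":
    # Dry run with a fake resolver that first answers .171, then .172.
    answers = iter(["192.168.20.171", "192.168.20.172"])
    state: Dict[str, Optional[str]] = {"current": None}
    for _ in range(2):
        for cmd in sync_dnat(state, "svc.example.lan", 8443,
                             lambda _n: next(answers), lambda _c: None):
            print(shlex.join(cmd))
```

The dry run prints the insert commands for 192.168.20.171, then the inserts for 192.168.20.172 followed by the deletes for .171. Replacing `lambda _c: None` with `lambda c: subprocess.run(c, check=True)` applies them for real; `conntrack -D -d 192.168.20.171` would additionally drop the flows still pinned to the old target, at the cost of cutting those sessions.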


