Re: NAT with unique egress port

On Thu, Oct 27, 2016 at 10:02 AM, Rui Santos <rsantos@xxxxxxxxxxxxx> wrote:
Hi all,

I'm currently using NAT to provide Basic address translation from
private to public IPs.

However, linux kernel uses both destination IP and Port as part of
its NAT mapping process. This way (client1 and client2 are on the
same internal network):
- if client1 connects to server1 using source port X, the NAT will be
mapped: client1IP:SourcePortX -> server1IP:SourcePortX;
- if client2 then connects to server2 using source port X, the NAT
will be mapped: client2IP:SourcePortX -> server2IP:SourcePortX.
Basically, SourcePortX is used on both mappings for client1 and client2.

But, if client2 tries to connect to server1 instead, using the same
source port X, the NAT will be mapped: client2IP:SourcePortX ->
server2IP:SourcePortY
SourcePortY will be an available (randomly generated?) ephemeral port.

My goal is to force this behavior on all outgoing connections. This
way I would get a unique egress port mapping to an internal IP:Port in
a specific point in time:
- if client1 connects to server1 using source port X, the NAT will be
mapped: client1IP:SourcePortX -> server1IP:SourcePortX;
- if client2 then connects to server2 using source port X, the NAT
will be mapped: client2IP:SourcePortX -> server2IP:SourcePortY.
SourcePortY will be an available (randomly generated?) ephemeral port.

I am aware that this will imply a concurrent NAT connections limit,
equal to the ephemeral port range, per egress IP.

Is there any way I can accomplish this kind of behaviour?

I believe that you should be asking that on #netfilter maillist.

AFAIK I think it is feasible to do (perhaps even without programming using netfilter).

Thanks for all your help,
--
Rui Santos
Veni, Vidi, Linux

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies



--
Simplicity is the ultimate sophistication
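An added model of the two port-selection policies discussed in the thread (my illustration, not code from the thread and not the kernel's nf_nat implementation): the kernel-like policy, where a mapping only has to be unique together with the destination, beside the unique-egress-port policy Rui asks for, including the concurrent-connection limit it implies. Addresses and the port range are constructed sample values; the practical difference for a defender is that under the strict policy an egress IP:port seen in an external log identifies one internal client without needing the destination.

```python
from dataclasses import dataclass, field
import random


@dataclass
class Nat:
    """Source-NAT port allocator for one egress IP (simplified, constructed model)."""
    unique_egress_port: bool            # False: kernel-like; True: the policy Rui wants
    ports: range = range(32768, 61000)  # constructed sample ephemeral range
    rng: random.Random = field(default_factory=lambda: random.Random(1))
    table: dict = field(default_factory=dict)  # key -> internal (ip, port)

    def _key(self, egress_port, dst):
        # Kernel-like mode: a mapping is unique only together with the
        # destination, so the same egress port can serve several destinations.
        # Unique mode: the egress port alone is the key.
        return egress_port if self.unique_egress_port else (egress_port, dst)

    def map(self, src, dst):
        """Pick the egress port for flow src -> dst; None when the range is exhausted.

        src and dst are (ip, port) tuples. As described in the thread, the
        client's own source port is kept whenever the mapping is still free;
        otherwise a free port from the ephemeral range is chosen.
        """
        if self._key(src[1], dst) not in self.table:
            self.table[self._key(src[1], dst)] = src
            return src[1]
        start = self.rng.randrange(len(self.ports))  # random start, then wrap around
        for i in range(len(self.ports)):
            port = self.ports[(start + i) % len(self.ports)]
            if self._key(port, dst) not in self.table:
                self.table[self._key(port, dst)] = src
                return port
        return None  # concurrent-connection limit reached

    def lookup(self, egress_port, dst):
        """Reverse translation for a reply (or a log line) seen at egress_port from dst."""
        return self.table.get(self._key(egress_port, dst))

    def release(self, egress_port, dst):
        """Drop the mapping when the connection ends, freeing the port."""
        self.table.pop(self._key(egress_port, dst), None)
```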
