Re: How to Lookup NAT Mapping?
From: TN (px9900i_at_yahoo.com)
Date: 08/20/04
- Next message: Jemy: "linux routing help"
- Previous message: P Gentry: "Re: Ready to replace NT domain"
- In reply to: Beat Bolli: "Re: How to Lookup NAT Mapping?"
- Next in thread: jack: "Re: How to Lookup NAT Mapping?"
- Reply: jack: "Re: How to Lookup NAT Mapping?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 19 Aug 2004 19:19:53 -0700
Hello!
Beat Bolli <b11@gmx.Dont-Spam.net> wrote in message news:<4124f1a1$0$2812$5402220f@news.sunrise.ch>...
> Well, NAT generally doesn't rewrite destination addresses, but source
> addresses, so that the reply packets reach the NAT router.
I guess it's a matter of how you look at it. Obviously the rewrite has
to be done in both directions, but since the connections we're working
with are mostly inbound, we use mostly DNAT rules, mapping external
global addresses to internal private ones. We just let conntrack
handle the reverse mapping.
> Anyway, short of reimplementing the routing subsystem of the Linux
> kernel, I'd recommend to configure your program with address ranges for
> internal and external IP addresses and do some comparisons to check
> which range (internal/internal, internal/external, etc.) your addresses
> fall into.
That's not really an option in our case. Or I should say, this is
similar to what we're doing now, but we have thousands of firewalls
to manage and manual configuration has proven to be a source of
unacceptable errors. I need a solution that I can just drop into a box
and have it dynamically determine whether a given flow is going to be
NAT'ed or not, and if so, what the changes (source and destination)
will be. I don't think this is 100% achievable without patching the
kernel, but I thought there might be a way to handle 95% of the cases
(simple networks) automatically, then use special case configuration
where needed.
The thing is... the kernel can obviously do this (compute the
mappings). All I need is a way to access that expertise from
userspace. Netlink seems like the ideal thing, but it doesn't seem to
provide NAT data.
> If you need information about the currently masqueraded connections, you
> can read /proc/net/ip_conntrack.
Well, there are a couple of problems. First, I'm not sure
/proc/net/ip_conntrack has any indication of whether a connection was
rewritten via NAT rules. I have a vague recollection that it doesn't.
And then more importantly, what I need to do is determine what the
mapping will be BEFORE the connection is actually made, so conntrack
won't be of much help there.
Thanks for your help! It's a puzzle.
TN
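As an added example, not part of TN's or Beat Bolli's posts, the script below shows both approaches that come up in the exchange. The first part is the configured-range comparison Beat suggests, combined with a static DNAT table of the kind TN describes (external global address to internal private address), used to predict what a new flow's tuple will look like before the connection exists. The second part reads lines in the classic /proc/net/ip_conntrack layout and compares the original-direction tuple with the reply-direction tuple: where the reply is not simply the mirror of the original, an address or port was rewritten. The address ranges, DNAT table, SNAT address and conntrack lines are all constructed for the example.

```python
"""NAT-mapping prediction from configured ranges, plus conntrack inspection.

Added example, not code from the thread. All addresses and the DNAT table are
constructed: RFC 5737 documentation prefixes stand in for public space and
RFC 1918 prefixes for the internal network.
"""
import ipaddress
import re

# Constructed configuration (what Beat Bolli suggests hand-configuring).
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.0.0/16")]
EXTERNAL_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # our public block

# Constructed DNAT table: (global address, port) -> (private address, port).
DNAT_TABLE = {
    ("203.0.113.10", 80): ("192.168.1.10", 8080),
    ("203.0.113.10", 25): ("192.168.1.20", 25),
}
# Constructed address that internal hosts are source-NATed to on the way out.
SNAT_ADDRESS = "203.0.113.1"


def classify(addr):
    """Return 'internal', 'external' (our public block) or 'other'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in INTERNAL_RANGES):
        return "internal"
    if any(ip in net for net in EXTERNAL_RANGES):
        return "external"
    return "other"


def predict_mapping(src, sport, dst, dport):
    """Predict a new flow's tuple after NAT, before the connection is made.

    Returns (kind, new_src, new_sport, new_dst, new_dport) where kind is
    'dnat', 'snat' or 'none'.
    """
    s_kind, d_kind = classify(src), classify(dst)
    # Inbound to one of our global addresses: consult the DNAT table.
    if d_kind == "external" and (dst, dport) in DNAT_TABLE:
        new_dst, new_dport = DNAT_TABLE[(dst, dport)]
        return ("dnat", src, sport, new_dst, new_dport)
    # Internal host talking to anything outside: source rewritten on egress.
    if s_kind == "internal" and d_kind != "internal":
        return ("snat", SNAT_ADDRESS, sport, dst, dport)
    # Internal/internal, or no rule that matches: left untouched.
    return ("none", src, sport, dst, dport)


# One conntrack line carries the original tuple and then the reply tuple.
_TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def conntrack_rewrite(line):
    """Report what NAT did to an existing connection from its conntrack line.

    Without NAT the reply tuple is the mirror of the original; a difference in
    the reply's destination means the original source was rewritten (SNAT), a
    difference in the reply's source means the original destination was
    rewritten (DNAT). Returns a list of (kind, before, after) or None if the
    line does not contain two tuples.
    """
    tuples = _TUPLE.findall(line)
    if len(tuples) != 2:
        return None
    (osrc, odst, osport, odport), (rsrc, rdst, rsport, rdport) = tuples
    rewrites = []
    if (rdst, rdport) != (osrc, osport):
        rewrites.append(("snat", f"{osrc}:{osport}", f"{rdst}:{rdport}"))
    if (rsrc, rsport) != (odst, odport):
        rewrites.append(("dnat", f"{odst}:{odport}", f"{rsrc}:{rsport}"))
    return rewrites


# Constructed sample lines in the /proc/net/ip_conntrack layout.
SAMPLE_CONNTRACK = [
    "tcp 6 431999 ESTABLISHED src=192.168.1.5 dst=198.51.100.7 sport=40000 "
    "dport=80 src=198.51.100.7 dst=203.0.113.1 sport=80 dport=40000 [ASSURED] use=1",
    "tcp 6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.10 sport=51000 "
    "dport=80 src=192.168.1.10 dst=198.51.100.7 sport=8080 dport=51000 [ASSURED] use=1",
    "tcp 6 120 TIME_WAIT src=10.0.0.2 dst=10.0.0.3 sport=55000 dport=22 "
    "src=10.0.0.3 dst=10.0.0.2 sport=22 dport=55000 use=1",
]

if __name__ == "__main__":
    print(predict_mapping("198.51.100.7", 51000, "203.0.113.10", 80))
    print(predict_mapping("192.168.1.5", 40000, "198.51.100.7", 80))
    for entry in SAMPLE_CONNTRACK:
        print(conntrack_rewrite(entry))
```

The predictor only covers the "simple network" case TN mentions: it has no notion of interface, rule order or port-range SNAT, so a box with more elaborate rules still needs the special-case configuration he refers to. The conntrack reader is exact for whatever the kernel has already tracked, which is why it complements rather than replaces the prediction.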