[prev in list] [next in list] [prev in thread] [next in thread]
List: netfilter
Subject: Re: Can netfilter do this?
From: Daniel Stone <daniel () sfarc ! net>
Date: 2001-06-23 0:56:32
[Download RAW message or body]
On Fri, Jun 22, 2001 at 11:58:44AM +0100, Russell King wrote:
> I'm quickly coming to the conclusion that netfilter isn't able to forfill
> my nat requirements, since I can't find a set of rules that actually work.
>
> I have the following interfaces on my firewall:
>
> eth0 (internal network)
> eth1 (public internet)
> cipcb0 (tunnel)
>
> I want to be able to do the following:
>
> 1. Outgoing connections from the internal network:
> a) ftp, ssh, web, (basically random collection of port numbers that
> I specify) to any public internet address I want to be routed out
> via eth1 using eth1's IP address using masquerade.
> b) everything else I want to be SNAT'd via cipcb0 using cipcb0's IP
> address.
Yeeesss ... um ... you'll need to use this in combination with rule-based
routing AFAICS. Something like:
mangle table - PREROUTING -
if it's a) - set a MARK
if it's b) - set another MARK
routing code runs and decides where to go based on the MARK
nat table - POSTROUTING -
matches on the MARK and decides where to go from there
> 2. Outgoing connections from firewall machine:
> Same as (1) above, but different selection of port numbers
Output NAT is broken bad evil shocking die die die not currently functional.
> 3. Incoming connections via cipcb0:
> a) DNAT'd to relevant internal IP address
> b) Locally addressed (cipcb0 interface address) delivered locally.
WRT a), if you're talking about the connections that have been set up, then
SNAT already does that, otherwise both are trivial.
> 4. Incoming connections via eth1:
> a) a selection of destination port numbers to be DNAT'd to an internal
> machine. Reply packets for this connection to be sent via eth1
> with eth1's IP address.
Yep, DNAT automatically sets up a return rule.
> b) everything else delivered locally.
Yes.
> 5. eth0 - standard routing rules apply (locally addressed packets delivered
> locally, otherwise forwarded).
Yes.
> No matter what I do, I seem to end up with connections that use cipcb0 for
> incoming and eth1 with cipcb0's IP address for outgoing or connections that
> use eth1 for incoming and cipcb0 for outgoing with eth1's IP address.
>
> Obviously re-writing the source address on output depending on the interface
> is going to break everything, so is not an option. ;(
I think you just need to look into -j MARK and policy routing.
:) d
--
Daniel Stone <daniel@sfarc.net>
<Nuke> "can NE1 help me aim nuclear weaponz????? /MSG ME!!"
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic