NAT with forwarding to multiple destinations

NAT with forwarding to multiple destinations

[Alberto Quattrini Li]

Hi,

I would like to know if there is any way by using NAT feature to
forward a message to multiple destinations. I know that there is the
package TEE, but that works at IP level, and so you can duplicate the
packet to another host (i.e. specifying another address, but not the
port). Moreover I know that specifying a range of port in
to-destination just load-balances the traffic flow within that range,
so that solution doesn't work.

For example, let's say that I have a server that wants to broadcast a
message to different clients on the same machine (so identified by
localhost:port; each client has different port obviously).
So it would be very easy if the server can send the message to the
"broadcast port" and when netfilter intercepts it, by matching that
broadcast port as destination port, netfilter would forward it to
destinations specified by the rule.

Thanks
Alberto

Re: NAT with forwarding to multiple destinations

[Alberto Quattrini Li]

Sorry I didn't specify it. Of course I use UDP protocol, so it is
connectionless.

Alberto


On Thu, Dec 2, 2010 at 1:46 PM, Giles Coochey <giles@coochey.net> wrote:
> On 02/12/2010 13:38, Alberto Quattrini Li wrote:
>
> Hi,
>
> I would like to know if there is any way by using NAT feature to
> forward a message to multiple destinations. I know that there is the
> package TEE, but that works at IP level, and so you can duplicate the
> packet to another host (i.e. specifying another address, but not the
> port). Moreover I know that specifying a range of port in
> to-destination just load-balances the traffic flow within that range,
> so that solution doesn't work.
>
> For example, let's say that I have a server that wants to broadcast a
> message to different clients on the same machine (so identified by
> localhost:port; each client has different port obviously).
> So it would be very easy if the server can send the message to the
> "broadcast port" and when netfilter intercepts it, by matching that
> broadcast port as destination port, netfilter would forward it to
> destinations specified by the rule.
>
> Maybe you just want multi-cast.
>
> You couldn't do this with connection based protocols such as TCP as you need
> to handle each connection differently at higher layers.
>
> --
> Best Regards,
>
> Giles Coochey
> NetSecSpec Ltd
> Email/MSN/Live Messenger: giles@coochey.net
> Skype: gilescoochey
>
>

Re: NAT with forwarding to multiple destinations

[Jan Engelhardt]

On Thursday 2010-12-02 13:38, Alberto Quattrini Li wrote:

>Hi,
>
>I would like to know if there is any way by using NAT feature to
>forward a message to multiple destinations. I know that there is the
>package TEE, but that works at IP level, and so you can duplicate the
>packet to another host (i.e. specifying another address, but not the
>port). Moreover I know that specifying a range of port in
>to-destination just load-balances the traffic flow within that range,
>so that solution doesn't work.
>
>For example, let's say that I have a server that wants to broadcast a
>message to different clients on the same machine (so identified by
>localhost:port; each client has different port obviously).
>So it would be very easy if the server can send the message to the
>"broadcast port" and when netfilter intercepts it, by matching that
>broadcast port as destination port, netfilter would forward it to
>destinations specified by the rule.

NAT does not do forwarding, and neither does Netfilter - routing will.

The multiplexing you want is probably best done with a program that does 
just that - think of sprucing up rinetd.

Re: NAT with forwarding to multiple destinations

[Alberto Quattrini Li]

> NAT does not do forwarding, and neither does Netfilter - routing will.
I know that, but it works with just IP addresses, and not port.

> The multiplexing you want is probably best done with a program that does
> just that - think of sprucing up rinetd.
As far as I know, all of the programs like that are programs that run
as a process in the middle, so it introduces an overhead (because they
are in userspace and have to receive the packet and then process it
and finally forward it), whereas if it was processed by netfilter it
would be quicker and more efficient (actually some testing and
comparisons should be done, but in principle it ought to be so).

However it seems that there doesn't exist any solution in netfilter.
Can you give me a reference (e.g. documentation and guides) to patch
netfilter with such functionality?

Alberto

Re: NAT with forwarding to multiple destinations

[Jan Engelhardt]

On Thursday 2010-12-02 16:17, Alberto Quattrini Li wrote:

>> The multiplexing you want is probably best done with a program that does
>> just that - think of sprucing up rinetd.
>
>As far as I know, all of the programs like that are programs that run
>as a process in the middle, so it introduces an overhead (because they
>are in userspace and have to receive the packet and then process it
>and finally forward it), whereas if it was processed by netfilter it
>would be quicker and more efficient (actually some testing and
>comparisons should be done, but in principle it ought to be so).
>
>However it seems that there doesn't exist any solution in netfilter.
>Can you give me a reference (e.g. documentation and guides) to patch
>netfilter with such functionality?

You could write your own extension, based upon xt_TEE.

Re: NAT with forwarding to multiple destinations

[Reuben Martin]

I appoligize that this reply will probably not thread correctly, I just joined this list because I'm also looking for something like this. So I'm just pasting this from the web archive...

On Friday 2010-12-03 15:28:52, Jan Engelhardt wrote:
>On Thursday 2010-12-02 16:17, Alberto Quattrini Li wrote:
>
>>> The multiplexing you want is probably best done with a program that does
>>> just that - think of sprucing up rinetd.
>>
>>As far as I know, all of the programs like that are programs that run
>>as a process in the middle, so it introduces an overhead (because they
>>are in userspace and have to receive the packet and then process it
>>and finally forward it), whereas if it was processed by netfilter it
>>would be quicker and more efficient (actually some testing and
>>comparisons should be done, but in principle it ought to be so).
>>
>>However it seems that there doesn't exist any solution in netfilter.
>>Can you give me a reference (e.g. documentation and guides) to patch
>>netfilter with such functionality?

I'm looking for something like this as well. Specifically I need to be able to create a rule that will take packets sent to a given specified address & port and forward them to either an ip range or and ipset. An ipset is preferred because that way the destinations can be dynamically changed. I've tried several reflectors/forwarders and they generally suck. Futhermore none of them are dynamic (that I have found at least) And of course this limiting something like this to datagram packets would probably be a smart precaution.

Has anybody come up with something for this? I'm nowhere near competent enough to tackle something like this on my own. I'm a lousy hack. Basically my need for this is to be able to send a live rtp video stream to a dynamically changing group of unicast destinations. But changing destinations means stopping and restarting the stream. Doing this outside the streaming app gets around this. Multicasting is of course a great solution, but I have to hook into other peoples networks where I have no control over rules and layout, and there is rarely multicast support. And even where there is multicast support, I sometimes have to send through VPNs or subnet gateways where the multicast wouldn't reach anyway.


>
>You could write your own extension, based upon xt_TEE.