* RFC 2694 and iptables
From: Didier Tournier @ 2002-11-04 16:48 UTC (permalink / raw)
To: netfilter-devel
Hi,
I would like to build a DNS ALG with iptables.
The main role of a DNS ALG is to modify DNS response packets by replacing
private IP addresses with public ones.
I ask anybody whether it is a good idea to build a new target module and, in
that case, whether I have to rebuild the kernel or whether I could build it in user
space by using libipq.
Is there any literature on how to add a new target module for iptables?
Thanks in advance for your help.
Didier Tournier
French version (translated):
Hello,
I would like to write a target for iptables. It will perform the
DNS-ALG function for IPv4.
The main function of this DNS-ALG will be to replace a private address
with a public one (cf. RFC 2694).
Could you guide me a little on the following points?
If I write a module, do I have to recompile the kernel, or
can I simply write a shared object?
Where can I find example makefiles for this type of shared object?
What literature would you recommend for this exercise?
Is it possible to write a target using libipq?
Thanks in advance for your help.
Didier Tournier
Gemplus Application research labs.
* Re: RFC 2694 and iptables
From: Kevin McConnell @ 2002-11-05 6:10 UTC (permalink / raw)
To: Didier Tournier, netfilter-devel
--- Didier Tournier <Didier.TOURNIER@gemplus.com> wrote:
> Hi,
> I would like to build a DNS ALG with iptables.
> The main role of a DNS ALG is to modify DNS response packets by replacing
> private IP addresses with public ones.
Before you go trying to implement this module, you do
of course realize that there isn't a need for this,
right? The current bind9 is perfectly capable of
coexisting on a host that has both RFC 1918 addresses
and real addresses, and depending on what clients ask
it for resolution, it can define a "view" of what the
internet/intranet should look like for them. Before
you go putting too much effort for this, please look
into seeing if this can solve what you are trying to
accomplish. If not, then please reword your statement
to explain what you are trying to do.
=====
Kevin C. McConnell --RHCE-- <Red Hat Certified Engineer>
* Re: RFC 2694 and iptables
From: Didier Tournier @ 2002-11-05 9:10 UTC (permalink / raw)
Cc: netfilter-devel
Kevin,
I had a look at the Bind9 documentation, but I don't think that it will match
our need.
Let me begin by explaining our need (with more details).
The application is a way to manage mobile servers in a private area.
We want to allow any client residing on the internet to connect to any
server in a private zone.
This could be done by using Bind9 but....
We also have to take into account that we have a lot of servers and only a few public
addresses (IPv4).
In the bind9 documentation I didn't see a way to update the zone files
dynamically (for the public address, of course), and the only way to
predict a future connection is through the DNS itself.
(If there's a DNS query, most of the time it is to connect to the host just
after.)
If I missed something in the Bind doc, let me know.
In RFC 2694, the DNS request is used to predict that a connection
will be required to a specific host, and to configure the NAT. The
response TTL also has to be set (or reset) to 0.
Most of the time, I compare that need with what a NAT-PT does, because
there's a need for a DNS-ALG there too.
So, my need is more technical, about the way to build (compile and so on)
such a module, than about other ways to manage our need. So please, if any of you
could give me some information, it would be really useful.
Didier Tournier
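The rewrite described above (the RFC 2694 DNS-ALG step: swap private A-record addresses for their public counterparts and force the TTL to 0 so clients do not cache the translated answer), as an added Python example that is not code from this thread or from netfilter. The domain name, the addresses and the private-to-public mapping are constructed; a kernel target or a libipq handler would apply the same logic to the UDP payload and then recompute the UDP checksum.

```python
import ipaddress
import struct

def skip_name(msg, off):
    """Return the offset just past a domain name (handles compression pointers)."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln >= 0xC0:                         # two-byte pointer terminates the name
            return off + 2
        off += 1 + ln

def iter_records(msg):
    """Yield (rr_offset, type, class, ttl, rdlen) for each RR after the question."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        yield off, rtype, rclass, ttl, rdlen
        off += 10 + rdlen

def a_records(msg):                            # (address, ttl) of every IN A record
    return [(str(ipaddress.IPv4Address(msg[o + 10:o + 14])), ttl)
            for o, t, c, ttl, rdlen in iter_records(msg) if t == 1 and c == 1 and rdlen == 4]

def rewrite_dns_response(msg, mapping):
    """RFC 2694 DNS-ALG step: private A addresses -> public ones, TTL forced to 0."""
    if not msg[2] & 0x80:                      # QR bit clear: a query, pass it untouched
        return bytes(msg)
    out = bytearray(msg)
    for off, rtype, rclass, _ttl, rdlen in iter_records(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addr = str(ipaddress.IPv4Address(msg[off + 10:off + 14]))
            if addr in mapping:                # constructed mapping, shared with the NAT
                out[off + 10:off + 14] = ipaddress.IPv4Address(mapping[addr]).packed
                out[off + 4:off + 8] = b"\x00\x00\x00\x00"   # TTL 0 so clients re-ask
    return bytes(out)   # same length, but a real hook must still recompute the UDP checksum

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
def build_response(name, answers):             # constructed reply: question + A answers
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(name) + struct.pack("!HH", 1, 1)
    for ip, ttl in answers:                    # 0xC00C points back at the question name
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return hdr + body
```

Records that are not IN A (AAAA, CNAME, NS) are left alone; a production ALG would also need to handle PTR answers and TCP-transported DNS.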
* Re: RFC 2694 and iptables
From: Kevin McConnell @ 2002-11-05 19:26 UTC (permalink / raw)
To: Didier Tournier; +Cc: netfilter-devel
--- Didier Tournier <Didier.TOURNIER@gemplus.com> wrote:
> The application is a way to manage mobile servers in a private area.
> We want to allow any client residing on the internet to connect to any
> server in a private zone.
> This could be done by using Bind9 but....
> We also have to take into account that we have a lot of servers and only a few public
> addresses (IPv4).
> In the bind9 documentation I didn't see a way to update the zone files
> dynamically (for the public address, of course), and the only way to
> predict a future connection is through the DNS itself.
You mean that you want to be able to assign fully
qualified domain names to mobile hosts on the
internet, dynamically, no matter where they connect
from, but you want to be able to make sure that only
those hosts which are allowed to do this have
authority to do this. Does this sound correct? If so,
then you can do this without an iptables module. Your
solution is to set up bind on the mobile hosts
themselves and allow them to connect to your
nameservers using rndc keys.
> If I missed something in the Bind doc, let me know.
> In RFC 2694, the DNS request is used to predict that a connection
> will be required to a specific host, and to configure the NAT. The
> response TTL also has to be set (or reset) to 0.
> Most of the time, I compare that need with what a NAT-PT does, because
> there's a need for a DNS-ALG there too.
Are you saying that your mobile hosts are going to
connect to your internal network using assigned RFC
1918 addresses via ppp or something like this... I am
still unsure of what you are trying to accomplish, but
I am sure that if you check out the bind-* lists you
might find some more useful help there....
=====
Kevin C. McConnell --RHCE-- <Red Hat Certified Engineer>
* Re: RFC 2694 and iptables
From: Jean-Francois Dive @ 2002-11-06 0:40 UTC (permalink / raw)
To: Kevin McConnell; +Cc: Didier Tournier, netfilter-devel
Well, you're right, this does not look useful in his case, but that
does not mean it is not useful at all.
It may be used to interconnect with NAT two networks which have the same
address space: make each network see the other one as a different
network prefix than what it is. This sounds like bad network design and
I agree, but this is a real world situation where, for example, 2
mega corps merge and changing the network prefix is not a feasible
thing. Of course, then, DNS payload manipulation is useful.
JeF
On Mon, Nov 04, 2002 at 10:10:17PM -0800, Kevin McConnell wrote:
>
> --- Didier Tournier <Didier.TOURNIER@gemplus.com>
> wrote:
> > Hi,
> > I would like to build a dns alg with iptables.
> > The main role of a dns alg is to modify DNS response
> > packet by replacing
> > private IP address with public ones.
>
> Before you go trying to implement this module, you do
> of course realize that there isn't a need for this,
> right? The current bind9 is perfectly capable of
> coexisting on a host that has both RFC 1918 addresses
> and real addresses, and depending on what clients ask
> it for resolution, it can define a "view" of what the
> internet/intranet should look like for them. Before
> you go putting too much effort for this, please look
> into seeing if this can solve what you are trying to
> accomplish. If not, then please reword your statement
> to explain what you are trying to do.
>
>
> =====
> Kevin C. McConnell --RHCE-- <Red Hat Certified Engineer>
--
-> Jean-Francois Dive
--> jef@linuxbe.org
There is no such thing as randomness. Only order of infinite
complexity. - _The Holographic Universe_, Michael Talbot
Thread overview: 6+ messages
2002-11-04 16:48 RFC 2694 and iptables Didier Tournier
2002-11-05 6:10 ` Kevin McConnell
2002-11-05 9:10 ` Didier Tournier
2002-11-05 19:26 ` Kevin McConnell
2002-11-06 0:40 ` Jean-Francois Dive
2002-11-04 16:20 RFC 2694 and iptables. Didier Tournier