* Re: SNAT & DNAT
[not found] <20041018152033.C85228A3C0@bne-mail01.vector.net.au>
@ 2004-10-19 23:54 ` Clayton Russell
0 siblings, 0 replies; 2+ messages in thread
From: Clayton Russell @ 2004-10-19 23:54 UTC (permalink / raw)
To: netfilter
Lee Evans wrote:
> Hi,
>
> Sorry if this has been asked before in some other guise - I looked through
> the archives but couldn't spot anything (or a search feature..)
>
> I'm going to be implementing a gateway system using IPTables, which will
> need to perform both DNAT & SNAT on incoming connections.
>
> The reason being that I want to provide external access to systems on a LAN
> which do not have a default gateway (and nor do I want them to have one).
>
> The connections will come in to the public IP of the gateway and be DNAT'ed
> to the internal IP PREROUTING, and then SNAT'ed to the gateway's private IP
> POSTROUTING so that the internal systems have a route out for reply traffic.
>
> I've tested this on a small test-network but before I try to roll it out on
> a larger scale, are there any issues with doing this that I should be aware
> of?
>
> Thanks
> Lee
>
>
Hi Lee,
I have had problems with this in the past with strange protocols which
the connection tracking does not recognise as related. For example, xdm
over this arrangment has some initial udp communication to organise the
X connection, then the client side (LAN in your case) initiates a TCP
connection to the server. In this scenario the fw does not recognise
the tcp connection as related to the udp connection, and does not know
how to NAT this packet.
This is a fairly strange example though, things like telnet, web etc all
worked fine.
Hope this helps,
Clayton
--
Clayton Russell
Systems Administrator
Vector Networks Pty Ltd
em: clayton.russell@vector.net.au
wb: www.vector.net.au
ph: +61 7 3236 9328
^ permalink raw reply [flat|nested] 2+ messages in thread
* SNAT & DNAT
@ 2004-10-18 14:46 Lee Evans
0 siblings, 0 replies; 2+ messages in thread
From: Lee Evans @ 2004-10-18 14:46 UTC (permalink / raw)
To: netfilter
Hi,
Sorry if this has been asked before in some other guise - I looked through
the archives but couldn't spot anything (or a search feature..)
I'm going to be implementing a gateway system using IPTables, which will
need to perform both DNAT & SNAT on incoming connections.
The reason being that I want to provide external access to systems on a LAN
which do not have a default gateway (and nor do I want them to have one).
The connections will come in to the public IP of the gateway and be DNAT'ed
to the internal IP PREROUTING, and then SNAT'ed to the gateway's private IP
POSTROUTING so that the internal systems have a route out for reply traffic.
I've tested this on a small test-network but before I try to roll it out on
a larger scale, are there any issues with doing this that I should be aware
of?
Thanks
Lee
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2004-10-19 23:54 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20041018152033.C85228A3C0@bne-mail01.vector.net.au>
2004-10-19 23:54 ` SNAT & DNAT Clayton Russell
2004-10-18 14:46 Lee Evans
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.