Re: Stateless NAT in 2.6 (was Re: UDP Forwarding)

[Philip Craig <philipc@snapgear.com>]

Hi John,

John A. Sullivan III wrote:
> On Tue, 2005-02-22 at 16:18 +0800, Ming-Ching Tiew wrote:
> 
>>>> I would like to find a way to do this with the
>>>>CyberGuard devices.  I do not have the option of installing a UDP helper
>>>>so I have to do this with iptables or iproute.
>>>>
>>
>>Trying to understand your problem :-
>>
>>Why is the option of installing a UDP helper is out ? Is it because
>>the can't compile C programs and install any program on these 
>>cyberguard devices? And you can only write scripts ?
>>
> 
> <snip>
> Yes, exactly.  They are very small footprint appliances running ucLinux
> and I would not want to void any warranties by cross compiling and
> adding binaries to the image.  Thanks for such a quick response - John

Customizing the firmware won't void the warranty per se.  The problem
is that our support processes cannot handle units with custom firmware
in them, so if you have a problem with the unit, we require that you
reinstall the standard firmware before contacting support.

So adding a UDP helper isn't too hard if you don't mind cross compiling
it and recreating the firmware image.  If you want to go this route,
then you can find the source code on www.snapgear.org.

Alternatively, we currently only ship Linux 2.4 firmware, so you could
use the stateless NAT in the ip route command.  Unfortunately we've only
enabled this for the high-end units, thinking very few people would
have a use for it when we already have iptables NAT.  So again, you
may have build your firmware image.

It's probably possible to write an iptables mangle target to perform
stateless NAT, but it doesn't exist yet that I am aware of.

-- 
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com