From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: "DNAT" w/o changing source address?
Date: Thu, 04 Oct 2007 14:33:44 -0500
Message-ID: <47054018.3090809@riverviewtech.net>
In-Reply-To: <470506E5.6030605@riverviewtech.net>

On 10/04/07 10:29, Grant Taylor wrote:
> Do you need to even change the destination IP if you can somehow get the 
> traffic over to the mail server?  I'm still thinking bridging and 
> EBTables.  I'll think about this and get back to you with a proposed 
> solution.

After some food and some thought, I am convinced that this can be done 
with bridging and EBTables.

For the sake of conversation I'm going to assume that the NATing host 
has or can have access to both VLANs.  Let vlan0 be the vlan of the 
router and NATing host and let vlan1 be the vlan of the real host that 
you want to redirect the traffic to.

  - Create a bridge 'bri0' that has vlan0 and vlan1 as ports in it.
  - Assign the NATing host's IP address(es) to the bri0 interface.
  - Create an EBTables rule in the BROUTING chain of the broute table 
that looks for the following conditions:
     - Proper ethernet protocol - IP
     - Proper IP protocol - TCP and / or UDP
     - Proper destination port
  - Have said EBTables rule DNAT the traffic to the MAC address of the 
real host that you want to redirect the traffic to.
  - Have the IP address bound to an interface on the real host that you 
want to redirect the traffic to.
  - Create a second EBTables rule in the BROUTING chain of the broute 
table that causes all other traffic to be routed like normal.

This will cause the NATing system to handle normal traffic while 
redirecting the traffic to the real host on the MAC layer (2).  Thus the 
real host will receive the traffic with the proper destination IP, 
which it will know how to use.  Thus the real host will have the IP in 
question, allowing traffic to originate from said IP back to the 
original client with the proper source IP.

Heck, if you wanted to you could even do this before the traffic gets to 
the NATing host.  This way, you don't even have to have anything 
special on the NATing host.  Thus both your NATing host and real host 
could be any OS with an IP stack that you want them to be.  The Linux 
bridge with EBTables could take care of this before the traffic reaches 
any system.  (More on this later.)

Note:  Some people would rather assign IP addresses to the physical 
bridge port, but I prefer to use the logical bridge interface.  It 
really is up to you.



Grant. . . .
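The bridge-plus-BROUTING setup described in the message above, written out as a shell script. This is an added example, not code from the original post or from the netfilter project. The interface names (eth0.10, eth0.20), the NATing host address (192.0.2.10/24, from TEST-NET-1), the real host's MAC (02:00:00:00:00:01, a locally administered address), the port (25) and the legacy ebtables command syntax are all assumptions; adjust them to your network. By default the script only prints the commands it would run (DRY_RUN=1); set DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Added example: bridge two VLAN ports, put the NATing host's IP on the bridge,
# and use the ebtables broute table to layer-2 DNAT one service to the real
# host while everything else is routed.  All values below are assumptions.

VLAN0=${VLAN0:-eth0.10}                   # assumed: VLAN of router + NATing host
VLAN1=${VLAN1:-eth0.20}                   # assumed: VLAN of the real host
BRIDGE=${BRIDGE:-bri0}
NAT_IP=${NAT_IP:-192.0.2.10/24}           # assumed NATing host address (TEST-NET-1)
REAL_MAC=${REAL_MAC:-02:00:00:00:00:01}   # assumed MAC of the real host
PROTO=${PROTO:-tcp}                       # IP protocol of the redirected service
DPORT=${DPORT:-25}                        # destination port of the redirected service
DRY_RUN=${DRY_RUN:-1}                     # 1 = print commands, 0 = execute them

# Print or execute a command, one command per output line in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Steps 1 and 2: create bri0 with both VLANs as ports and give the
# NATing host's address to the logical bridge interface.
build_bridge() {
    run ip link add name "$BRIDGE" type bridge
    run ip link set dev "$VLAN0" master "$BRIDGE"
    run ip link set dev "$VLAN1" master "$BRIDGE"
    run ip addr add "$NAT_IP" dev "$BRIDGE"
    for dev in "$VLAN0" "$VLAN1" "$BRIDGE"; do
        run ip link set dev "$dev" up
    done
}

# Steps 3, 4 and 6: BROUTING rules.  In the broute table ACCEPT means
# "bridge this frame" and DROP means "route it", not "discard it".
broute_rules() {
    run ebtables -t broute -F BROUTING
    # IP frames for the redirected service: rewrite the destination MAC to
    # the real host and bridge them on, so the IP header is left untouched.
    run ebtables -t broute -A BROUTING -p IPv4 \
        --ip-proto "$PROTO" --ip-dport "$DPORT" \
        -j dnat --to-destination "$REAL_MAC" --dnat-target ACCEPT
    # Everything else IPv4: redirect sets the destination MAC to the bridge
    # port's own MAC and DROP hands the frame to the local IP stack for routing.
    run ebtables -t broute -A BROUTING -p IPv4 -j redirect --redirect-target DROP
}

build_bridge
broute_rules
```

Step 5 of the message (the redirected IP bound on an interface of the real host) is done on the real host, not here. Note that the same frames also pass the bridge's nat and filter tables after BROUTING, so any ebtables or bridge-netfilter rules there still apply to the redirected traffic.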
