From: Brian Austin - Standard Universal
Subject: Re: Anyone achieved BSD natd(8) compatibility with Linux netfilter or Solaris ipf - ie. single-address-on-same-interface bidirectional mapping to DMZ private subnet ?
Date: Sun, 17 May 2009 18:14:02 +1000
Message-ID: <4A0FC74A.4080503@standarduniversal.com.au>
In-Reply-To: <102f5c010905151710m7bf674e9s6abb5d36b8c4fcca@mail.gmail.com>
To: Jason Vas Dias
Cc: netfilter@vger.kernel.org

Hi,

this seems very simple; Google for source NAT, destination NAT and masquerade:
http://www.howtoforge.com/internet-connection-sharing-masquerading-on-linux

Port forwarding is also rather simple.

regards
Brian

Jason Vas Dias wrote:
> Hi -
>
> This is my first post to this list, so please excuse me if I miss something or
> if this is an inappropriate posting for this list.
>
> Question:
>
> I am trying to replace an ancient MacOSX box, whose natd(8) does a really
> great job of "Connection Sharing" - becoming a router for the "External
> Internet" to my local LAN subnet whose addresses it has provided with DHCP
> (192.168.2.2 - 4).
>
> So natd(8) maps the IP source address in packets originating from the local
> 192.168.2.{2,3,4} subnet that appear from the en0 interface to the external
> internet address given to the single interface en0 by my DSL modem, and sends
> such packets out on en0 with the destination address and port mapped back to
> natd's address and port on the external internet. natd(8) maintains a table
> of all such packets sent out to the external internet, such that when a
> response for such a packet is received, the destination IP address is mapped
> back to the original packet originator, and is then sent back out on en0 to
> the local DMZ subnet host that originated it, as in this diagram:
>
> MacOS Host:
>   single IP interface en0:
>     ipv4 address 192.168.2.1
>     ipv4 address 66.68.31.192 (assigned from DSL router)
>   natd:
>     listens on 66.68.31.192:natd
>   bootpd:
>     listens on 192.168.2.1:bootps
>
> DMZ hosts: 192.168.2.2, 192.168.2.3, 192.168.2.4
>
> All these hosts are connected to the same hub, whose uplink cable is
> connected to the DSL Router.
>
> natd(8) reads a raw socket to receive every packet that is received on
> interface en0. When a packet is received from a 192.168.2.x source address
> with a destination address that is not in subnet 192.168.2/24, it replaces
> the 192.168.2/24 address with 66.68.31.192, and the destination address and
> port with 66.68.31.192:natd, and sends the packet back out on en0; the DSL
> router sends such packets on to the external internet, and the external
> internet host sends responses back to 66.68.31.192:natd; natd can then use
> the packet identifiers it generated for the request packets to match the
> response packet (it could even use a separate port to receive response
> packets for each separate DMZ host, so the mapping becomes trivial).
>
> My question is: how can this be achieved with Linux netfilter or Solaris IP
> Filter / ipnat(4)? I have either a Solaris host or Linux host I can use for
> this job. The old MacOSX ppc32 host is too slow, and does not support more
> than two other hosts on the DMZ.
>
> What I don't understand from the netfilter / ipfilter documentation is
> precisely how a response from the external internet, with a destination IP +
> port on the gateway, is translated into a response for a DMZ host in the same
> way as natd does.
>
> I have looked at the open-source firestarter project, which can construct NAT
> rules to do this for a gateway host with two physical interfaces, but all my
> hosts have only one physical ethernet interface.
>
> Could anyone please explain how response packets can be routed back to the
> DMZ host with Linux netfilter or Solaris ipfilter rules?
>
> Thanks in advance,
> Jason.
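A netfilter rule set for the single-interface layout Jason describes, added here as an example and not part of either post; it assumes the Linux box's one interface is called eth0 and carries both 192.168.2.1 and the DSL-assigned 66.68.31.192, with the DMZ hosts in 192.168.2.0/24 (the addresses from the question). Reply packets need no rule of their own: conntrack records each translated flow and reverses the SNAT on the reply, which is netfilter's counterpart of natd's table.

```shell
#!/bin/sh
# Added example (not from the thread): NAT for the single-interface layout
# in Jason's question, using Linux netfilter. Assumed: the interface is
# "eth0" and carries both 192.168.2.1 and the DSL-assigned 66.68.31.192;
# the DMZ hosts are in 192.168.2.0/24. Replies need no rule of their own:
# conntrack records each SNAT'd flow and un-translates the reply (this is
# netfilter's counterpart of natd's table).
set -eu

IFACE="${IFACE:-eth0}"
LAN="${LAN:-192.168.2.0/24}"
PUBIP="${PUBIP:-66.68.31.192}"

# Emit the rule set as text so it can be reviewed (and checked without root).
# Arguments: iface lan_cidr public_ip
nat_rules() {
    iface="$1"; lan="$2"; pub="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# traffic enters and leaves on the same interface: don't send ICMP redirects to the DMZ hosts
sysctl -w net.ipv4.conf.$iface.send_redirects=0
# the interface carries two addresses, so name the public one explicitly instead of MASQUERADE
iptables -t nat -A POSTROUTING -o $iface -s $lan ! -d $lan -j SNAT --to-source $pub
iptables -P FORWARD DROP
iptables -A FORWARD -i $iface -o $iface -s $lan ! -d $lan -m conntrack --ctstate NEW -j ACCEPT
# replies (already un-SNAT'd by conntrack) and related ICMP errors come back through here
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Optional inbound port forward (Brian's "port forwarding"): publish one DMZ
# host's service on the public address. Arguments: iface public_ip proto port dmz_host
dnat_rule() {
    iface="$1"; pub="$2"; proto="$3"; port="$4"; host="$5"
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$iface" "$pub" "$proto" "$port" "$host" "$port"
    printf 'iptables -A FORWARD -i %s -d %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$iface" "$host" "$proto" "$port"
}

# With APPLY=1 as root the rules are executed; otherwise they are only shown.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    nat_rules "$IFACE" "$LAN" "$PUBIP" | sh -e
else
    nat_rules "$IFACE" "$LAN" "$PUBIP"
fi
```

Run it without APPLY to review the generated commands; the FORWARD chain defaults to DROP so only DMZ-initiated flows and their replies cross the box.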