* Crazy portmap request
@ 2005-06-30 22:56 Gary W. Smith
  2005-07-03 14:02 ` Jan Engelhardt
  0 siblings, 1 reply; 4+ messages in thread
From: Gary W. Smith @ 2005-06-30 22:56 UTC (permalink / raw)
  To: netfilter

Hello, 

I have a new challenge of trying to map some IPs to a single IP but
with a static port.  Here is a sample.

Given 1 externally public IP I need to publish the entire internal class
C subnet worth of machines using their internal static IP address but
mapping them to different ports.

Each workstation has a TCP process running on a fixed port.  For all
intents and purposes let's say it's SMTP.  What I need to do, using the
single static IP address is map out a single port for each server behind
it.

So, given 10.99.0.x, we want something like this:

10.99.0.1:25 = 199.199.80.41:30001
10.99.0.2:25 = 199.199.80.41:30002
...
10.99.0.250:25 = 199.199.80.41:30250

Is there a simple way to do this?  Currently we have a pre/post routing
line per entry.  Is there a better way?

Thanks, 

Gary Smith




* Re: Crazy portmap request
  2005-06-30 22:56 Crazy portmap request Gary W. Smith
@ 2005-07-03 14:02 ` Jan Engelhardt
  2005-07-03 17:56   ` Gary W. Smith
  0 siblings, 1 reply; 4+ messages in thread
From: Jan Engelhardt @ 2005-07-03 14:02 UTC (permalink / raw)
  To: Gary W. Smith; +Cc: netfilter

>Hello, 
>
>I have a new challenge of trying to map some IPs to a single IP but
>with a static port.  Here is a sample.

You can't do that (at least at the same time). This is because:
What if the client-in-the-office makes two requests at the same time to the 
same service? (Classic example: SMB file sharing) Then you would have two 
distinct packets having the same single-IP-with-static-port on the source 
side, and IP-PORT on the destination side, e.g.

  client:1024  ->  fileserver:137
  client:1025  ->  fileserver:137

gets mapped to

  router:1999 -> fileserver:137
  router:1999 -> fileserver:137

and as you know, the uniqueness of a TCP connection is defined by the 
uniqueness of the tuple (srcip,srcport,dstip,dstport)

>Each workstation has a TCP process running on a fixed port.  For all
>intents and purposes let's say it's SMTP.  What I need to do, using the
>single static IP address is map out a single port for each server behind
>it.
>
>So, given 10.99.0.x, we want something like this:
>
>10.99.0.1:25 = 199.199.80.41:30001
>10.99.0.2:25 = 199.199.80.41:30002
>...
>10.99.0.250:25 = 199.199.80.41:30250
>
>Is there a simple way to do this?  Currently we have a pre/post routing
>line per entry.  Is there a better way?

Maybe I did not quite understand, but my first guess is -see above-.

For everything else, if it's only one connection at the same time,
  iptables -t nat -A POSTROUTING -s 10.99.0.1 -p tcp --sport 25 -j SNAT \
    --to-source 199.199.80.41:30001



Jan Engelhardt
--
| Gesellschaft fuer Wissenschaftliche Datenverarbeitung Goettingen,
| Am Fassberg, 37077 Goettingen, www.gwdg.de



* Re: Crazy portmap request
  2005-07-03 14:02 ` Jan Engelhardt
@ 2005-07-03 17:56   ` Gary W. Smith
  2005-07-05 13:01     ` Jan Engelhardt
  0 siblings, 1 reply; 4+ messages in thread
From: Gary W. Smith @ 2005-07-03 17:56 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter

I understand what you are saying for the purposes of outgoing connections.
What I am looking for is SNAT the external interface so I can connect to a
single, set port, on all 200 machines from an external workstation.

Basically, I'm at home right now and I should be able to walk 200 different
ports on the one static IP address and be able to access each of the 200
different machines at the remote office.  This is a simplified example.

The reality is, there are some 100+ servers running different SOAP objects
via a particular port on the end servers that we need to have accessible
from an external address.  We have a limited number of static IPs and don't
really want to waste 100 of them on individual servers.

It works with the rules individually, but it ends up being about 800 rules
in the file.  I was just hoping to trim it down a little.


* Re: Crazy portmap request
  2005-07-03 17:56   ` Gary W. Smith
@ 2005-07-05 13:01     ` Jan Engelhardt
  0 siblings, 0 replies; 4+ messages in thread
From: Jan Engelhardt @ 2005-07-05 13:01 UTC (permalink / raw)
  To: Gary W. Smith; +Cc: netfilter


>Basically, I'm at home right now and I should be able to walk 200 different
>ports on the one static IP address and be able to access each of the 200
>different machines at the remote office.  This is a simplified example.

So you've got a "frontend" node with a ton of DNAT entries. Fine.

>It works with the rules individually, but it ends up being about 800 rules
>in the file.  I was just hoping to trim it down a little.

You could possibly write yourself an enhanced DNAT that operates the way you
want, i.e.

  dstaddr = 123.45.67.89
  dstport = 8000-9000

DNAT to:

  dstaddr = 10.0.0.[s-port]
  dstport = 7000



Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/
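The range-to-host DNAT Jan sketches does not exist as a stock target, but the
800-line rule file Gary describes can be generated instead of hand-written.
The script below is an added example, not code from the thread: it emits
iptables-restore input mapping 199.199.80.41:(30000+N) to 10.99.0.N:25 for a
range of host octets, with a matching FORWARD accept limited to DNAT'd
connections. Variable names and the PORT_BASE/SVC_PORT split are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate the per-host DNAT rules
# described above as iptables-restore text. Nothing here touches the kernel;
# pipe the output into `iptables-restore -n` on the router to load it.
# Assumes the classic iptables tool; conntrack translates the replies, so no
# per-host SNAT rule is needed for the return direction.

EXT_IP="199.199.80.41"     # public address from the thread
INT_PREFIX="10.99.0"       # internal /24 from the thread
SVC_PORT="25"              # fixed service port on every workstation
PORT_BASE="30000"          # external port = PORT_BASE + host octet

# gen_nat_rules FIRST LAST: one DNAT rule per host octet in FIRST..LAST,
# plus a FORWARD rule that only admits connections the nat table translated.
gen_nat_rules() {
    first="$1"; last="$2"
    printf '%s\n' '*nat'
    n="$first"
    while [ "$n" -le "$last" ]; do
        printf '%s\n' "-A PREROUTING -d $EXT_IP -p tcp --dport $((PORT_BASE + n)) -j DNAT --to-destination $INT_PREFIX.$n:$SVC_PORT"
        n=$((n + 1))
    done
    printf '%s\n' 'COMMIT'
    printf '%s\n' '*filter'
    # Only traffic that went through the DNAT above reaches the service port;
    # everything else bound for the subnet stays under the existing FORWARD policy.
    printf '%s\n' "-A FORWARD -d $INT_PREFIX.0/24 -p tcp --dport $SVC_PORT -m conntrack --ctstate DNAT -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# count_dnat_rules FIRST LAST: how many DNAT lines were produced (sanity check
# before loading: should equal the number of hosts in the range).
count_dnat_rules() {
    gen_nat_rules "$1" "$2" | grep -c -- '-j DNAT'
}

# rule_for_host N: the single DNAT line for host N, handy when debugging one
# mapping without reading the whole file.
rule_for_host() {
    gen_nat_rules "$1" "$1" | grep -- '-j DNAT'
}
```

Running `gen_nat_rules 1 250 | iptables-restore -n` loads the mapping without
flushing unrelated chains; the rule count is the same as before, but it now
comes from four lines of configuration rather than a hand-maintained file.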


