From: Matin Tamizi
Subject: Re: Stateless NAT
Date: Thu, 28 Jul 2005 16:54:51 -0400
References: <9D532201-8173-474B-8281-1FA274AFC243@cuseeme.de>
Reply-To: Matin Tamizi
To: NetFilter
Cc: Dharanikanth Dugginni

On 7/28/05, Dharanikanth Dugginni wrote:
> Hello Matin,
>
> I saw a post from you about Stateless NAT in linux and you concluded
> saying you found some solution, I am trying to do something similar
> to that, would you mind sharing the approach you have taken??
>
> Thanks,
> -Dhar
>

I had a *real* special situation since I'm doing this just for a
testbed. I was able to get around stateless NAT by using ARP poisoning
to force a certain network topology. This approach will work but is
not scalable and not recommended.

IMHO, you have the following options:

1. Use a different firewall -- I'm sure you've heard this suggestion before.
2. Create a target module -- I couldn't figure out how to do this for
   a static NAT, so please let me know if you do
3. QUEUE the packets you want to NAT and use libipq to do the static NATing
4. ARP poisoning (spoofing)

Let me know if you want me to post more information about 3 or 4.

-Matin