netfilter-devel.vger.kernel.org archive mirror
From: Derek Ng <derek@rentec.com>
To: netfilter-devel@vger.kernel.org
Subject: destination NAT suggestion
Date: Wed, 7 Jan 2009 17:20:42 -0500
Message-ID: <200901071720.42864.derek@rentec.com>

Hello,

Currently, iptables has the following behavior:

1) Packet enters the incoming interface
2) Check the INPUT rules
3) Prerouting NAT check and perform source NAT
4) Check the FORWARD rules
5) Postrouting NAT check and perform destination NAT
6) Check the OUTPUT rules

The above flow has a limitation when performing the NAT.  SNAT can only be 
performed in the PREROUTING chain and DNAT can only be done in the POSTROUTING 
NAT chain.  It would be great if this limitation were removed.

Reasons:
1) Gain more control over the routing table
	a) The host's routing table would be cleaner, no matter what the destination 
networks are.
2) More flexible and more competitive
	a) Engineers can design cleaner and more secure Linux firewalls and be creative
	b) Easier for troubleshooting when the routing table is clean
	c) More competitive to Cisco IOS NAT features (Inside Global, Inside Local, 
Outside Local, Outside Global)

Scenario Example:
1) Assume the web servers IP addresses for yahoo and google as the following
	a) Yahoo: 10.10.10.1
	b) Google: 10.10.10.1
2) The firewall has three interfaces
	a) Inside LAN (172.16.0.0/24 network)
	b) Yahoo direct line (next hop IP is 192.168.1.1)
	c) Google direct line (next hop IP is 192.168.1.2)
3) iptables DNAT
	a) 172.16.1.1 > 10.10.10.1
	b) 172.16.1.2 > 10.10.10.1
4) Current Limitation
	a) Inside host tries to connect to Yahoo web server, 172.16.1.1.
	b) iptables receives the packet and performs the prerouting DNAT 172.16.1.1 > 
10.10.10.1
	c) Based on the 10.10.10.1 destination, the host will try to forward the 
packet based on the routing table, which can only point to 192.168.1.1 or 
192.168.1.2.
	d) Routing table.
		Either	1) 10.10.10.1 192.168.1.1 255.255.255.255 eth1
		or 		2) 10.10.10.1 192.168.1.2 255.255.255.255 eth2
5) Without the current limitation
	a) Inside host tries to connect to Yahoo web server, 172.16.1.1
	b) Host receives the packet and forwards it to the outside interface based on 
the routing table.
	c) iptables performs the postrouting DNAT before sending it out to the next 
hop 192.168.1.1, 172.16.1.1 > 10.10.10.1
	d) Routing table.
		172.16.1.1 192.168.1.1 255.255.255.255 eth1
		172.16.1.2 192.168.1.2 255.255.255.255 eth2

If you need further information, please feel free to contact me at 
631-246-7626 or email me at derek@rentec.com

Thank you very much!

Sincerely,
Derek Ng
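Editor's note, added example (not part of the original mail): a small model of the packet path in the scenario above, showing why a routing lookup that runs after the PREROUTING DNAT cannot tell the two flows apart once both map to 10.10.10.1, what the proposed post-routing DNAT would change, and how the same result is obtained in existing netfilter by setting a fwmark in the mangle PREROUTING chain (which runs before the nat DNAT) and selecting a routing table by mark. Addresses, next hops and interface names are the mail's; the mark numbers and per-mark tables are assumptions.

```python
# Model of the packet path in the mail's scenario (constructed example).
from ipaddress import ip_address, ip_network

# Static DNAT map from the mail: inside-facing address -> real server address.
DNAT = {"172.16.1.1": "10.10.10.1", "172.16.1.2": "10.10.10.1"}

# Routing tables as (prefix, next hop, interface). The main table can hold
# only one host route for 10.10.10.1, so here it is forced to pick eth1.
MAIN_TABLE = [("10.10.10.1/32", "192.168.1.1", "eth1")]
# Proposal in the mail: routes keyed on the pre-DNAT addresses.
PRE_DNAT_TABLE = [("172.16.1.1/32", "192.168.1.1", "eth1"),
                  ("172.16.1.2/32", "192.168.1.2", "eth2")]
# Policy-routing alternative (assumed mark numbers): one table per fwmark,
# as with "ip rule add fwmark N table N".
MARK_TABLES = {1: [("0.0.0.0/0", "192.168.1.1", "eth1")],
               2: [("0.0.0.0/0", "192.168.1.2", "eth2")]}
MARK_RULES = {"172.16.1.1": 1, "172.16.1.2": 2}  # set in mangle PREROUTING

def lookup(dst, table):
    """Longest-prefix match; returns (next_hop, iface) or None."""
    best = None
    for prefix, nh, dev in table:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh, dev)
    return best[1:] if best else None

def current_path(dst):
    """Order the mail complains about: PREROUTING DNAT, then the routing lookup."""
    dst = DNAT.get(dst, dst)
    return dst, lookup(dst, MAIN_TABLE)

def proposed_path(dst):
    """The mail's proposal: route on the original destination, DNAT afterwards."""
    route = lookup(dst, PRE_DNAT_TABLE)
    return DNAT.get(dst, dst), route

def fwmark_path(dst):
    """Existing workaround: mark before the nat DNAT, then route by mark."""
    mark = MARK_RULES.get(dst, 0)
    dst = DNAT.get(dst, dst)
    return dst, lookup(dst, MARK_TABLES.get(mark, MAIN_TABLE))

if __name__ == "__main__":
    for inside_dst in ("172.16.1.1", "172.16.1.2"):
        print(inside_dst, "current:", current_path(inside_dst),
              "proposed:", proposed_path(inside_dst),
              "fwmark:", fwmark_path(inside_dst))
```

Both the Google flow and the Yahoo flow leave the current model via eth1, while the proposed and fwmark models send 172.16.1.2 out via eth2.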
