Linux Netfilter discussions
From: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
To: Andrew Dunstan <andrew@dunslane.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: SNAT multiple address allocation, connection tracking
Date: Mon, 14 Jun 2004 20:13:06 -0400
Message-ID: <1087258386.2047.14.camel@localhost>
In-Reply-To: <40CE1F42.4030705@dunslane.net>

On Mon, 2004-06-14 at 17:57, Andrew Dunstan wrote:
> Hi,
> 
> I have this problem.
> 
> eth0 is internal network, eth1 is external network
> eth1 has a large set of additional virtual addresses
> 
> all connections go from internal to external
> 
> Third party app does this in fairly quick succession: telnet session, 
> close, ftp (non-passive), close, pop3 session, close.
> 
> The app needs each of these to get the same SNAT address (from the pool 
> of virtual addresses) on the external interface, because at the other 
> end some state is kept based on the IP address (crazy, I know, but true).
> 
> However, if another host uses the same address it in effect clobbers the 
> previous state, so each host (within some shortish period) needs to get 
> a different address from any other host.
> 
> My reading suggests that SNAT with a range does some sort of round robin 
> or LRU on a per connection basis, rather than reusing an address that 
> the same host recently used. Is this correct?
> 
> I can't nail the addresses up, because some will be DHCPd hosts from a 
> larger pool than I have available.
> 
> Can someone please suggest a combination of modules and rules that will 
> do what I need?
> 
> TIA
> 
> andrew

Ouch! That's a tough one.  If it were not for the address pool mismatch,
you could use the NETMAP patch.  The only thought that comes immediately
to mind is to move the application to some shared pool of virtual
servers.  That is, set up some number of terminal servers /thin client
hosts with addresses that are mapped one-to-one through NETMAP and have
users access the application through some thin client mechanism.

If the likelihood of simultaneous access is remote, I suppose one could
nail up all the addresses with one SNAT each (yuch!) even if there is
some duplication but I hate solutions where I know success is a matter
of probability and not predetermined based upon sound engineering!

I'll be curious to see what some of the more experienced folks with more
think time come up with short of writing some custom helper module -
John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 
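The two approaches raised in this exchange, one static SNAT rule per host and a one-to-one NETMAP block mapping, as an added example that is not part of the original thread. The script only generates the iptables commands as text so it can be reviewed before being applied; interface names follow the question (eth1 outside), and the host and address values are constructed documentation-range samples. The check that refuses a mapping in which two hosts share an external address is the one a practitioner wants here, because that is exactly the state-clobbering case the question describes.

```shell
#!/bin/sh
# Added example, not code from the thread: pin each internal host to a fixed
# external address so every connection from that host leaves eth1 with the
# same source, and reject a mapping that hands one address to two hosts.
# Interface name follows the question; all addresses below are constructed.

OUTSIDE_IF=eth1

# Constructed mapping: "<internal host> <external address>" per line.
HOST_MAP='192.168.1.10 203.0.113.10
192.168.1.11 203.0.113.11
192.168.1.12 203.0.113.12'

# Print any external address that appears more than once in a mapping.
# Output is empty when every host has an address of its own.
duplicate_externals() {
    printf '%s\n' "$1" | awk '{print $2}' | sort | uniq -d
}

# Emit one SNAT rule per host (as text, not executed). Returns 1 and emits
# nothing if two hosts share an external address, since a shared address is
# what clobbers the per-address state kept at the far end.
snat_rules() {
    map="$1"
    dups=$(duplicate_externals "$map")
    if [ -n "$dups" ]; then
        echo "error: external address used by more than one host: $dups" >&2
        return 1
    fi
    printf '%s\n' "$map" | while read -r inside outside; do
        [ -n "$inside" ] || continue
        printf 'iptables -t nat -A POSTROUTING -s %s/32 -o %s -j SNAT --to-source %s\n' \
            "$inside" "$OUTSIDE_IF" "$outside"
    done
}

# The NETMAP alternative from the reply: one rule maps a whole internal block
# onto an external block of the same size, keeping the host part, so each
# host always gets the same external address without a rule per host.
netmap_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j NETMAP --to %s\n' \
        "$1" "$OUTSIDE_IF" "$2"
}

snat_rules "$HOST_MAP"
netmap_rule 192.168.2.0/24 198.51.100.0/24
```

The per-host rules are the "nail up all the addresses with one SNAT each" option from the reply; the duplicate check is what separates it from the probabilistic version the reply objects to. NETMAP only fits when the internal and external blocks are the same size, which is the pool mismatch the reply points out for DHCP hosts.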
Thread overview: 2 messages
2004-06-14 21:57 SNAT multiple address allocation, connection tracking Andrew Dunstan
2004-06-15  0:13 ` John A. Sullivan III [this message]