* Forcing source port with NAT
@ 2003-06-23 19:54 Jason White
From: Jason White @ 2003-06-23 19:54 UTC (permalink / raw)
To: netfilter
Greetings,
I have an application, Zephyr Messaging Service, which uses a client
application that sends out UDP packets on port 2104. The Zephyr server
will refuse packets from the client if the source address is not 2104.
I want to run this application behind a NAT on one given machine. I
need a way to ensure that packets from this one machine with a source
address of 2104 go through the NAT that they emerge on port 2104 of the
external ip address. To diagram a packet:
[Internal machine-10.0.0.2:2104] --> [NAT internal: 10.0.0.1] -->
[NAT external: 200.200.200.200:2104] --> ///internet/// ...
Basically, I need to ensure that anything coming in on 200.200.200.200:2104
goes to 10.0.0.2:2104 and anything going out from 10.0.0.2:2104 goes out
200.200.200.200:2104.
I know how to map the external to internal, but internal to external
isn't immediately obvious.
Thanks,
-Jason
--
Jason White (jdwhite@jdwhite.org) http://www.jdwhite.org/~jdwhite
Jabber:jdwhite@jabber.org IRC:irc.netbsd.org/{jdwhite,jdw}
AIM:jdwhite90125 Yahoo:jdwhite89 ICQ:9295078 MSN:jdwhite89@hotmail.com
GPG KeyID: 0x74CF850D/1F57 465A 1357 BA39 2BEF 5629 6E1C 2B20 74CF 850D
* Forcing source port with NAT
@ 2003-06-23 20:02 Jason White
From: Jason White @ 2003-06-23 20:02 UTC (permalink / raw)
To: netfilter
Greetings,
I have an application, Zephyr Messaging Service, which uses a client
application that sends out UDP packets on port 2104. The Zephyr server
will refuse packets from the client if the source address is not 2104.
I want to run this application behind a NAT on one given machine. I
need a way to ensure that packets from this one machine with a source
address of 2104 go through the NAT that they emerge on port 2104 of the
external ip address. To diagram a packet:
[Internal machine-10.0.0.2:2104] --> [NAT internal: 10.0.0.1] -->
[NAT external: 200.200.200.200:2104] --> ///internet/// ...
Basically, I need to ensure that anything coming in on 200.200.200.200:2104
goes to 10.0.0.2:2104 and anything going out from 10.0.0.2:2104 goes out
200.200.200.200:2104.
I know how to map the external to internal, but internal to external
isn't immediately obvious.
Thanks,
-Jason
--
Jason White (jdw-netfilter@jdwhite.org) http://www.jdwhite.org/~jdwhite
Jabber:jdwhite@jabber.org IRC:irc.netbsd.org/{jdwhite,jdw}
AIM:jdwhite90125 Yahoo:jdwhite89 ICQ:9295078 MSN:jdwhite89@hotmail.com
GPG KeyID: 0x74CF850D/1F57 465A 1357 BA39 2BEF 5629 6E1C 2B20 74CF 850D
* Re: Forcing source port with NAT
@ 2003-06-23 21:44 ` Jason White
From: Jason White @ 2003-06-23 21:44 UTC (permalink / raw)
To: netfilter
On Mon, Jun 23, 2003 at 03:02PM -0500, Jason White wrote:
[...]
>Basically, I need to ensure that anything coming in on 200.200.200.200:2104
>goes to 10.0.0.2:2104 and anything going out from 10.0.0.2:2104 goes out
>200.200.200.200:2104.
[...]
Answering my own post, the following worked:
iptables -t nat -A POSTROUTING -p udp -s 10.0.0.2 --sport 2104 -j SNAT
--to 200.200.200.200:2104
--
Jason White (jdw-netfilter@jdwhite.org) http://www.jdwhite.org/~jdwhite
Jabber:jdwhite@jabber.org IRC:irc.netbsd.org/{jdwhite,jdw}
AIM:jdwhite90125 Yahoo:jdwhite89 ICQ:9295078 MSN:jdwhite89@hotmail.com
GPG KeyID: 0x74CF850D/1F57 465A 1357 BA39 2BEF 5629 6E1C 2B20 74CF 850D
* Re: Forcing source port with NAT
@ 2003-06-24 15:37 ` Ramin Dousti
From: Ramin Dousti @ 2003-06-24 15:37 UTC (permalink / raw)
To: netfilter
On Mon, Jun 23, 2003 at 02:54:59PM -0500, Jason White wrote:
> Greetings,
> I have an application, Zephyr Messaging Service, which uses a client
> application that sends out UDP packets on port 2104. The Zephyr server
> will refuse packets from the client if the source address is not 2104.
> I want to run this application behind a NAT on one given machine. I
> need a way to ensure that packets from this one machine with a source
> address of 2104 go through the NAT that they emerge on port 2104 of the
> external ip address. To diagram a packet:
>
> [Internal machine-10.0.0.2:2104] --> [NAT internal: 10.0.0.1] -->
> [NAT external: 200.200.200.200:2104] --> ///internet/// ...
>
> Basically, I need to ensure that anything coming in on 200.200.200.200:2104
> goes to 10.0.0.2:2104 and anything going out from 10.0.0.2:2104 goes out
> 200.200.200.200:2104.
>
> I know how to map the external to internal, but internal to external
> isn't immediately obvious.
For incoming:
iptables -t nat -A PREROUTING -i <ext-int> -p udp \
--dport 2104 --sport 2104 \
-s <external-Zephyr> -d 200.200.200.200 \
-j DNAT --to-destination 10.0.0.2:2104
For outgoing:
iptables -t nat -A POSTROUTING -o <ext-int> -p udp \
--dport 2104 --sport 2104 \
-s 10.0.0.2 -d <external-Zephyr> \
-j SNAT --to-source 200.200.200.200:2104
There is one small (or maybe not very small) point to note: Since this
setup has a symmetric sport-dport for both incoming and outgoing initiations,
if the timeout of this conntrack has not expired for a given conntrack,
the other direction of the packet flow (within the timeout window) would be
folded into the existing conntrack, which should be harmless, IMHO.
Ramin
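The conntrack "folding" Ramin describes above, and the SNAT/DNAT pair that both his reply and Jason's self-answer set up, can be checked on a toy model. The block below is an added example, not netfilter code and not anything from the thread: it models only the 5-tuple, the two rules from this thread, and a UDP idle timeout. The server address 198.51.100.7 stands in for `<external-Zephyr>`, and the 30-second timeout is an assumed value, not netfilter's default. It shows that a server-initiated packet arriving while the client's outgoing flow is still tracked is translated by the existing entry's reverse mapping rather than by the DNAT rule, and that after the timeout the DNAT rule produces the same destination, which is why the folding is harmless here.

```python
"""Toy model of the Zephyr NAT setup from the thread: two static rules plus a
conntrack table. Constructed illustration only, not netfilter's implementation."""
from dataclasses import dataclass

EXT_IP = "200.200.200.200"       # NAT external address (from the thread)
INT_IP = "10.0.0.2"              # Zephyr client behind the NAT (from the thread)
ZEPHYR_SERVER = "198.51.100.7"   # constructed placeholder for <external-Zephyr>
PORT = 2104
UDP_TIMEOUT = 30.0               # seconds; assumed value, not netfilter's default


@dataclass(frozen=True)
class Tuple5:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Tuple5":
        return Tuple5(self.dst, self.dport, self.src, self.sport)


@dataclass
class Conntrack:
    original: Tuple5   # first packet as it arrived, before NAT
    reply: Tuple5      # what a reply looks like as it arrives, before NAT
    last_seen: float


class NatBox:
    """Minimal NAT: the PREROUTING DNAT and POSTROUTING SNAT rules from the
    thread, plus a conntrack table keyed on both directions of each flow."""

    def __init__(self) -> None:
        self.entries = []

    def _find(self, pkt: Tuple5, now: float):
        # Drop idle entries first, then match the packet in either direction.
        self.entries = [e for e in self.entries if now - e.last_seen < UDP_TIMEOUT]
        for e in self.entries:
            if pkt == e.original:
                return e, "original"
            if pkt == e.reply:
                return e, "reply"
        return None, None

    def _apply_rules(self, pkt: Tuple5, direction: str) -> Tuple5:
        # PREROUTING DNAT: server:2104 -> EXT_IP:2104 is rewritten to INT_IP:2104.
        if (direction == "in" and pkt.src == ZEPHYR_SERVER and pkt.sport == PORT
                and pkt.dst == EXT_IP and pkt.dport == PORT):
            return Tuple5(pkt.src, pkt.sport, INT_IP, PORT)
        # POSTROUTING SNAT: INT_IP:2104 -> server:2104 leaves as EXT_IP:2104.
        if (direction == "out" and pkt.src == INT_IP and pkt.sport == PORT
                and pkt.dst == ZEPHYR_SERVER and pkt.dport == PORT):
            return Tuple5(EXT_IP, PORT, pkt.dst, pkt.dport)
        return pkt  # no rule matched: the packet passes untranslated

    def process(self, pkt: Tuple5, direction: str, now: float):
        """Return (translated packet, 'existing' or 'new' conntrack entry)."""
        entry, side = self._find(pkt, now)
        if entry is not None:
            entry.last_seen = now
            # Original-side packets keep the first packet's mapping; reply-side
            # packets get the reverse of it. The NAT rules are not consulted.
            if side == "original":
                return entry.reply.reverse(), "existing"
            return entry.original.reverse(), "existing"
        translated = self._apply_rules(pkt, direction)
        self.entries.append(Conntrack(pkt, translated.reverse(), now))
        return translated, "new"


def demo():
    """Client sends first, server answers inside the window, then again after it."""
    box = NatBox()
    outgoing = Tuple5(INT_IP, PORT, ZEPHYR_SERVER, PORT)
    incoming = Tuple5(ZEPHYR_SERVER, PORT, EXT_IP, PORT)
    r1 = box.process(outgoing, "out", now=0.0)    # SNAT rule, new entry
    r2 = box.process(incoming, "in", now=5.0)     # folded into that entry
    r3 = box.process(incoming, "in", now=100.0)   # entry expired: DNAT rule, new entry
    return r1, r2, r3


if __name__ == "__main__":
    for pkt, how in demo():
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  ({how} conntrack)")
```

Both the folded and the fresh incoming packet end up at 10.0.0.2:2104, which is the property the thread cares about; the model would show a difference only if the two rules mapped to different internal endpoints.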