Forcing source port with NAT

Linux Netfilter discussions
 help / color / mirror / Atom feed

* Forcing source port with NAT
@ 2003-06-23 20:02 Jason White
  2003-06-23 21:44 ` Jason White
  0 siblings, 1 reply; 4+ messages in thread
From: Jason White @ 2003-06-23 20:02 UTC (permalink / raw)
  To: netfilter

Greetings,                                                                      
  I have an application, Zephyr Messaging Service, which uses a client          
application that sends out UDP packets on port 2104.  The Zephyr server         
will refuse packets from the client if the source address is not 2104.          
I want to run this application behind a NAT on one given machine.  I            
need a way to ensure that packets from this one machine with a source           
address of 2104 go through the NAT that they emerge on port 2104 of the         
external ip address.  To diagram a packet:                                      

[Intenal machine-10.0.0.2:2104] --> [NAT internal: 10.0.0.1] -->                
  [NAT external: 200.200.200.200: 2104] --> ///internet/// ...                  

Basically, I need to ensure that anything coming in on 200.200.200.200:2104     
goes to 10.0.0.2:2104 and anything going out from 10.0.0.2:2104 goes out        
200.200.200.200:2104.                                                           

I know how to map the external to internal, but internal to external            
isn't immediately obvious                                                       

Thanks,                                                                         
-Jason        

-- 
Jason White (jdw-netfilter@jdwhite.org)  http://www.jdwhite.org/~jdwhite
Jabber:jdwhite@jabber.org  IRC:irc.netbsd.org/{jdwhite,jdw}
AIM:jdwhite90125  Yahoo:jdwhite89  ICQ:9295078  MSN:jdwhite89@hotmail.com
GPG KeyID: 0x74CF850D/1F57 465A 1357 BA39 2BEF  5629 6E1C 2B20 74CF 850D

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Forcing source port with NAT
  2003-06-23 20:02 Forcing source port with NAT Jason White
@ 2003-06-23 21:44 ` Jason White
  0 siblings, 0 replies; 4+ messages in thread
From: Jason White @ 2003-06-23 21:44 UTC (permalink / raw)
  To: netfilter

On Mon, Jun 23, 2003 at 03:02PM -0500, Jason White wrote:
[...]
>Basically, I need to ensure that anything coming in on 200.200.200.200:2104
>goes to 10.0.0.2:2104 and anything going out from 10.0.0.2:2104 goes out
>200.200.200.200:2104.
[...]

  Answering my own post, the following worked:

iptables -t nat -A POSTROUTING -p udp -s 10.0.0.2 --sport 2104 -j SNAT
  --to 200.200.200.200:2104

-- 
Jason White (jdw-netfilter@jdwhite.org)  http://www.jdwhite.org/~jdwhite
Jabber:jdwhite@jabber.org  IRC:irc.netbsd.org/{jdwhite,jdw}
AIM:jdwhite90125  Yahoo:jdwhite89  ICQ:9295078  MSN:jdwhite89@hotmail.com
GPG KeyID: 0x74CF850D/1F57 465A 1357 BA39 2BEF  5629 6E1C 2B20 74CF 850D


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Forcing source port with NAT
@ 2003-06-23 19:54 Jason White
  2003-06-24 15:37 ` Ramin Dousti
  0 siblings, 1 reply; 4+ messages in thread
From: Jason White @ 2003-06-23 19:54 UTC (permalink / raw)
  To: netfilter

Greetings,
  I have an application, Zephyr Messaging Service, which uses a client
application that sends out UDP packets on port 2104.  The Zephyr server
will refuse packets from the client if the source address is not 2104.
I want to run this application behind a NAT on one given machine.  I
need a way to ensure that packets from this one machine with a source
address of 2104 go through the NAT that they emerge on port 2104 of the
external ip address.  To diagram a packet:

[Intenal machine-10.0.0.2:2104] --> [NAT internal: 10.0.0.1] -->
  [NAT external: 200.200.200.200: 2104] --> ///internet/// ...

Basically, I need to ensure that anything coming in on 200.200.200.200:2104
goes to 10.0.0.2:2104 and anything going out from 10.0.0.2:2104 goes out
200.200.200.200:2104.

I know how to map the external to internal, but internal to external
isn't immediately obvious

Thanks,
-Jason

-- 
Jason White (jdwhite@jdwhite.org)  http://www.jdwhite.org/~jdwhite
Jabber:jdwhite@jabber.org  IRC:irc.netbsd.org/{jdwhite,jdw}
AIM:jdwhite90125  Yahoo:jdwhite89  ICQ:9295078  MSN:jdwhite89@hotmail.com
GPG KeyID: 0x74CF850D/1F57 465A 1357 BA39 2BEF  5629 6E1C 2B20 74CF 850D

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Forcing source port with NAT
  2003-06-23 19:54 Jason White
@ 2003-06-24 15:37 ` Ramin Dousti
  0 siblings, 0 replies; 4+ messages in thread
From: Ramin Dousti @ 2003-06-24 15:37 UTC (permalink / raw)
  To: netfilter

On Mon, Jun 23, 2003 at 02:54:59PM -0500, Jason White wrote:

> Greetings,
>   I have an application, Zephyr Messaging Service, which uses a client
> application that sends out UDP packets on port 2104.  The Zephyr server
> will refuse packets from the client if the source address is not 2104.
> I want to run this application behind a NAT on one given machine.  I
> need a way to ensure that packets from this one machine with a source
> address of 2104 go through the NAT that they emerge on port 2104 of the
> external ip address.  To diagram a packet:
> 
> [Intenal machine-10.0.0.2:2104] --> [NAT internal: 10.0.0.1] -->
>   [NAT external: 200.200.200.200: 2104] --> ///internet/// ...
> 
> Basically, I need to ensure that anything coming in on 200.200.200.200:2104
> goes to 10.0.0.2:2104 and anything going out from 10.0.0.2:2104 goes out
> 200.200.200.200:2104.
> 
> I know how to map the external to internal, but internal to external
> isn't immediately obvious

For incoming:

iptables -t nat -A PREROUTING -i <ext-int> -p udp \
         --dport 2104 --sport 2104 \
         -s <external-Zephyr> -d 200.200.200.200  \
         -j DNAT 10.0.0.2:2104

For outgoing:

iptables -t nat -A POSTROUTING -o <ext-int> -p udp \
         --dport 2104 --sport 2104 \
         -s 10.0.0.2 -d <external-Zephyr>  \
         -j SNAT 200.200.200.200:2104

There is one small (or maybe not very small) point to note: Since this
setup has a symertic sport-dport for both incoming and outgoing initiations,
if the timeout of this conntrack has not been expired for a given conntrack,
the other direction of the packet flow (within the timeout window) would be
folded into the existing conntrack, which should be harmless, IMHO.

Ramin


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2003-06-24 15:37 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-06-23 20:02 Forcing source port with NAT Jason White
2003-06-23 21:44 ` Jason White
  -- strict thread matches above, loose matches on Subject: below --
2003-06-23 19:54 Jason White
2003-06-24 15:37 ` Ramin Dousti

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox