Linux Netfilter discussions
From: "Jörg Harmuth" <harmuth@mnemon.de>
To: netfilter@lists.netfilter.org
Subject: Re: DNS and NAT
Date: Fri, 15 Jul 2005 10:53:17 +0200
Message-ID: <42D7797D.2050203@mnemon.de>
In-Reply-To: <BAY17-F66FBC4C2BEA443DA8F48A80D10@phx.gbl>

Suzana Lojic-Skoric wrote:

> I don't think proxy can help because it is just caching the web pages,
> it does not change the IP addresses. I'll check if tunneling can help,
> if not then I'll have to change iptables to inspect DNS answer and
> replace the IP in the payload.

No. Introducing a proxy at the right location is much more than just
caching web sites. It means significant changes to at least the IP
headers.

Whether a proxy helps you or not depends totally on where you place the
proxy. If you place it on the nat box (like primero said) or between
this nasty dropping box and the nat box, everything is probably fine.
The requests will then go to 10.x.x.x and the answers will originate
from 10.x.x.x. The e.g. google address of 216.239.39.99 is within the
*data* part of the 4th packet - not in the headers (headers are
src=10.y.y.y dst=10.x.x.x). As long as the nasty dropping box doesn't
scan the packets' payload for proxy requests and the like and drop them,
everything should work.

If, on the other hand, it is only possible to place the proxy between
the clients and this nasty dropping box, you're out of luck and a proxy
doesn't help at all. But as far as I understood - and you provided
information - you have access to the nat box. So, this should not be the
case.

BTW, would you please be so kind as to provide sufficient information
about your problem in the first posting (introducing this nasty box
changes the whole situation)? This way people who want to help you do
not have to feel like the "Oracle of Delphi" ;) Thanks.

Have a nice time,

Joerg