Linux Netfilter discussions
From: Francesco Ciocchetti <primero@fastwebnet.it>
To: netfilter@lists.netfilter.org
Subject: Re: DNS and NAT
Date: Fri, 15 Jul 2005 20:52:18 +0200
Message-ID: <42D805E2.4050004@fastwebnet.it>
In-Reply-To: <BAY17-F18542F2DB3D75F41B0487580D00@phx.gbl>

Suzana Lojic-Skoric wrote:

>
>
>> From: Jörg Harmuth <harmuth@mnemon.de>
>> To: netfilter@lists.netfilter.org
>> Subject: Re: DNS and NAT
>> Date: Fri, 15 Jul 2005 10:53:17 +0200
>>
>> Suzana Lojic-Skoric schrieb:
>>
>> > I don't think proxy can help because it is just caching the web pages,
>> > it does not change the IP addresses. I'll check if tunneling can help,
>> > if not then I'll have to change iptables to inspect DNS answer and
>> > replace the IP in the payload.
>>
>> No. Introducing a proxy at the right location is much more than just
>> caching web sites. It means significant changes to at least the IP
>> headers.
>>
>> Whether a proxy helps you or not depends totally on where you place the
>> proxy. If you place it on the nat box (like primero said) or between
>> this nasty dropping box and the nat box, everything is probably fine.
>> The requests will then go to 10.x.x.x and the answers will originate
>> from 10.x.x.x. The e.g. google address of 216.239.39.99 is within the
>> *data* part of the 4th packet - not in the headers (headers are
>> src=10.y.y.y dst=10.x.x.x). As long as the nasty dropping box doesn't
>> scan the packets payload for proxy requests and the like and drops them,
>> everything should work.
>
>
> I can put the proxy on the NAT machine.
> As I said, right now just with the NAT, if I send a DNS request for 
> the google.com from the client 10.0.0.1 behind the nasty dropping box, 
> it will go out through the nasty dropping box and the NAT gateway. NAT 
> will change its 10.x.x.x source and destination from 10.x.x.x to some 
> outside addresses e.g. 150.x.x.x. The DNS answer comes back to NAT, 
> its source and destination gets translated back to 10.x.x.x and 
> 10.0.0.1 destination, and the google address 216.239.39.99 is within 
> the *data* part. This goes fine through the nasty dropping box back to 
> the client 10.0.0.1. Client then takes the answer from the data part 
> of the message, which is 216.239.39.99 and tries to contact it. It 
> sends an HTTP message to destination 216.239.39.99. This gets dropped 
> on the nasty dropping box since it is not 10.x.x.x (This is what's 
> happening when you type in www.google.com in the browser on the client 
> 10.0.0.1).
> So the DNS request and answer can get through the internal network, 
> but what I need is to somehow replace the 216.239.39.99 that is 
> embedded in the DNS *data* with 10.z.z.z. Also my NAT needs to know 
> that 10.z.z.z is actually 216.239.39.99 to be able to translate it 
> for outside.
>
> Do you still think proxy can help?
>
With a *standard proxy* configured on the browser of client 10.0.0.1, 
your request for 216.239.39.99 will be in the payload of the proxy 
request, which has the IP address of your proxy machine in the destination 
address field of the network layer ... it should be good for your nasty 
dropping box.
From there the HTTP request will be managed by your proxy, which will 
answer your client with a connection completely inside the 10.x.x.x 
network.


bye
<f>
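The three packets discussed in this thread (the DNS reply, the direct HTTP connection to the resolved address, and the same request sent through a standard forward proxy) can be modelled to show where the public address actually sits. The following is an added example and not code from anyone in the thread; the proxy address 10.0.0.254:3128 and the DNS transaction ID are assumptions, the filter is a model of the "nasty dropping box" that only checks the IP destination against 10.0.0.0/8, and the DNS reply and HTTP request are constructed inline.

```python
import ipaddress
import struct
from urllib.parse import urlsplit

# Assumed addresses for the scenario in the thread: the client is 10.0.0.1,
# the proxy on the NAT box is assumed to be 10.0.0.254:3128, and the filter
# drops any packet whose IP destination is outside 10.0.0.0/8.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
CLIENT_IP = "10.0.0.1"
PROXY_IP, PROXY_PORT = "10.0.0.254", 3128
GOOGLE_IP = "216.239.39.99"


def dropping_box_allows(dst_ip: str) -> bool:
    """Model of the 'nasty dropping box': it looks only at the IP header."""
    return ipaddress.ip_address(dst_ip) in INTERNAL


def build_dns_a_reply(name: str, ip: str, txid: int = 0x1234) -> bytes:
    """Constructed DNS response: one question, one A record (RFC 1035 wire format)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    question = qname + struct.pack("!HH", 1, 1)                 # QTYPE A, QCLASS IN
    # answer: compression pointer to the qname at offset 12, type, class, ttl, rdlength
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    answer += ipaddress.ip_address(ip).packed                   # the address is payload
    return header + question + answer


def a_record_from_reply(payload: bytes) -> str:
    """Pull the IPv4 address out of the answer section (what the client's resolver does)."""
    off = 12                               # skip the fixed header
    while payload[off] != 0:               # skip the question name labels
        off += payload[off] + 1
    off += 1 + 4                           # root label + QTYPE/QCLASS
    # answer layout: name pointer (2), type (2), class (2), ttl (4), rdlength (2), rdata
    rdlength = struct.unpack("!H", payload[off + 10:off + 12])[0]
    rdata = payload[off + 12:off + 12 + rdlength]
    return str(ipaddress.ip_address(rdata))


def build_proxy_request(url: str) -> tuple:
    """Client side: an absolute-form request (RFC 7230 section 5.3.2) sent to the proxy.

    Returns the layer-3/4 destination the client actually connects to, plus the payload.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    payload = (f"GET {parts.scheme}://{parts.netloc}{path} HTTP/1.1\r\n"
               f"Host: {parts.netloc}\r\n\r\n").encode()
    return PROXY_IP, PROXY_PORT, payload


def origin_from_proxy_request(payload: bytes) -> tuple:
    """Proxy side: recover the origin server (host, port) from the request line."""
    request_line = payload.split(b"\r\n", 1)[0].decode()
    method, target, version = request_line.split(" ")
    parts = urlsplit(target)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("not an absolute-form http request")
    return parts.hostname, parts.port or 80


def simulate() -> dict:
    """Run the three packets from the thread through the dropping box."""
    results = {}
    # 1. DNS answer going back to the client: IP headers are 10.x -> 10.0.0.1,
    #    the public address only appears in the data part, so it passes.
    reply = build_dns_a_reply("www.google.com", GOOGLE_IP)
    results["dns_reply_passes"] = dropping_box_allows(CLIENT_IP)
    results["dns_answer"] = a_record_from_reply(reply)
    # 2. Client connects directly to the resolved address: dropped.
    results["direct_http_passes"] = dropping_box_allows(results["dns_answer"])
    # 3. Client sends the same request via the proxy on the NAT box: the
    #    destination is 10.0.0.254, the origin host only lives in the payload.
    dst_ip, dst_port, payload = build_proxy_request("http://www.google.com/search?q=nat")
    results["proxied_http_passes"] = dropping_box_allows(dst_ip)
    results["proxy_origin"] = origin_from_proxy_request(payload)
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The point the model makes explicit is the one Jörg and Francesco raise: a filter that only inspects the IP header passes the DNS reply and the proxied HTTP request, because in both cases the public address is payload, and drops the direct connection, where it is the header destination. Such a filter can still be defeated from the other direction (a box that also scans payloads for absolute-form request lines would catch the proxied request), which is the caveat in Jörg's message.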



Thread overview: 19+ messages
2005-07-13 17:10 DNS and NAT Suzana Lojic-Skoric
2005-07-14 13:29 ` Jörg Harmuth
2005-07-14 15:50   ` Suzana Lojic-Skoric
2005-07-14 16:00     ` primero
2005-07-14 20:33       ` Suzana Lojic-Skoric
2005-07-15  8:53         ` Jörg Harmuth
2005-07-15 16:30           ` Suzana Lojic-Skoric
2005-07-15 16:45             ` R. DuFresne
2005-07-15 17:04               ` Suzana Lojic-Skoric
2005-07-15 18:52             ` Francesco Ciocchetti [this message]
2005-07-15 19:10               ` Suzana Lojic-Skoric
2005-07-15 19:51               ` Suzana Lojic-Skoric
  -- strict thread matches above, loose matches on Subject: below --
2005-07-11 19:37 Suzana Lojic-Skoric
2005-07-11 19:41 ` Jason Opperisano
2005-07-11 20:33   ` Suzana Lojic-Skoric
2005-07-11 20:44     ` Jason Opperisano
2005-07-11 21:25     ` /dev/rob0
2005-07-11 21:36       ` Jan Engelhardt
2005-07-12  4:05     ` R. DuFresne
