Firewall Wizards mailing list archives

Re: NAT

From: Bennett Todd <bet () rahul net>
Date: Thu, 27 Apr 2000 17:02:49 -0400

2000-04-26-17:10:16 Paul D. Robertson:

On 24 Mar 2000, Alexandre A. Rodioukov wrote:

What i wanted to do is for outsiders to be able to access some
machines/services inside the network via real-IPs (machines by
themselves are assigned fake addresses).


I'm sure this is doable with Linux with some masquerading for the
internal to external connections and Masquerading or redirection
for the external to internal ones.


With ipfwadm (2.0.x kernels) and ipchains (2.2.x kernels), no, you can
only do Masquerading, not static NAT; there's no way to tell the
kernel to listen for connections on a particular ipaddr:port and
route them to a masqueraded machine. With netfilter (late 2.3.x
kernels, will be in 2.4 when it comes out) you can do this.

You could also proxy the connections and/or use a transport layer
tunnel like plug-gw and udprelay.


With current production Linux kernels that's the only way to tunnel
traffic back in to Masqueraded servers, and it works fine. There are
a _load_ of port-level proxies available. I recently did a skim of
the ones turned up by some searching on freshmeat, and produced a
little summary, which I append after my .sig.

-Bennett

Summary of various proxies from freshmeat, for the purpose of
simulating the effect of static NAT to reach masqueraded machines
behind a Linux ipchains firewall. These were all found on freshmeat.

aproxy is a port-forwarding proxy daemon written entirely in perl,
        and does not currently have support for binding to a
        specific interface. Also has a remote-admin network service
        it offers, where you can telnet to a configurable port and
        issue simple commands to reconfigure it. Ick.

delegate supports restricting the interface to bind to. It supports
        an almost infinite number of other things, too. It can do
        this job. It can do so much more that I'm not wildly fond
        of it, I'd rather see its functionality decomposed into an
        assortment of toolkits.

portfwd can bind to specific addresses. It seems to have a fairly
        elegant little config language, and yet it's as best I can
        tell just and solely a port forwarder. This one is a
        candidate, definitely.

proxy seems even simpler than portfwd, and can also specify a source
        port to bind to. Another candidate.

simpleproxy likewise looks like it'd do the job, and not obnoxiously
        much more.

tcpgate is too simple, doesn't allow specification of src addr to
        bind to. If there weren't already so many lovely
        alternatives, though, and we needed to code something to
        solve this problem, I might be tempted to start hacking on
        this one in preference to the others, because it's _so_
        small, and already has some appealing internal structure
        (separate networking library).

tcpproxy looks like another good choice.

tcpxd would have some appeal, since it's nearly nothing ---
        virtually all the distribution is GNU autoconf overhead, the
        actual program is teensy. No docs, even. But it's pretty
        clear from the help in the code that it doesn't support
        binding to a source addr. This would be another very
        attractive candidate for hacking on.

tinyproxy is a small and simple http-only proxy, with buffering and
        asynch dns resolver (using the GNU adns lib).

Attachment: _bin
Description:

Current thread:

NAT Alexandre A. Rodioukov (Apr 10)
- <Possible follow-ups>
- NAT Alexandre A. Rodioukov (Apr 10)
- RE: NAT sean . kelly (Apr 18)
- Re: NAT Paul D. Robertson (Apr 27)
  - Re: NAT Bennett Todd (Apr 28)
- Re: NAT carl (Apr 27)