Hello everybody,

I want to solve the following problem with Shorewall:

I have a computer with one NIC (eth0) with an internal IP address (10.1.x.x), which is supposed to accept connections from various clients (10.2.x.x) and redirect them to another IP address (10.3.x.x) with a different destination port.

For example:

The software on the client computer is told to connect to the Shorewall computer at port 10000. The Shorewall computer accepts the connection and does PAT and connects to 10.3.1.1 at port 20000. If the client connects to port 10001, the Shorewall computer should connect to 10.3.1.2 at port 20000 instead.

Is this feasible or is there a better way to tackle this?

Thanks for any help in advance.

Best regards,
Albert.
Albert Ulmer wrote:
> Hello everybody,
>
> I want to solve the following problem with Shorewall:
>
> I have a computer with one NIC (eth0) with an internal IP address
> (10.1.x.x), which is supposed to accept connections from various
> clients (10.2.x.x) and redirect them to another IP address (10.3.x.x)
> with a different destination port.
>
> For example:
>
> The software on the client computer is told to connect to the
> Shorewall computer at port 10000. The Shorewall computer accepts the
> connection and does PAT and connects to 10.3.1.1 at port 20000. If the
> client connects to port 10001, the Shorewall computer should connect
> to 10.3.1.2 at port 20000 instead.
>
>
> Is this feasible or is there a better way to tackle this?
>

I'm confused. It is my understanding that PAT alters the SOURCE IP address while you seem to want to redirect packets (you seem to want to alter the DESTINATION IP).

Netfilter can't duplicate the behavior of Cisco's PAT completely. The closest thing that Netfilter has is the SAME target. I've added support for SAME but it is not yet released (it's in CVS in the Shorewall2/ project). With 'SAME' and the 'nodst', behavior will be similar to PAT with the exception that once all external IP addresses have been assigned to internal hosts, wraparound occurs and the external addresses become shared between two or more internal systems.

SAME can also be used in place of DNAT in the rules file but it cannot be used to alter the destination port number.

So if you can be clearer about exactly what it is you are trying to do, maybe we can find a solution.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Albert Ulmer wrote:
>> Hello everybody,
>>
>> I want to solve the following problem with Shorewall:
>>
>> I have a computer with one NIC (eth0) with an internal IP address
>> (10.1.x.x), which is supposed to accept connections from various
>> clients (10.2.x.x) and redirect them to another IP address (10.3.x.x)
>> with a different destination port.
>>
>> For example:
>>
>> The software on the client computer is told to connect to the
>> Shorewall computer at port 10000. The Shorewall computer accepts the
>> connection and does PAT and connects to 10.3.1.1 at port 20000. If the
>> client connects to port 10001, the Shorewall computer should connect
>> to 10.3.1.2 at port 20000 instead.
>>
>>
>> Is this feasible or is there a better way to tackle this?
>>
>
> I'm confused. It is my understanding that PAT alters the SOURCE IP
> address while you seem to want to redirect packets (you seem to want to
> alter the DESTINATION IP).
>
> Netfilter can't duplicate the behavior of Cisco's PAT completely. The
> closest thing that Netfilter has is the SAME target. I've added support
> for SAME but it is not yet released (it's in CVS in the Shorewall2/
> project). With 'SAME' and the 'nodst', behavior will be similar to PAT
> with the exception that once all external IP addresses have been
> assigned to internal hosts, wraparound occurs and the external addresses
> become shared between two or more internal systems.
>
> SAME can also be used in place of DNAT in the rules file but it cannot
> be used to alter the destination port number.
>
> So if you can be clearer about exactly what it is you are trying to do,
> maybe we can find a solution.
>

Let me take a stab at this though. It may be that all you want is plain old DNAT. The following two rules will accomplish what you describe above _and only what you describe_:

    DNAT    loc    z:10.3.1.1:20000    tcp    10000    -    10.3.x.x
    DNAT    loc    z:10.3.1.2:20000    tcp    10001    -    10.3.x.x

Here 'z' is the zone for 10.3.1.0/24.

-Tom
Tom Eastep wrote:
> Tom Eastep wrote:
>> Albert Ulmer wrote:
>>> Hello everybody,
>>>
>>> I want to solve the following problem with Shorewall:
>>>
>>> I have a computer with one NIC (eth0) with an internal IP address
>>> (10.1.x.x), which is supposed to accept connections from various
>>> clients (10.2.x.x) and redirect them to another IP address (10.3.x.x)
>>> with a different destination port.
>>>
>>> For example:
>>>
>>> The software on the client computer is told to connect to the
>>> Shorewall computer at port 10000. The Shorewall computer accepts the
>>> connection and does PAT and connects to 10.3.1.1 at port 20000. If the
>>> client connects to port 10001, the Shorewall computer should connect
>>> to 10.3.1.2 at port 20000 instead.
>>>
>>>
>>> Is this feasible or is there a better way to tackle this?
>>>
>> I'm confused. It is my understanding that PAT alters the SOURCE IP
>> address while you seem to want to redirect packets (you seem to want to
>> alter the DESTINATION IP).
>>
>> Netfilter can't duplicate the behavior of Cisco's PAT completely. The
>> closest thing that Netfilter has is the SAME target. I've added support
>> for SAME but it is not yet released (it's in CVS in the Shorewall2/
>> project). With 'SAME' and the 'nodst', behavior will be similar to PAT
>> with the exception that once all external IP addresses have been
>> assigned to internal hosts, wraparound occurs and the external addresses
>> become shared between two or more internal systems.
>>
>> SAME can also be used in place of DNAT in the rules file but it cannot
>> be used to alter the destination port number.
>>
>> So if you can be clearer about exactly what it is you are trying to do,
>> maybe we can find a solution.
>>
>
> Let me take a stab at this though. It may be that all you want is plain
> old DNAT. The following two rules will accomplish what you describe
> above _and only what you describe_:
>
> DNAT    loc    z:10.3.1.1:20000    tcp    10000    -    10.3.x.x
> DNAT    loc    z:10.3.1.2:20000    tcp    10001    -    10.3.x.x
>

Sorry -- should have been:

    DNAT    loc    z:10.3.1.1:20000    tcp    10000    -    10.1.x.x
    DNAT    loc    z:10.3.1.2:20000    tcp    10001    -    10.1.x.x

-Tom
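To make concrete what Tom's corrected DNAT lines do at the netfilter level, here is an added example; it is not Shorewall's own code and was not posted in this thread. It parses rule lines in the Shorewall 2.x column order used above (ACTION SOURCE DEST PROTO DEST PORT SOURCE PORT ORIGINAL DEST), emits a simplified hand translation of the iptables nat and filter rules they stand for, and simulates the header rewrite on a sample connection. The firewall address 10.1.0.1 and the client 10.2.5.7 are constructed stand-ins for the thread's 10.1.x.x and 10.2.x.x placeholders, and real Shorewall generates considerably more (zone chains, state matches) than is shown here.

```python
"""Translate Shorewall 2.x rules-file DNAT lines into the netfilter rules they
stand for and simulate the rewrite. Added example for this thread, not
Shorewall's own code; the iptables output is a simplified hand translation."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Shorewall 2.x rules-file columns, as in Tom's lines:
#   ACTION  SOURCE  DEST  PROTO  DEST_PORT  SOURCE_PORT  ORIGINAL_DEST
# For DNAT, DEST is zone:address[:port]; ORIGINAL_DEST is the address the
# client actually connected to (the firewall's own eth0 address here).


@dataclass(frozen=True)
class DnatRule:
    source_zone: str
    dest_zone: str
    new_addr: str            # destination address after rewriting
    new_port: Optional[int]  # destination port after rewriting (None = unchanged)
    proto: str
    dport: int               # port the client connected to
    original_dest: str       # address the client connected to


def parse_dnat_rule(line: str) -> DnatRule:
    fields = line.split()
    if len(fields) != 7 or fields[0] != "DNAT":
        raise ValueError(f"expected a 7-column DNAT rule, got {line!r}")
    _, src, dest, proto, dport, sport, odest = fields
    parts = dest.split(":")
    if len(parts) not in (2, 3):
        raise ValueError("DNAT DEST must be zone:address[:port]")
    zone, addr = parts[0], parts[1]
    port = int(parts[2]) if len(parts) == 3 else None
    # Placeholders such as 10.3.x.x from the thread are rejected here; a real
    # rules file needs concrete addresses.
    ipaddress.ip_address(addr)
    ipaddress.ip_address(odest)
    if sport != "-":
        raise ValueError("SOURCE_PORT column not handled in this example")
    return DnatRule(src, zone, addr, port, proto, int(dport), odest)


def to_iptables(rule: DnatRule) -> List[str]:
    """Simplified equivalent: nat PREROUTING rewrite plus the FORWARD accept."""
    target = rule.new_addr if rule.new_port is None else f"{rule.new_addr}:{rule.new_port}"
    nat = (f"iptables -t nat -A PREROUTING -p {rule.proto} -d {rule.original_dest} "
           f"--dport {rule.dport} -j DNAT --to-destination {target}")
    # The filter table sees the packet after NAT, so it is matched on the
    # rewritten address and port, not on what the client connected to.
    fwd_port = rule.dport if rule.new_port is None else rule.new_port
    fwd = (f"iptables -A FORWARD -p {rule.proto} -d {rule.new_addr} "
           f"--dport {fwd_port} -j ACCEPT")
    return [nat, fwd]


Flow = Tuple[str, int, str, int]  # (saddr, sport, daddr, dport)


def apply_dnat(rules: List[DnatRule], flow: Flow, proto: str = "tcp") -> Flow:
    """Simulate PREROUTING: the first matching rule rewrites daddr/dport only."""
    saddr, sport, daddr, dport = flow
    for r in rules:
        if r.proto == proto and r.original_dest == daddr and r.dport == dport:
            new_port = dport if r.new_port is None else r.new_port
            return (saddr, sport, r.new_addr, new_port)
    return flow  # no rule matched: packet is untouched


# Constructed sample: Tom's corrected lines with 10.1.0.1 standing in for the
# firewall's 10.1.x.x address.
SAMPLE_RULES = [
    "DNAT loc z:10.3.1.1:20000 tcp 10000 - 10.1.0.1",
    "DNAT loc z:10.3.1.2:20000 tcp 10001 - 10.1.0.1",
]


def translate(lines: List[str]) -> List[str]:
    out: List[str] = []
    for line in lines:
        out.extend(to_iptables(parse_dnat_rule(line)))
    return out


if __name__ == "__main__":
    parsed = [parse_dnat_rule(l) for l in SAMPLE_RULES]
    for cmd in translate(SAMPLE_RULES):
        print(cmd)
    # A constructed client 10.2.5.7 connecting to port 10001 on the firewall:
    print(apply_dnat(parsed, ("10.2.5.7", 40000, "10.1.0.1", 10001)))
```

The simulation makes Tom's distinction visible: DNAT rewrites only the destination address and port, so the packet that reaches 10.3.1.2 still carries the client's 10.2.x.x source address. On a single-NIC box that means the 10.3.x.x hosts must route their replies back through the Shorewall host (or the host must also SNAT those connections); if a reply takes a direct path to the client it bypasses the NAT state and the connection never completes.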
On 4/21/05, Tom Eastep <teastep@shorewall.net> wrote:
> Albert Ulmer wrote:
> > Hello everybody,
> >
> > I want to solve the following problem with Shorewall:
> >
> > I have a computer with one NIC (eth0) with an internal IP address
> > (10.1.x.x), which is supposed to accept connections from various
> > clients (10.2.x.x) and redirect them to another IP address (10.3.x.x)
> > with a different destination port.
> >
> > For example:
> >
> > The software on the client computer is told to connect to the
> > Shorewall computer at port 10000. The Shorewall computer accepts the
> > connection and does PAT and connects to 10.3.1.1 at port 20000. If the
> > client connects to port 10001, the Shorewall computer should connect
> > to 10.3.1.2 at port 20000 instead.
> >
> >
> > Is this feasible or is there a better way to tackle this?
> >
>
> I'm confused. It is my understanding that PAT alters the SOURCE IP
> address while you seem to want to redirect packets (you seem to want to
> alter the DESTINATION IP).
>
> Netfilter can't duplicate the behavior of Cisco's PAT completely. The
> closest thing that Netfilter has is the SAME target. I've added support
> for SAME but it is not yet released (it's in CVS in the Shorewall2/
> project). With 'SAME' and the 'nodst', behavior will be similar to PAT
> with the exception that once all external IP addresses have been
> assigned to internal hosts, wraparound occurs and the external addresses
> become shared between two or more internal systems.
>
> SAME can also be used in place of DNAT in the rules file but it cannot
> be used to alter the destination port number.
>
> So if you can be clearer about exactly what it is you are trying to do,
> maybe we can find a solution.

Thanks for the effort everybody, but I found it to be more straightforward to implement it using the "redir" package that comes with Debian.

Best regards,
Albert.