NAT

To: debian-firewall@lists.debian.org
Subject: NAT
From: Ivan Shmakov <oneingray@gmail.com>
Date: Wed, 12 Aug 2009 06:54:06 +0700
Message-id: <8763ct52ld.fsf_-_@violet.siamics.int>
References: <87ocqn6a95.fsf@violet.siamics.int> <87fxbz56b7.fsf@violet.siamics.int> <d1b732a70908102133x2ee99743j3a9dece7a200ad18@mail.gmail.com> <87bpmm6hs9.fsf@violet.siamics.int> <4A8179EE.306@plouf.fr.eu.org> <87tz0e4dzt.fsf@violet.siamics.int> <4A819450.9080105@plouf.fr.eu.org> <87ljlq497r.fsf@violet.siamics.int> <4A81D57D.7060204@plouf.fr.eu.org>

>>>>> Pascal Hambourg <pascal.mail@plouf.fr.eu.org> writes:
>>>>> Ivan Shmakov a écrit :

[...]

 > Another example is when an interface gets a dynamic address and you
 > want to create a DNAT rule that matches only on that address :

 > iptables -t nat -A PREROUTING -d $PPP_LOCAL -p tcp --dport <port> \
 >     -j DNAT --to <server>:<port>

 > You cannot do that with a static ruleset.

	I'm not quite sure I'd like to do it with NAT, either.  Not
	that there's a lot of choice in this particular case.

	Going slightly off-topic here, about half a year ago I had a
	problem which I initially solved with DNAT.  The problem was to
	assign all of the hosts connected to one ``physical'' network
	the IPs ``belonging'' to the other:

    Network #1  |  10.x.y.R   | Network #2
    10.x.y.z/23 +-- My host --+ any IP network possible here
    (Ethernet)  |             | (uml_switch)
                              |
	                      +-- Host #1, 10.x.y.Z+1
	                      +-- Host #1, 10.x.y.Z+2
	                      |   ...
	                      +-- Host #1, 10.x.y.Z+n

	... Subject to the following constraints:

	* no hosts connected to the network to the left on the figure do
	  know that 10.x.y.R is actually a router;

	* the range to be assigned, 10.x.y.Z+1 .. 10.x.y.Z+n, is not
	  that of any subnet.

	Somehow, I thought that DNAT will solve the problem the most
	straightforward way.  I was wrong, it was proxy_arp that made
	the day.  (Yes, one may use a bridge, too, but since it wasn't a
	requirement to allow for the traffic other than ARP and IP to
	pass through, I've decided to spare it.)

	Anyway, IPv4 seems to die slowly.  The Internet Service Provider
	I connect through from home, for example, offers a
	gray-IP-plus-NAT access, which is barely the /Internet/ access
	(should I call it ``WWW access'' instead? oh no, they have
	BitTorrent in their advertisements, too) I need (no transport
	level protocols other than TCP and UDP, thus, e. g., no PPTP,
	though I'm not sure whether it's a drawback, no chance of ever
	setting up a globally-accessible server or a SIP-based VoIP, no
	6to4, nor even Teredo without a relay, add to it that this
	particular NAT forgets about the connections after a few seconds
	of no activity, etc.)

	Fortunately, IPv6 has no NAT.

-- 
FSF associate member #7257

Reply to:

Follow-Ups:
- Re: NAT
  - From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>

References:
- /etc/init.d/iptables
  - From: Ivan Shmakov <oneingray@gmail.com>
- Re: /etc/init.d/iptables
  - From: Ivan Shmakov <oneingray@gmail.com>
- Re: /etc/init.d/iptables
  - From: Jonathan Yu <jonathan.i.yu@gmail.com>
- Re: /etc/init.d/iptables
  - From: Ivan Shmakov <oneingray@gmail.com>
- Re: /etc/init.d/iptables
  - From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
- Re: /etc/init.d/iptables
  - From: Ivan Shmakov <oneingray@gmail.com>
- Re: /etc/init.d/iptables
  - From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
- Re: /etc/init.d/iptables
  - From: Ivan Shmakov <oneingray@gmail.com>
- Re: /etc/init.d/iptables
  - From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>

Prev by Date: Re: /etc/init.d/iptables
Next by Date: Re: NAT
Previous by thread: Re: /etc/init.d/iptables
Next by thread: Re: NAT
Index(es):
- Date
- Thread