[opensuse] Re: [Fwbuilder-discussion] Dual-homed NAT question
Whit Blauvelt wrote:
> > I'm not an expert here but so far as I'm aware there's nothing in the IP
> > packet which has information about which interface it arrived on. Without
> > that information it can not be routed predictably for the return journey.
>
> Think you're right. When it's being handled on just the firewall system, I
> believe it's the kernel's rp_filter that's enabling it to work. But that's
> lost when it goes on by DNAT. Thus the desire to use a port. There's _got_
> to be a way to implement the logic "if it comes from 192.168.1.xyz on port
> 24, route it out through interface X on port 22" - except iptables'
> limitation on outward port translation blocks the easy and obvious way.
>
> If I put a daemon on the firewall box, with my current setup it just works.
> Putting it on a separate system behind it though, I haven't found an
> appropriate way yet to have the firewall recognize which outgoing interface
> to use, to have it match the incoming.

As has been mentioned before, there is no way for the firewall/NAT to determine which port is to be used. The packets behind the firewall will have a destination address and the routing tables will determine which interface will be used. Unless there is a specific route for a given address, the default route will always be used. You're looking for something that's not possible. Perhaps you could run a proxy on the firewall instead.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
James Knott wrote:
> Whit Blauvelt wrote:
> > > I'm not an expert here but so far as I'm aware there's nothing in the IP
> > > packet which has information about which interface it arrived on. Without
> > > that information it can not be routed predictably for the return journey.
> >
> > Think you're right. When it's being handled on just the firewall system, I
> > believe it's the kernel's rp_filter that's enabling it to work. But that's
> > lost when it goes on by DNAT. Thus the desire to use a port. There's _got_
> > to be a way to implement the logic "if it comes from 192.168.1.xyz on port
> > 24, route it out through interface X on port 22" - except iptables'
> > limitation on outward port translation blocks the easy and obvious way.
> >
> > If I put a daemon on the firewall box, with my current setup it just works.
> > Putting it on a separate system behind it though, I haven't found an
> > appropriate way yet to have the firewall recognize which outgoing interface
> > to use, to have it match the incoming.
>
> As has been mentioned before, there is no way for the firewall/NAT to
> determine which port is to be used.

fwmark?

> The packets behind the firewall will have a destination address and the
> routing tables will determine which interface will be used. Unless there is
> a specific route for a given address, the default route will always be used.

It can be changed with ip rule and fwmark.

--
Per Jessen, Zürich (14.8°C)
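The fwmark plus ip rule approach Per points at, written out as an added example (not code from this thread): new connections entering the second uplink get a connection mark, the mark is restored onto the replies coming back from the DNAT target, and a policy rule sends marked packets through a routing table whose default route is that uplink. Because the mark rides on the conntrack entry rather than on a port number, the internal host can keep listening on port 22. Interface names, addresses, the mark value and the table number are assumptions.

```shell
#!/bin/sh
# Return-path steering for a dual-homed NAT box with iptables, CONNMARK,
# fwmark and ip rule. All names and addresses below are constructed.
WAN2_IF="eth2"            # second uplink (assumed interface name)
WAN2_GW="203.0.113.1"     # gateway on that uplink (documentation prefix)
MARK="0x2"                # fwmark meaning "this connection came in via WAN2"
TABLE="102"               # routing table consulted for marked packets
LAN_HOST="192.168.1.10"   # internal host that receives the DNAT
DPORT="22"                # service port, unchanged on both sides

# Print each command; set APPLY=1 to execute them instead (needs root).
emit() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

dual_homed_nat_rules() {
    # 0. Strict rp_filter would drop inbound packets on WAN2 whose reverse
    #    path (via the default uplink) is not WAN2; loose mode (2) avoids that.
    emit sysctl -w "net.ipv4.conf.${WAN2_IF}.rp_filter=2"
    # 1. Tag every new connection that arrives through WAN2.
    emit iptables -t mangle -A PREROUTING -i "$WAN2_IF" \
         -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    # 2. Forward the service to the internal host, same port on both ends.
    emit iptables -t nat -A PREROUTING -i "$WAN2_IF" -p tcp --dport "$DPORT" \
         -j DNAT --to-destination "${LAN_HOST}:${DPORT}"
    # 3. Replies from the internal host get the saved mark copied back onto
    #    the packet before the routing decision, which plain DNAT never does.
    emit iptables -t mangle -A PREROUTING -s "$LAN_HOST" \
         -j CONNMARK --restore-mark
    # 4. Marked packets use a table whose only default route is WAN2.
    emit ip rule add fwmark "$MARK" lookup "$TABLE"
    emit ip route add default via "$WAN2_GW" dev "$WAN2_IF" table "$TABLE"
}

dual_homed_nat_rules
```

Run without APPLY to review the generated rules; the reverse translation of the DNATed address is done by conntrack, so no extra SNAT rule is needed for the replies.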
participants (2): James Knott, Per Jessen