Thread: Layer (5,6,7) based NAT

Layer (5,6,7) based NAT
United States
2007-04-29 08:42:23
I am wondering whether this is possible. I have one port and one public IP address, let's say:

34.123.22.33:5615

If I connect using SSH I want to DNAT to port 22, if I connect using SSL I want to DNAT to port 443, if I connect using HTTP I want to DNAT to port 80.

Is this kind of upper layer protocol determination possible? If so, is netfilter the application to do it?

Re: Layer (5,6,7) based NAT
United States
2007-04-29 11:33:59
Adam

I was looking at this to solve another problem, but it may help you solve yours?

http://l7-filter.sourceforge.net/

Kirk
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On Sun, 2007-04-29 at 07:42 -0600, Adam wrote:
> I am wondering whether this is possible. I have one port and one public IP address, let's say:
>
> 34.123.22.33:5615
>
> If I connect using SSH I want to DNAT to port 22, if I connect using SSL I want to DNAT to port 443, if I connect using HTTP I want to DNAT to port 80.
>
> Is this kind of upper layer protocol determination possible? If so, is netfilter the application to do it?

Re: Layer (5,6,7) based NAT
Netherlands
2007-04-29 11:50:17
Adam wrote:
> I am wondering whether this is possible. I have one port and one public IP address, let's say:
>
> 34.123.22.33:5615
>
> If I connect using SSH I want to DNAT to port 22, if I connect using SSL I want to DNAT to port 443, if I connect using HTTP I want to DNAT to port 80.
>
> Is this kind of upper layer protocol determination possible? If so, is netfilter the application to do it?
>

No, this is not (easily) possible, and certainly not with iptables. The reason is that you need a complete three-way handshake before data starts flowing and you can determine what protocol is spoken. However, NAT must act on all packets, from the first. Besides, if you could start NATting at a certain point, the recipient would not see the three-way handshake, so you cannot connect to your final destination.

Your only hope is some kind of proxy. And if you find it, please let me know, I would be very interested as well.

HTH,
M4

Re: Layer (5,6,7) based NAT
Germany
2007-04-29 12:19:52
On Apr 29 2007 18:50, Martijn Lievaart wrote:
> Adam wrote:
>> I am wondering whether this is possible. I have one port and one public IP address, let's say:
>>
>> 34.123.22.33:5615
>>
>> If I connect using SSH I want to DNAT to port 22, if I connect using SSL I want to DNAT to port 443, if I connect using HTTP I want to DNAT to port 80.
>>
>> Is this kind of upper layer protocol determination possible? If so, is netfilter the application to do it?
>>
>
> No, this is not (easily) possible, and certainly not with iptables. The reason is that you need a complete three-way handshake before data starts flowing and you can determine what protocol is spoken. However, NAT must act on all packets, from the first. Besides, if you could start NATting at a certain point, the recipient would not see the three-way handshake, so you cannot connect to your final destination.
>
> Your only hope is some kind of proxy. And if you find it, please let me know, I would be very interested as well.

rinetd

Jan
--

Re: Layer (5,6,7) based NAT
Germany
2007-04-29 12:20:29
On Apr 29 2007 19:19, Jan Engelhardt wrote:
>>
>> Your only hope is some kind of proxy. And if you find it, please let me know, I would be very interested as well.
>
> rinetd

...with tproxy extension (that patch does not exist at this time, though.)

Jan
--
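Martijn's argument is that a packet-level NAT has to pick a destination on the very first SYN, before any application bytes exist to classify, while the follow-ups point at a user-space proxy (rinetd, ideally with a tproxy-style extension) as the workable route. The script below is an added illustration of such a proxy; it is not code from this thread, from rinetd, or from l7-filter. It listens on the single port 5615 from the question, completes the TCP handshake itself, reads the first bytes the client sends, and only then opens a fresh connection to port 22, 443 or 80. The backend addresses on 127.0.0.1 and the two-second peek timeout are assumptions. It also handles the two awkward cases a demultiplexer of this kind meets: an SSH client that waits for the server banner sends nothing, so a silent connection is treated as SSH once the timeout expires, and unrecognised first bytes are dropped rather than forwarded anywhere.

```python
import asyncio

LISTEN_PORT = 5615   # the single public port from the question
PEEK_TIMEOUT = 2.0   # assumed: seconds to wait for the client's first bytes

# Assumed: the three real services listen on the local host on their usual ports
BACKENDS = {
    "ssh": ("127.0.0.1", 22),
    "tls": ("127.0.0.1", 443),
    "http": ("127.0.0.1", 80),
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")


def classify_first_bytes(data: bytes) -> str:
    """Guess the application protocol from the first bytes a client sends.

    SSH clients send an identification string starting with "SSH-".
    A TLS client starts with a handshake record: content type 0x16 followed
    by a major version byte of 0x03 (SSL 3.0 / TLS 1.x).
    An HTTP client starts with a request line beginning with a method.
    Anything else is reported as unknown.
    """
    if data.startswith(b"SSH-"):
        return "ssh"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


async def pipe(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then close the writing side."""
    try:
        while True:
            chunk = await reader.read(65536)
            if not chunk:
                break
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()


async def handle_client(client_reader: asyncio.StreamReader,
                        client_writer: asyncio.StreamWriter) -> None:
    # Peek at the first bytes. A short read is fine: every signature above
    # needs at most 8 bytes, and whatever we consume is replayed to the backend.
    try:
        first = await asyncio.wait_for(client_reader.read(16), PEEK_TIMEOUT)
        proto = classify_first_bytes(first)
    except asyncio.TimeoutError:
        # Some SSH clients wait for the server banner before speaking,
        # so a client that stays silent is assumed to be SSH.
        first, proto = b"", "ssh"

    if proto == "unknown":
        client_writer.close()          # refuse rather than forward blindly
        return

    host, port = BACKENDS[proto]
    try:
        backend_reader, backend_writer = await asyncio.open_connection(host, port)
    except OSError:
        client_writer.close()          # backend down: fail closed
        return

    if first:
        backend_writer.write(first)    # replay the bytes consumed while peeking
        await backend_writer.drain()

    await asyncio.gather(
        pipe(client_reader, backend_writer),
        pipe(backend_reader, client_writer),
    )


async def main() -> None:
    server = await asyncio.start_server(handle_client, "0.0.0.0", LISTEN_PORT)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Because the proxy terminates the client's TCP connection and opens its own to the backend, the backend sees the proxy's address rather than the client's; that is exactly the gap Jan's tproxy remark is about, so record the peer address at the proxy if you need it for audit. The classifier only inspects bytes the client volunteers and never sends probe data of its own, which is why the silent-client case needs the timeout rule instead.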