NAT with unique egress port

Rui Santos rsantos at ruisantos.com
Thu Oct 27 08:02:33 EDT 2016


Hi all,

I'm currently using NAT to provide basic address translation from
private to public IPs.

However, the Linux kernel uses both destination IP and port as part of
its NAT mapping process. This way (client1 and client2 are on the
same internal network):
- if client1 connects to server1 using source port X, the NAT will be
mapped: client1IP:SourcePortX -> server1IP:SourcePortX;
- if client2 then connects to server2 using source port X, the NAT
will be mapped: client2IP:SourcePortX -> server2IP:SourcePortX.
Basically, SourcePortX is used on both mappings for client1 and client2.

But, if client2 tries to connect to server1 instead, using the same
source port X, the NAT will be mapped: client2IP:SourcePortX ->
server2IP:SourcePortY
SourcePortY will be an available (randomly generated?) ephemeral port.

My goal is to force this behavior on all outgoing connections. This
way I would get a unique egress port mapping to an internal IP:Port in
a specific point in time:
- if client1 connects to server1 using source port X, the NAT will be
mapped: client1IP:SourcePortX -> server1IP:SourcePortX;
- if client2 then connects to server2 using source port X, the NAT
will be mapped: client2IP:SourcePortX -> server2IP:SourcePortY.
SourcePortY will be an available (randomly generated?) ephemeral port.

I am aware that this will imply a concurrent NAT connections limit,
equal to the ephemeral port range, per egress IP.

Is there any way I can accomplish this kind of behaviour?

Thanks for all your help,
-- 
Rui Santos
Veni, Vidi, Linux
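As an added example, not part of the post and not the kernel's actual allocator, the following Python model replays the flows the post describes under the two policies it contrasts: "tuple" mode reuses the client's source port as long as the full translated tuple (egress IP:port, server IP:port) is still free, which is the behaviour the post attributes to the kernel; "unique" mode hands out each egress port to at most one internal IP:port at a time, which is the behaviour the post asks for. The egress address 203.0.113.1, the client and server addresses, source port X = 32768 and a deliberately tiny four-port ephemeral range are all constructed values so the concurrent-connection limit the post anticipates shows up immediately. Whether netfilter can be configured to behave like "unique" mode is the open question of the post; the model only makes the two behaviours concrete.

```python
"""Model of the two SNAT port-allocation policies described in the post.

Added example: it simulates the behaviour the post attributes to Linux NAT
(source port reused while the full translated tuple is free) next to the
behaviour the post asks for (each egress port used by one internal IP:port
at a time) and shows the connection limit of the second policy.
"""
import random
from typing import Dict, Optional, Tuple

# Constructed parameters for the example (assumptions, not from the post).
EGRESS_IP = "203.0.113.1"               # one public egress address
EPHEMERAL_RANGE = range(32768, 32772)   # 4 ports, tiny on purpose to show exhaustion

FlowKey = Tuple[str, int, str, int]     # (client_ip, client_port, server_ip, server_port)


class SnatTable:
    """Minimal SNAT mapping table for a single egress IP."""

    def __init__(self, mode: str, seed: int = 0) -> None:
        if mode not in ("tuple", "unique"):
            raise ValueError("mode must be 'tuple' or 'unique'")
        self.mode = mode
        self.rng = random.Random(seed)  # stands in for the kernel's port choice
        self.mappings: Dict[FlowKey, int] = {}

    def _port_taken(self, egress_port: int, server_ip: str, server_port: int) -> bool:
        """Is egress_port unavailable for a new flow to server_ip:server_port?"""
        for (_, _, sip, sport), eport in self.mappings.items():
            if eport != egress_port:
                continue
            if self.mode == "unique":
                return True               # any existing user of this port blocks it
            if (sip, sport) == (server_ip, server_port):
                return True               # tuple mode: only a clash on the same server blocks
        return False

    def allocate(self, client_ip: str, client_port: int,
                 server_ip: str, server_port: int) -> Optional[int]:
        """Return the egress port for this flow, or None if none is free."""
        key: FlowKey = (client_ip, client_port, server_ip, server_port)
        if key in self.mappings:
            return self.mappings[key]     # existing flow keeps its mapping
        if not self._port_taken(client_port, server_ip, server_port):
            chosen = client_port          # keep the client's source port when possible
        else:
            free = [p for p in EPHEMERAL_RANGE
                    if not self._port_taken(p, server_ip, server_port)]
            if not free:
                return None               # no egress port left on EGRESS_IP
            chosen = self.rng.choice(free)
        self.mappings[key] = chosen
        return chosen

    def release(self, client_ip: str, client_port: int,
                server_ip: str, server_port: int) -> None:
        """Drop a flow's mapping, freeing its egress port."""
        self.mappings.pop((client_ip, client_port, server_ip, server_port), None)


def post_scenarios(mode: str) -> Dict[str, Optional[int]]:
    """Replay the three flows from the post, all with client source port X."""
    X = 32768
    nat = SnatTable(mode)
    return {
        "c1:X->s1": nat.allocate("10.0.0.1", X, "198.51.100.1", 443),
        "c2:X->s2": nat.allocate("10.0.0.2", X, "198.51.100.2", 443),
        "c2:X->s1": nat.allocate("10.0.0.2", X, "198.51.100.1", 443),
    }


def concurrent_capacity(mode: str, clients: int) -> int:
    """How many of `clients` hosts, each using source port X to its own
    server, obtain a mapping before allocation fails."""
    X = 32768
    nat = SnatTable(mode)
    ok = 0
    for i in range(clients):
        if nat.allocate(f"10.0.0.{i + 1}", X, f"198.51.100.{i + 1}", 443) is not None:
            ok += 1
    return ok


if __name__ == "__main__":
    for mode in ("tuple", "unique"):
        print(mode, post_scenarios(mode), "capacity:", concurrent_capacity(mode, 6))
```

In "tuple" mode the first two flows both keep port 32768 and only the third (same server as the first) gets a different port; in "unique" mode the second and third flows already get fresh ports, and six clients to six different servers exhaust the four-port range after four mappings, while "tuple" mode serves all six on the same port.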