NAT with unique egress port

Vinicius Tinti viniciustinti at gmail.com
Thu Oct 27 08:18:25 EDT 2016


On Thu, Oct 27, 2016 at 10:02 AM, Rui Santos <rsantos at ruisantos.com> wrote:

> Hi all,
>
> I'm currently using NAT to provide Basic address translation from
> private to public IP's.
>
> However, linux kernel uses both destination IP and Port as part of
> its NAT mapping process. This way (client1 and client2 are on the
> same internal network):
> - if client1 connects to server1 using source port X, the NAT will be
> mapped: client1IP:SourcePortX -> server1IP:SourcePortX;
> - if client2 then connects to server2 using source port X, the NAT
> will be mapped: client2IP:SourcePortX -> server2IP:SourcePortX.
> Basically, SourcePortX is used on both mappings for client1 and client2.
>
> But, if client2 tries to connect to server1 instead, using the same
> source port X, the NAT will be mapped: client2IP:SourcePortX ->
> server2IP:SourcePortY
> SourcePortY will be an available (randomly generated?) ephemeral port.
>
> My goal is to force this behavior on all outgoing connections. This
> way I would get a unique egress port mapping to an internal IP:Port in
> a specific point in time:
> - if client1 connects to server1 using source port X, the NAT will be
> mapped: client1IP:SourcePortX -> server1IP:SourcePortX;
> - if client2 then connects to server2 using source port X, the NAT
> will be mapped: client2IP:SourcePortX -> server2IP:SourcePortY.
> SourcePortY will be an available (randomly generated?) ephemeral port.
>
> I am aware that this will imply a concurrent NAT connections limit,
> equal to the ephemeral port range, per egress IP.
>
> Is there any way I can accomplish this kind of behaviour?
>

I believe that you should be asking that on #netfilter maillist.

AFAIK I think it is feasible to do (perhaps even without programming using
netfilter).


>
> Thanks for all your help,
> --
> Rui Santos
> Veni, Vidi, Linux
>
> _______________________________________________
> Kernelnewbies mailing list
> Kernelnewbies at kernelnewbies.org
> https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>



-- 
Simplicity is the ultimate sophistication
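The two mapping policies discussed in this thread, replayed as an added example (not code from the original mail or from the netfilter project). The model below is constructed for illustration only: `NatTable`, `Flow`, the egress address 198.51.100.1, the client and server addresses, and the small ephemeral range are all assumptions. With `unique_egress=False` the allocator only requires the translated tuple to be unique per destination, which reproduces the behaviour Rui describes (client2 reuses SourcePortX towards server2 but is moved to SourcePortY towards server1); with `unique_egress=True` an egress port belongs to at most one inside flow at a time, which yields the unique egress mapping he wants and, as he notes, caps concurrent flows at the size of the port range per egress IP.

```python
from dataclasses import dataclass
from itertools import chain
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One outgoing connection as seen on the inside of the NAT (constructed model)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    """Toy SNAT port allocator for a single egress IP (assumed model, not the kernel's code).

    unique_egress=False: a translated port must be unique per (port, dst_ip, dst_port),
    so two clients may share SourcePortX when they talk to different servers.
    unique_egress=True:  a translated port must be unique on its own, whatever the
    destination, so every egress port maps back to exactly one inside IP:port.
    """

    def __init__(self, egress_ip: str, ephemeral=range(32768, 61000), unique_egress=False):
        self.egress_ip = egress_ip
        self.ephemeral = ephemeral
        self.unique_egress = unique_egress
        self.mappings: Dict[Flow, int] = {}
        self._in_use: Set[tuple] = set()

    def _key(self, port: int, flow: Flow) -> tuple:
        # What has to be unique: the bare port, or the port plus the destination.
        return (port,) if self.unique_egress else (port, flow.dst_ip, flow.dst_port)

    def translate(self, flow: Flow) -> Tuple[str, int]:
        """Return (egress_ip, egress_port) for this flow, allocating a port if it is new."""
        if flow in self.mappings:
            return (self.egress_ip, self.mappings[flow])
        # Prefer the client's own source port when it does not collide; that is why
        # client1 in the post is mapped client1IP:X -> server1IP:X unchanged.
        for port in chain((flow.src_port,), self.ephemeral):
            key = self._key(port, flow)
            if key not in self._in_use:
                self._in_use.add(key)
                self.mappings[flow] = port
                return (self.egress_ip, port)
        raise RuntimeError("egress port range exhausted on %s" % self.egress_ip)

    def release(self, flow: Flow) -> None:
        """Connection closed (conntrack entry expired): free the port for reuse."""
        port = self.mappings.pop(flow)
        self._in_use.discard(self._key(port, flow))


def scenario_from_post(unique_egress: bool) -> List[int]:
    """Replay the three connections from the mail; returns the egress port chosen for each."""
    nat = NatTable("198.51.100.1", ephemeral=range(40001, 40010), unique_egress=unique_egress)
    client1_to_server1 = Flow("10.0.0.1", 40000, "203.0.113.10", 443)
    client2_to_server2 = Flow("10.0.0.2", 40000, "203.0.113.20", 443)
    client2_to_server1 = Flow("10.0.0.2", 40000, "203.0.113.10", 443)
    return [nat.translate(f)[1] for f in (client1_to_server1, client2_to_server2, client2_to_server1)]


def concurrent_capacity(unique_egress: bool, ephemeral=range(40001, 40004), limit: int = 100) -> int:
    """Open flows to distinct servers until allocation fails.

    Returns how many were admitted before the failure, or `limit` if none occurred
    within that many flows (the per-destination policy never collides here).
    """
    nat = NatTable("198.51.100.1", ephemeral=ephemeral, unique_egress=unique_egress)
    for n in range(limit):
        flow = Flow("10.0.0.%d" % (n + 1), 40001, "203.0.113.%d" % (n + 1), 443)
        try:
            nat.translate(flow)
        except RuntimeError:
            return n
    return limit


if __name__ == "__main__":
    print("per-destination uniqueness:", scenario_from_post(False))
    print("unique egress port:        ", scenario_from_post(True))
    print("concurrent flows with 3 ports, unique egress:", concurrent_capacity(True))
```

The default policy returns `[40000, 40000, 40001]`: the port is only reassigned when client2 reaches the same server as client1. The unique policy returns `[40000, 40001, 40002]`, and with three ephemeral ports it admits exactly three concurrent flows before failing, which is the connection-limit trade-off raised in the question. Real conntrack also has to reserve the reverse (reply) tuple and respects port-range rules for low ports; the model leaves that out.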

