<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Thu, Oct 27, 2016 at 10:02 AM, Rui Santos <span dir="ltr"><<a href="mailto:rsantos@ruisantos.com" target="_blank">rsantos@ruisantos.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
<br>
I'm currently using NAT to provide Basic address translation from<br>
private to public IPs.<br>
<br>
However, the Linux kernel uses both destination IP and port as part of<br>
its NAT mapping process. This way (client1 and client2 are on the<br>
same internal network):<br>
- if client1 connects to server1 using source port X, the NAT will be<br>
mapped: client1IP:SourcePortX -> server1IP:SourcePortX;<br>
- if client2 then connects to server2 using source port X, the NAT<br>
will be mapped: client2IP:SourcePortX -> server2IP:SourcePortX.<br>
Basically, SourcePortX is used on both mappings for client1 and client2.<br>
<br>
But, if client2 tries to connect to server1 instead, using the same<br>
source port X, the NAT will be mapped: client2IP:SourcePortX -><br>
server2IP:SourcePortY<br>
SourcePortY will be an available (randomly generated?) ephemeral port.<br>
<br>
My goal is to force this behavior on all outgoing connections. This<br>
way I would get a unique egress port mapping to an internal IP:Port at<br>
a specific point in time:<br>
- if client1 connects to server1 using source port X, the NAT will be<br>
mapped: client1IP:SourcePortX -> server1IP:SourcePortX;<br>
- if client2 then connects to server2 using source port X, the NAT<br>
will be mapped: client2IP:SourcePortX -> server2IP:SourcePortY.<br>
SourcePortY will be an available (randomly generated?) ephemeral port.<br>
<br>
I am aware that this will imply a concurrent NAT connections limit,<br>
equal to the ephemeral port range, per egress IP.<br>
<br>
Is there any way I can accomplish this kind of behaviour?<br></blockquote><div><br></div><div>I believe that you should be asking that on the #netfilter maillist.<br></div><div><br></div><div>AFAIK I think it is feasible to do (perhaps even without programming, using netfilter).<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Thanks for all your help,<br>
<span class="HOEnZb"><font color="#888888">--<br>
Rui Santos<br>
Veni, Vidi, Linux<br>
<br>
______________________________<wbr>_________________<br>
Kernelnewbies mailing list<br>
<a href="mailto:Kernelnewbies@kernelnewbies.org">Kernelnewbies@kernelnewbies.<wbr>org</a><br>
<a href="https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies" rel="noreferrer" target="_blank">https://lists.kernelnewbies.<wbr>org/mailman/listinfo/<wbr>kernelnewbies</a><br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Simplicity is the ultimate sophistication<br></div></div>
</div></div>
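<p>The two port-selection policies contrasted in the question, as an added example that is not part of the thread and not kernel or netfilter code: a small model in which the default policy keeps the client's source port unless the full egress tuple (egress port, destination IP, destination port) already exists, and the strict policy the poster asks for keeps the port unless that egress port is already in use on the egress IP at all, whichever destination. The kernel's real allocation logic is not reproduced here; only the mapping rules as described in the question are. The client and server addresses, the port X, the egress IP and the narrowed ephemeral range used to show exhaustion are all constructed values.</p>

```python
"""Model of the two NAT source-port policies discussed in the thread.
This is an added illustration, not netfilter code; addresses and ports
below are constructed for the demo."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    def __init__(self, egress_ip, ephemeral=(32768, 60999),
                 unique_per_egress_ip=False, seed=1):
        self.egress_ip = egress_ip
        self.lo, self.hi = ephemeral
        self.unique_per_egress_ip = unique_per_egress_ip
        self.rng = random.Random(seed)   # deterministic for the demo
        self.table = {}                  # Flow -> egress port

    def _free(self, port, flow):
        """Default policy: only the full tuple (port, dst) must be unique.
        Strict policy: the egress port itself must be unique on this IP."""
        for other, used in self.table.items():
            if used != port:
                continue
            if self.unique_per_egress_ip:
                return False
            if (other.dst_ip, other.dst_port) == (flow.dst_ip, flow.dst_port):
                return False
        return True

    def translate(self, flow):
        """Return the egress port for flow, allocating a mapping on first sight."""
        if flow in self.table:
            return self.table[flow]
        if self._free(flow.src_port, flow):
            port = flow.src_port              # source port preserved
        else:
            port = self._pick_ephemeral(flow)  # collision: choose another port
        self.table[flow] = port
        return port

    def _pick_ephemeral(self, flow):
        span = self.hi - self.lo + 1
        start = self.rng.randrange(span)
        for i in range(span):                 # random start, then linear probe
            port = self.lo + (start + i) % span
            if self._free(port, flow):
                return port
        raise RuntimeError("egress ports exhausted on %s" % self.egress_ip)

    def expire(self, flow):
        """Drop a mapping, freeing its egress port for later connections."""
        del self.table[flow]


# Constructed addresses for the scenarios in the question.
C1, C2 = "10.0.0.11", "10.0.0.12"
S1, S2 = "198.51.100.1", "198.51.100.2"
EGRESS = "203.0.113.1"
X = 40000


def kernel_default_policy():
    """client1:X->server1 keeps X, client2:X->server2 also gets X,
    client2:X->server1 collides with the first tuple and is remapped."""
    nat = Nat(EGRESS)
    a = nat.translate(Flow(C1, X, S1, 443))
    b = nat.translate(Flow(C2, X, S2, 443))
    c = nat.translate(Flow(C2, X, S1, 443))
    return a, b, c


def unique_egress_policy():
    """Strict policy: client2:X is remapped even though its destination differs."""
    nat = Nat(EGRESS, unique_per_egress_ip=True)
    a = nat.translate(Flow(C1, X, S1, 443))
    b = nat.translate(Flow(C2, X, S2, 443))
    return a, b


def exhaustion_demo(ephemeral=(50000, 50003)):
    """Strict policy with a tiny range: concurrent mappings are bounded by the
    range size (plus the one preserved port); expiring a flow frees a slot."""
    nat = Nat(EGRESS, ephemeral=ephemeral, unique_per_egress_ip=True)
    opened = 0
    try:
        for i in range(10):
            nat.translate(Flow("10.0.0.%d" % (10 + i), X, S1, 80))
            opened += 1
    except RuntimeError:
        pass
    nat.expire(Flow("10.0.0.10", X, S1, 80))
    reopened = nat.translate(Flow("10.0.0.99", X, S1, 80))
    return opened, reopened


if __name__ == "__main__":
    print("default:", kernel_default_policy())
    print("strict:", unique_egress_policy())
    print("exhaustion:", exhaustion_demo())
```

<p>The strict policy trades the kernel's tuple-level reuse for a hard cap on concurrent mappings per egress IP, which is the limit the question already anticipates; `exhaustion_demo` shows that cap being hit and then relieved once a mapping expires.</p>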