NAT with unique egress port

Rui Santos rsantos at ruisantos.com
Thu Oct 27 08:58:22 EDT 2016


Hi Vinicius,

I will do that.
Thank you!

On Thu, Oct 27, 2016 at 1:18 PM, Vinicius Tinti <viniciustinti at gmail.com> wrote:
> On Thu, Oct 27, 2016 at 10:02 AM, Rui Santos <rsantos at ruisantos.com> wrote:
>>
>> Hi all,
>>
>> I'm currently using NAT to provide Basic address translation from
>> private to public IPs.
>>
>> However, linux kernel uses both destination IP and Port as part of
>> its NAT mapping process. This way (client1 and client2 are on the
>> same internal network):
>> - if client1 connects to server1 using source port X, the NAT will be
>> mapped: client1IP:SourcePortX -> server1IP:SourcePortX;
>> - if client2 then connects to server2 using source port X, the NAT
>> will be mapped: client2IP:SourcePortX -> server2IP:SourcePortX.
>> Basically, SourcePortX is used on both mappings for client1 and client2.
>>
>> But, if client2 tries to connect to server1 instead, using the same
>> source port X, the NAT will be mapped: client2IP:SourcePortX ->
>> server2IP:SourcePortY
>> SourcePortY will be an available (randomly generated?) ephemeral port.
>>
>> My goal is to force this behavior on all outgoing connections. This
>> way I would get a unique egress port mapping to an internal IP:Port in
>> a specific point in time:
>> - if client1 connects to server1 using source port X, the NAT will be
>> mapped: client1IP:SourcePortX -> server1IP:SourcePortX;
>> - if client2 then connects to server2 using source port X, the NAT
>> will be mapped: client2IP:SourcePortX -> server2IP:SourcePortY.
>> SourcePortY will be an available (randomly generated?) ephemeral port.
>>
>> I am aware that this will imply a concurrent NAT connections limit,
>> equal to the ephemeral port range, per egress IP.
>>
>> Is there any way I can accomplish this kind of behaviour?
>
>
> I believe that you should be asking that on #netfilter maillist.
>
> AFAIK I think it is feasible to do (perhaps even without programming using
> netfilter).
>
>>
>>
>> Thanks for all your help,
>> --
>> Rui Santos
>> Veni, Vidi, Linux
>>
>> _______________________________________________
>> Kernelnewbies mailing list
>> Kernelnewbies at kernelnewbies.org
>> https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>
>
>
>
> --
> Simplicity is the ultimate sophistication



-- 
Rui Santos
Veni, Vidi, Linux
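The two allocation rules discussed in this thread, as an added example that is not part of the original posts, of netfilter, or of the kernel. The behaviour Rui describes follows from conntrack checking whether a NAT tuple is already taken against the full reply tuple (egress IP:port plus destination IP:port and protocol), so an egress port only has to be unique per destination and the original source port is kept whenever it is free toward that destination. The SNAT/MASQUERADE `--random` and `--random-fully` options change which port is tried first, not that uniqueness rule, so they do not give one egress port per internal IP:port on their own. The model below contrasts the conntrack-style rule with an allocator keyed on the egress side only, which is what the question asks for, including the per-egress-IP concurrency cap that comes with it. All IPs, names and the port range are assumptions chosen for the example.

```python
"""Model of two source-NAT port allocation policies.

Constructed example for illustration; not code from the thread, from
netfilter or from the kernel. IPs, names and the port range are assumed.
"""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortExhausted(RuntimeError):
    """Raised when no free egress port is left for the requested flow."""


class _Allocator:
    def __init__(self, egress_ip, ports, seed=1):
        self.egress_ip = egress_ip
        self.ports = ports            # egress port range (assumed)
        self.rng = random.Random(seed)  # seeded so the example is repeatable

    def _probe(self, free):
        # Linear probe from a random offset, stopping at the first port
        # that satisfies the policy's own notion of "free".
        n = len(self.ports)
        start = self.rng.randrange(n)
        for i in range(n):
            p = self.ports[(start + i) % n]
            if free(p):
                return p
        raise PortExhausted(self.egress_ip)


class ConntrackStyleNat(_Allocator):
    """Egress port must be unique only within the full reply tuple
    (egress port, dst IP, dst port). The source port is kept whenever
    no flow to the *same* destination already uses it, so one egress
    port can serve several internal hosts talking to different servers.
    Simplified: the kept port is also required to lie in `ports`."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.reply = {}  # (egress_port, dst_ip, dst_port) -> (src_ip, src_port)

    def map(self, f):
        dst = (f.dst_ip, f.dst_port)
        if f.src_port in self.ports and (f.src_port,) + dst not in self.reply:
            port = f.src_port
        else:
            port = self._probe(lambda p: (p,) + dst not in self.reply)
        self.reply[(port,) + dst] = (f.src_ip, f.src_port)
        return (self.egress_ip, port)


class UniqueEgressNat(_Allocator):
    """One egress (IP, port) maps to exactly one internal (IP, port) at a
    time, regardless of destination. Concurrent flows per egress IP are
    therefore capped at len(ports), which is the limit Rui anticipates."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.in_use = {}  # egress_port -> (src_ip, src_port)

    def map(self, f):
        if f.src_port in self.ports and f.src_port not in self.in_use:
            port = f.src_port
        else:
            port = self._probe(lambda p: p not in self.in_use)
        self.in_use[port] = (f.src_ip, f.src_port)
        return (self.egress_ip, port)

    def release(self, port):
        # Flow ended: the egress port becomes available again.
        del self.in_use[port]


def demo(ports=range(40000, 40004)):
    """Replay the thread's scenario under both policies; returns egress ports."""
    gw = "198.51.100.1"  # assumed public egress IP
    flows = [
        Flow("10.0.0.1", 40000, "203.0.113.10", 443),  # client1 -> server1
        Flow("10.0.0.2", 40000, "203.0.113.20", 443),  # client2 -> server2
        Flow("10.0.0.2", 40000, "203.0.113.10", 443),  # client2 -> server1
    ]
    ct = ConntrackStyleNat(gw, ports)
    uq = UniqueEgressNat(gw, ports)
    return {"conntrack": [ct.map(f)[1] for f in flows],
            "unique": [uq.map(f)[1] for f in flows]}


def fill_until_exhausted(ports=range(40000, 40004)):
    """Open flows until the unique-egress allocator runs dry; returns the count."""
    uq = UniqueEgressNat("198.51.100.1", ports)
    count = 0
    try:
        while True:
            uq.map(Flow("10.0.0.%d" % (count % 250 + 1), 50000 + count,
                        "203.0.113.%d" % (count % 200 + 1), 443))
            count += 1
    except PortExhausted:
        return count


if __name__ == "__main__":
    print(demo())
    print("unique-egress flows before exhaustion:", fill_until_exhausted())
```

With the conntrack-style rule, client1 and client2 both come out on port 40000 because they talk to different servers, and only client2's second flow, toward server1, gets a new port; with the unique-egress rule every flow after the first gets its own port and the allocator refuses the flow that would exceed the size of the port range, which is the trade-off the question already anticipates.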


