NAT and Routing question

From: Emre Bastuz (info_at_emre.de)
Date: 04/15/04

    Date: Thu, 15 Apr 2004 14:45:46 +0200
    To: freebsd-isp@FreeBSD.ORG
    
    

    Hi,

    it seems I'm stuck here due to a NAT/Routing issue.

    For building a forced proxy I am trying to do the following:

    PC -> [Interface A -> redirect to 127.0.0.1, port 80 -> Interface B (default
    gateway)] -> PC

    1. User on PC opens browser to connect to an arbitrary site
    2. the request enters the proxy machine on interface "A"
    3. an ipf/ipnat redirection rule "rdr InterfaceA 0/0 port 80 -> 127.0.0.1/32
    port 80 tcp" does the redirection
    4. the local Apache picks the appropriate page
    5. the translation/redirection from 3 is being reversed
    6. the answer is sent out on interface "B" with the original source address and
       the original destination address but with the payload from the proxy

    Everything works up to point 4 - but the answer never reaches the requesting
    PC. It seems that the NAT can not be reverted when the answers are being sent
    out on a different interface than they arrived on. Seems the state is not only
    being kept in terms of source ip:source port/destination ip:destination port
    but also interface-wise.

    Might this be the reason?

    If I enter a hostroute to send the answer to the requests out to InterfaceA
    instead of InterfaceB, everything works. The point is, I do not want to enter
    routes back to the "PCs" as this would be time consuming. I'd prefer having
    everything sent out on the default gateway.

    Any help/hint will be appreciated.

    TIA,

    Emre

    --
    I don't see why some people even HAVE cars. -- Calvin
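As an added illustration (not from the post or from IPFilter itself), the toy model below reproduces the failure mode the poster describes: NAT state for the rdr rule keyed on the arrival interface as well as the 5-tuple, so a reply routed out a second interface finds no state to reverse. The rule, interface names and addresses are constructed sample values, and `iface_bound` is a model switch, not an ipnat option.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class RdrNat:
    """Toy model of 'rdr <iface> 0/0 port <port> -> <to>/32 port <toport> tcp'.
    iface_bound=True keys NAT state on the interface as well as the flow (the
    behaviour the post suspects); False keys it on the flow alone."""
    def __init__(self, iface, port, to, toport, iface_bound=True):
        self.iface, self.port, self.to, self.toport = iface, port, to, toport
        self.iface_bound = iface_bound
        self.state = {}  # key -> (original dst, original dport)

    def _key(self, iface, flow):
        return ((iface,) if self.iface_bound else ()) + flow

    def inbound(self, iface, pkt):
        """Packet arriving on iface: apply the rdr rule and record state."""
        if iface != self.iface or pkt.dport != self.port:
            return pkt  # rule does not match; packet passes unchanged
        # State is stored under the flow the reply will carry: proxy -> client.
        reply_flow = (self.to, self.toport, pkt.src, pkt.sport)
        self.state[self._key(iface, reply_flow)] = (pkt.dst, pkt.dport)
        return replace(pkt, dst=self.to, dport=self.toport)

    def outbound(self, iface, pkt):
        """Reply leaving on iface: undo the rdr if matching state exists."""
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        orig = self.state.get(self._key(iface, flow))
        if orig is None:
            return pkt, False  # no state on this interface: reply leaves untranslated
        return replace(pkt, src=orig[0], sport=orig[1]), True

def reply_reaches_client(reply_iface, iface_bound=True):
    """Client request enters on 'A'; the proxy's reply leaves on reply_iface.
    True if the reply carries the original site's address, i.e. the client
    will accept it. Addresses are constructed sample values."""
    nat = RdrNat("A", 80, "127.0.0.1", 80, iface_bound)
    request = Packet("192.0.2.10", 40000, "198.51.100.20", 80)
    to_proxy = nat.inbound("A", request)
    reply = Packet(to_proxy.dst, to_proxy.dport, request.src, request.sport)
    out, undone = nat.outbound(reply_iface, reply)
    return undone and out.src == request.dst and out.sport == request.dport
```

`reply_reaches_client("A")` succeeds (the hostroute case), `reply_reaches_client("B")` fails (the default-gateway case), and only with interface-agnostic state does the reply on "B" get translated back.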
    

