SunOS softrouter 5.10 Generic_118844-28 i86pc i386 i86pc
ip_fil4.1.10
pfil-2.1.7
> box]A-----B[gateway]C----D[dest
>
> A = 210.my.ext.IP
> B = 172.20.11.254
> C = ???
> D = 210.172.133.140
box]A-----B[gateway]C----D[dest
A = 210.my.ext.IP
B = 210.172.133.140
C = 172.20.11.254
D = Either on 210.172.133.140/172.20.11.254 server
OR any of the internal cluster boxes (172.20.11.5 - 172.20.11.15)
The idea was to get A -> D (using RDR round robin) without losing the original
IP "A" (but adding SSL->plain translation later). I was given the impression
that sample/proxy.c will interject a TCP session, fiddle with the NAT table so
that "A" is retained.
I changed proxy.c to dump all three addresses:
(From A to B:7100)
# telnet 210.172.133.140 7100
Escape character is '^]'.
local IP# to use: 210.172.133.140 (B)
local port# to use: 60058
in IP is: 172.20.11.254 (C)
out IP is: 210.my.ext.IP (A)
real IP is: 210.172.133.140 (B)
remote end for connection: 210.172.133.140,7100 (B)
OK Hello 210.172.133.140:60058 - you are connected to 210.172.133.140:7100
(B) and (B)
Now, ipnat -l shows me the RDR rule used to send the connection to "port 1".
RDR 172.20.11.254 1 <- -> 210.172.133.140 7100 [210.my.ext.IP 60429]
It looks to me like sample/proxy.c then adds a NAT rule to use, but this does
not appear in "ipnat -l". But I am not getting the "perrors" triggered either.
Presumably this is the bit of magic that makes my end program see "A" in
getpeername(), but that isn't coming through.
Darren Reed wrote:
"rdr e1000g0 0.0.0.0/0 port 7100 -> 172.20.11.254 port 1 tcp"
..
If I telnet directly to 7100 (by disabling RDR):
# telnet 210.172.133.140 7100
OK Hello 210.my.ext.IP:62282 - you are connected to 210.172.133.140:7100
If I connect from an external host, with RDR back in:
# telnet 210.172.133.140 7100
local IP# to use: 210.172.133.140
local port# to use: 39431
remote end for connection: 210.172.133.140,7100
OK Hello 210.172.133.140:39431 - you are connected to 210.172.133.140:7100
The only "ipnat -l" entry I get during that time is:
RDR 172.20.11.254 1 <- -> 210.172.133.140 7100 [210.my.ext.IP 62292]
Something seems wrong here.
For this to work, you should have:
box]A-----B[gateway]C----D[dest
A = 210.my.ext.IP
B = 172.20.11.254
C = ???
D = 210.172.133.140
To me it appears that "C" is 210.172.133.140. If that is the case,
this is not going to work how you expect.
What does "netstat -a" show?
This is IPFilter...v-what?
Darren
--
Jorgen Lundman | <[EMAIL PROTECTED]>
Unix Administrator | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo | +81 (0)90-5578-8500 (cell)
Japan | +81 (0)3 -3375-1767 (home)
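An added example, not from the thread or from IPFilter's own sources: a small Python parser for the "ipnat -l" session lines quoted above that applies Darren's question about C, flagging every RDR session whose target is one of the gateway's own addresses. It assumes the column layout of the RDR lines quoted on the page (MAP lines are assumed to share it), uses 203.0.113.10 as a constructed stand-in for 210.my.ext.IP, and takes the gateway's address set from the corrected topology as input.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two RDR session lines quoted in the thread, with the
# anonymised "210.my.ext.IP" replaced by the documentation address 203.0.113.10.
SAMPLE_IPNAT_L = """
RDR 172.20.11.254 1 <- -> 210.172.133.140 7100 [203.0.113.10 60429]
RDR 172.20.11.254 1 <- -> 210.172.133.140 7100 [203.0.113.10 62292]
"""
# Addresses belonging to the gateway itself (B and C in the corrected topology).
GATEWAY_ADDRS = {"210.172.133.140", "172.20.11.254"}

# Session line layout: KIND inside port <- -> outside port [peer port].
# For RDR: inside = redirect target, outside = original destination, peer = client.
# MAP lines are assumed (none are shown on the page) to use the same layout.
LINE_RE = re.compile(
    r"^(RDR|MAP)\s+(\S+)\s+(\d+)\s+<-\s+->\s+(\S+)\s+(\d+)\s+\[(\S+)\s+(\d+)\]$")

@dataclass(frozen=True)
class NatSession:
    kind: str
    inside: str
    inside_port: int
    outside: str
    outside_port: int
    peer: str
    peer_port: int

def parse_ipnat_l(text):
    """Parse active-session lines of 'ipnat -l'; anything else is skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            k, i, ip, o, op, p, pp = m.groups()
            out.append(NatSession(k, i, int(ip), o, int(op), p, int(pp)))
    return out

def diagnose(sessions, gateway_addrs):
    """One finding per RDR session that terminates on the gateway itself.
    The proxy's onward leg then originates from a gateway address unless a MAP
    session in the same listing rewrites that leg to the client's address."""
    findings = []
    maps = [s for s in sessions if s.kind == "MAP"]
    for s in sessions:
        if s.kind == "RDR" and s.inside in gateway_addrs:
            kept = any(m.outside == s.peer for m in maps)  # assumed MAP shape
            findings.append(
                f"{s.peer}:{s.peer_port} -> {s.outside}:{s.outside_port} lands on "
                f"gateway {s.inside}:{s.inside_port}; source-preserving MAP: {kept}")
    return findings
```

Feed it the real "ipnat -l" output and the gateway's interface addresses; an empty result means no redirect terminates on the gateway.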