The company I work for has come up with a strange requirement that we would like to find out if it can be done with IPTables/Netfilter.
Let's say we have two networks that we wish to connect over a private connection (all non-routable address space). On what we will call the "primary" network we have address space 10.0.0.0/8. On what we will call the "secondary" network, we also have address space 10.0.0.0/8. We need to plug the two together, knowing that we will not overlap address space.

On the "primary" network, we know we can assign 10.1.1.0/24 to the "secondary" network and not have conflicting address space. So we will put a Linux IPTables firewall between the "secondary" and "primary" networks, and NAT the "secondary" network to address space 10.1.1.0/24.

This is fairly common stuff and AFAICT IPtables can do this with a line something like this (assuming eth1 is the iface facing the "primary" network):

    iptables -t nat -A POSTROUTING -o eth1 -s 10.0.0.0/8 \
        -j SNAT --to-source 10.1.1.1-10.1.1.253

However, here's where things get weird. We would like to have the NAT mappings be bidirectional and dynamic. In other words, when 10.0.0.1 from the "secondary" network gets SNATed to 10.1.1.1, we would like connections from the "primary" network to be able to be made to 10.1.1.1 and get DNATed back to 10.0.0.1 on the "secondary" network. So when 10.0.0.1 gets SNAT'd to 10.1.1.1, it would be nice to have a rule _dynamically_ created like this one:

    iptables -t nat -A PREROUTING -i eth1 -d 10.1.1.1 \
        -j DNAT --to-dest 10.0.0.1

We have no problem with these dynamically created rules being LRU recycled. Presumably at any given time, despite the fact we have a /8 on the "secondary" network, there should never be more than a /24's worth of hosts attempting to make connections through the NAT gateway to the "primary" network. We could just make a bunch of static maps, except that at any given time, we don't actually know *which* hosts might be trying to make outbound connections. So we need to assign those addresses dynamically.
I'm suspecting that this might actually require some kind of NATd running to dynamically create and destroy NAT mappings rather than allowing the Netfilter stuff to do it itself. Does anyone have any ideas? Has anyone done this sort of thing already? Am I just missing something in the way IPtables/Netfilter works that makes this easy?
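The kernel's SNAT mappings live in conntrack entries and exist only for the lifetime of each outbound connection; a new inbound connection to a pool address has no entry to reverse, so the "mirror" DNAT rule the poster describes is not created by Netfilter itself. The block below is an added example, not code from the original post, of the core of the userspace "NATd" the poster suspects is needed: a 1:1 address allocator with LRU recycling that keeps both lookup directions and emits the paired SNAT/DNAT rule changes. The interface name eth1, the pool 10.1.1.1-10.1.1.253 and the host addresses in the test are the post's values or constructed samples; the rules are returned as strings (a dry run) rather than executed, so it runs anywhere and an operator can review exactly what would be applied.

```python
"""Userspace 1:1 NAT mapper with LRU recycling (added example, dry run only).

Assumed topology, taken from the post: secondary hosts in 10.0.0.0/8 sit behind
a Linux gateway whose primary-facing interface is eth1; the primary network
routes 10.1.1.0/24 to that gateway. Pool bounds below are the post's
10.1.1.1-10.1.1.253. Nothing here executes iptables; the rule strings are
collected in `applied` so they can be reviewed or fed to a real runner later.
"""
import ipaddress
from collections import OrderedDict

IFACE = "eth1"                                   # primary-facing interface
POOL_FIRST = ipaddress.IPv4Address("10.1.1.1")   # first pool address
POOL_LAST = ipaddress.IPv4Address("10.1.1.253")  # last pool address


def rules_for(secondary, public):
    """Return the SNAT/DNAT pair that makes one mapping bidirectional.

    Outbound: secondary host appears as `public` on eth1.
    Inbound:  new connections to `public` on eth1 reach the secondary host.
    """
    return [
        f"iptables -t nat -A POSTROUTING -o {IFACE} -s {secondary} "
        f"-j SNAT --to-source {public}",
        f"iptables -t nat -A PREROUTING -i {IFACE} -d {public} "
        f"-j DNAT --to-destination {secondary}",
    ]


def rules_to_delete(secondary, public):
    """Same pair with -A swapped for -D, used when a mapping is recycled."""
    return [r.replace(" -A ", " -D ", 1) for r in rules_for(secondary, public)]


class NatMapper:
    """Allocate pool addresses to secondary hosts on first outbound use.

    `active` is an OrderedDict kept in least-recently-used order (oldest first),
    so recycling a mapping when the pool is exhausted is a popitem(last=False).
    """

    def __init__(self, first=POOL_FIRST, last=POOL_LAST):
        first, last = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        self.free = [ipaddress.IPv4Address(a) for a in range(int(first), int(last) + 1)]
        self.active = OrderedDict()   # secondary -> public, LRU order
        self.reverse = {}             # public -> secondary, for inbound DNAT lookups
        self.applied = []             # rule strings that would have been run

    def outbound(self, src):
        """Called when a secondary host opens a new outbound connection."""
        src = ipaddress.IPv4Address(src)
        if src in self.active:
            self.active.move_to_end(src)        # refresh: most recently used
            return self.active[src]
        if not self.free:
            # Pool exhausted: recycle the least recently used mapping and
            # withdraw its rules before reusing the public address.
            old_src, old_pub = self.active.popitem(last=False)
            del self.reverse[old_pub]
            self.applied += rules_to_delete(old_src, old_pub)
            self.free.append(old_pub)
        pub = self.free.pop(0)
        self.active[src] = pub
        self.reverse[pub] = src
        self.applied += rules_for(src, pub)
        return pub

    def inbound(self, dst):
        """Reverse lookup for a connection arriving on eth1 to a pool address.

        Returns the secondary host, or None when nothing is mapped there yet
        (such traffic should simply be dropped by the filter table).
        """
        return self.reverse.get(ipaddress.IPv4Address(dst))


if __name__ == "__main__":
    # Constructed sample: a tiny three-address pool to show recycling.
    m = NatMapper("10.1.1.1", "10.1.1.3")
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.1", "10.0.0.4"):
        print(f"{host} -> {m.outbound(host)}")
    print("inbound to 10.1.1.2 reaches", m.inbound("10.1.1.2"))
    print("\n".join(m.applied))
```

In a real daemon `outbound()` would be driven by NEW-state events for packets from 10.0.0.0/8 leaving eth1 and the rule strings handed to iptables (or, better, loaded atomically with iptables-restore); the example keeps that boundary explicit so the allocation logic can be tested without root.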