On Sun, Apr 08, 2012 at 05:10:19PM -0700, Aaron Clausen wrote:
> I'm trying to sort out how to do NAT reflection off the public
> interface where that interface's IP address is supplied via DHCP
> from the ISP. Any thoughts?
I would guess that by "NAT reflection", you mean that you think you
want to NAT internal clients to an internal host for various requests
of your external name. This only makes sense if you are using some
kind of dynamic DNS service to give you an "external name".
"NAT reflection" is not really a standard term. A clueless but more
common term for the same thing (this term being employed in some
consumer-grade router devices) is "loopback NAT". That term is
clueless because "loopback" is indeed a standard networking term, and
"loopback NAT" has nothing to do with loopback interfaces.
All that said: the best idea is to handle this in DNS. You run your
own nameserver for internal hosts, and give them the internal IP
address when they query for the external name. I highly recommend
dnsmasq(8) for this job; it is provided by most common GNU/Linux
distros.
http://thekelleys.org.uk/dnsmasq/doc.html
An advantage to this approach over "NAT reflection" is that your
logging contains useful information. With "NAT reflection", all
connections to the external name from internal hosts would show as
coming from the router.
The only drawback isn't really a drawback, and that is that for any
given external name, you can only resolve it to one [set of] internal
IP address[es]. With NAT you can have HTTP on 10.0.0.80, FTP on
10.0.0.21, IMAP on 10.0.0.143, etc. Solution: use different names
for different services. If it costs you anything to add more names,
you need a better DNS provider.
Your answer to the original question requires an understanding of
source and destination NAT. A graphical representation of the issue
of same-subnet NAT can be seen here:
http://jengelh.medozas.de/images/dnat-mistake.png
A detailed explanation of the matter is here:
http://www.frozentux.net/iptables-tutorial/chunkyhtml/x4033.html
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
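An added example, not part of the reply above and not taken from the dnsmasq or netfilter documentation, showing the two approaches the reply contrasts: split-horizon DNS with dnsmasq (one name per service, each mapped to its internal host) and hairpin NAT, where the DNAT has to be paired with an SNAT because client and server sit on the same subnet. Both functions only print the configuration they would apply, so the script runs without root; the interface names (eth0 WAN, eth1 LAN), the LAN 10.0.0.0/24 with router 10.0.0.1, the public address 203.0.113.5 and the example.com names are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the reply above or the projects it names).
# Assumptions: LAN on eth1 = 10.0.0.0/24 with the router at 10.0.0.1,
# WAN on eth0 with a DHCP-assigned address (203.0.113.5 used below as a
# constructed sample), example.com hosts as placeholders.

# Option 1 (what the reply recommends): split-horizon DNS with dnsmasq,
# which the LAN must use as its resolver. One name per service, so each
# name resolves to exactly one internal host.
# Usage: dnsmasq_records name=ip [name=ip ...]
dnsmasq_records() {
    for pair in "$@"; do
        name=${pair%%=*}
        ip=${pair#*=}
        # host-record answers A queries for exactly this name; external
        # resolvers (and the public zone) keep handing out the public address.
        printf 'host-record=%s,%s\n' "$name" "$ip"
    done
}

# Option 2: hairpin ("reflection") NAT with netfilter.
# DNAT alone fails on the same subnet: the server would answer the LAN client
# directly, and the client would get a reply from 10.0.0.80 for a connection
# it opened to the public IP, so it drops it. The SNAT to the router's LAN
# address forces the reply back through the router, which is also why the
# server's logs then show every internal client as the router.
# Usage: hairpin_nat_rules wan_ip lan_if lan_net lan_router_ip proto port internal_ip
hairpin_nat_rules() {
    wan_ip=$1 lan_if=$2 lan_net=$3 lan_gw=$4 proto=$5 port=$6 dst=$7
    cat <<EOF
iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -d $wan_ip -p $proto --dport $port -j DNAT --to-destination $dst:$port
iptables -t nat -A POSTROUTING -o $lan_if -s $lan_net -d $dst -p $proto --dport $port -j SNAT --to-source $lan_gw
EOF
}

# The WAN address comes from DHCP, so it is read at install time rather than
# hard-coded. On a live router this would run from the DHCP client's exit
# hook (e.g. dhclient-exit-hooks) and reinstall the rules when the lease changes.
current_wan_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n 1
}

# Demonstration with the constructed sample values:
dnsmasq_records www.example.com=10.0.0.80 ftp.example.com=10.0.0.21 imap.example.com=10.0.0.143
hairpin_nat_rules 203.0.113.5 eth1 10.0.0.0/24 10.0.0.1 tcp 80 10.0.0.80
```

The DNAT rule keys on the current WAN address, which is the part that a DHCP lease change breaks; an alternative is `-m addrtype --dst-type LOCAL`, which matches any address the router itself owns, but that also catches the LAN gateway address (10.0.0.1 here), so it needs a narrower match if the router serves anything on that port itself. Either way, the DNS approach sidesteps the problem entirely and keeps the real client address in the server's logs.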