03-03-2007 #11 (Just Joined! | Join Date: Feb 2007 | Posts: 34)
Why do you say that I cannot use the REDIRECT or the DNAT targets in the case of a router?
Please explain...
03-03-2007 #12
"Why do you say that I cannot use the REDIRECT or the DNAT targets in the case of a router."
I don't mean to say that you cannot do that. But as per your requirement, you need to decrypt data on the router and then forward it.
If you use a DNAT rule, then you cannot do this processing.
If you strictly want to DNAT/REDIRECT traffic from the client to the LAN server and also do decryption, then you have to queue up the packet (before DNATing/REDIRECTing) from kernel space to user space, decrypt it, then put it back into kernel space.
The kernel will take care of redirecting the traffic to your DB server (since your DNAT rule follows your QUEUE rule -- iptables is basically a single linear linked list).
But before getting much more deeply into this, know about your DB server. Decide which DB you are going to use, because the DB by itself provides all such DB traffic encryption.
---------------------------------
Registered Linux User #440311
HI2ARUN _AT_ GMAIL _DOT_ COM
---------------------------------
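To make the "queue rule before DNAT rule" ordering from the reply above checkable, here is an added example that is not code from this thread: it parses an iptables-save style dump and lists, in traversal order, which PREROUTING targets the first packet of a new connection meets. The interface eth0, port 5432, the address 10.0.0.5, and the use of NFQUEUE (the successor of the QUEUE target) are assumptions.

```python
# Added example (not from the thread): model the order in which a new
# connection's first packet meets PREROUTING rules, to check that the
# queue-to-user-space rule is reached before DNAT rewrites the destination.
# The ruleset, eth0, port 5432 and 10.0.0.5 are constructed assumptions.
import re

# Netfilter runs the tables hooked at PREROUTING in priority order (lower
# first): raw, then mangle, then nat. Within a table, rules run top to bottom.
TABLE_PRIORITY = {"raw": -300, "mangle": -150, "nat": -100}

SAMPLE_RULES = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 5432 -j NFQUEUE --queue-num 0
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 5432 -j DNAT --to-destination 10.0.0.5:5432
COMMIT
"""

def parse_prerouting(dump):
    """Return (table, dport or None, target) for each PREROUTING rule, in the
    order a packet traverses them."""
    rules, table = [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A PREROUTING "):
            port = re.search(r"--dport (\d+)", line)
            target = re.search(r"-j (\S+)", line).group(1)
            rules.append((table, int(port.group(1)) if port else None, target))
    # sort() is stable, so rules keep their in-table order within each table
    rules.sort(key=lambda r: TABLE_PRIORITY.get(r[0], 0))
    return rules

def targets_for_new_connection(dump, dport):
    """Targets hit by the first packet of a new TCP connection to dport.
    Later packets skip the nat table (conntrack reapplies the NAT decided on
    the first packet), so a queue rule that must see every packet belongs in mangle."""
    return [t for table, p, t in parse_prerouting(dump) if p in (None, dport)]

def queue_precedes_dnat(dump, dport):
    """True if the packet reaches user space before the kernel rewrites its
    destination, i.e. the QUEUE/NFQUEUE rule comes before the DNAT rule."""
    targets = targets_for_new_connection(dump, dport)
    queue = [i for i, t in enumerate(targets) if t in ("QUEUE", "NFQUEUE")]
    dnat = [i for i, t in enumerate(targets) if t == "DNAT"]
    return bool(queue and dnat) and queue[0] < dnat[0]
```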
03-03-2007 #13 (Just Joined! | Join Date: Feb 2007 | Posts: 34)
"I want to REDIRECT all the traffic to the ROUTER machine itself"
How does this sound??
Originally Posted by cyberinstru
03-03-2007 #14 (Just Joined! | Join Date: Feb 2007 | Posts: 34)
When I do this the traffic will not go to the LAN server but will come again to my router machine ... this time with a destination of my router!!
Originally Posted by bhupeshchawda
03-03-2007 #15
"I want to REDIRECT all the traffic to the ROUTER machine itself. How does this sound??"
Here REDIRECTion is not at all required. Because your router sits on the edge, obviously all the packets come to the router first.
---------------------------------
Registered Linux User #440311
HI2ARUN _AT_ GMAIL _DOT_ COM
---------------------------------
03-03-2007 #16 (Just Joined! | Join Date: Feb 2007 | Posts: 34)
BUT I don't want to let the packets flow away to the LAN server.
Without the REDIRECT, all packets will come to my router, no doubt, BUT they will also flow to the LAN server ... undecrypted! Which I don't want.
I will decrypt them at the router and then forward them to the LAN!!
Originally Posted by cyberinstru
03-03-2007 #17
"BUT they will also flow to the LAN server ... undecrypted!"
No way. Without a PREROUTING rule, no new packets can reach your LAN machine.
Only packets in RELATED and ESTABLISHED state could reach your LAN machine, and obviously those are initiated from the LAN to the INTERNET (with a POSTROUTING rule on the router).
---------------------------------
Registered Linux User #440311
HI2ARUN _AT_ GMAIL _DOT_ COM
---------------------------------
03-03-2007 #18 (Just Joined! | Join Date: Feb 2007 | Posts: 34)
I didn't know this!
Thanks a lot, and that solves my problem. But one last thing I would like to know is:
"The packets sent by the client will have the destination address of any of the LAN machines. Will the packets sent from the client come to my router even if the router does not forward them to the LAN server automatically??"
Originally Posted by cyberinstru
03-03-2007 #19
"the LAN server"
Does your LAN server hold a public IP? Your router does NAT, right?
If I am right, in your setup only your router holds a public IP, and all your LAN machines, including the server, hold private IPs. So without the router doing NAT, no new packets could reach your LAN from the outside world.
Please correct me if my understanding of your setup is wrong.
---------------------------------
Registered Linux User #440311
HI2ARUN _AT_ GMAIL _DOT_ COM
---------------------------------
03-03-2007 #20 (Just Joined! | Join Date: Feb 2007 | Posts: 34)
You have understood my problem very nicely, no doubt.
Originally Posted by cyberinstru
Here pops up a new problem...
When my router does not do NATing, packets do not even reach my router.
And when I do NATing, packets go away to the LAN server directly.
Now what to do??
By the way, do you have an orkut account? It would be better talking up there.