Page 2 of 3 (Results 11 to 20 of 23)
  1. #11 | Just Joined! | Join Date: Feb 2007 | Posts: 34

    Why do you say that I cannot use the REDIRECT or the DNAT targets in the case of a router?
    Please explain.

  2. #12 | cyberinstru (Linux User) | Join Date: Jan 2007 | Location: India | Posts: 362
    Quote Originally Posted by bhupeshchawda:
    Why do you say that I cannot use the REDIRECT or the DNAT targets in the case of a router?
    I don't mean to say that you cannot do that. But as per your requirement, you need to decrypt the data on the router and then forward it.

    If you use a DNAT rule, then you cannot do this processing.

    If you strictly want to DNAT/REDIRECT traffic from the client to the LAN server and also do the decryption, then you have to queue up the packet (before DNATing/REDIRECTing) from kernel space to user space, decrypt it, then put it back into kernel space.
    The kernel will take care of redirecting the traffic to your DB server (since your DNAT rule follows your QUEUE rule -- iptables is basically a single linear linked list).

    But before getting much more deeply into this, know about your DB server. Decide which DB you are going to use, because the DB by itself provides all such DB traffic encryption.
    ---------------------------------
    Registered Linux User #440311
    HI2ARUN _AT_ GMAIL _DOT_ COM
    ---------------------------------

  3. #13 | Just Joined! | Join Date: Feb 2007 | Posts: 34

    Cool

    "I want to REDIRECT all the traffic to the ROUTER machine itself"
    How does this sound?

    Quote Originally Posted by cyberinstru:
    I don't mean to say that you cannot do that. But as per your requirement, you need to decrypt the data on the router and then forward it.

    If you use a DNAT rule, then you cannot do this processing.

    If you strictly want to DNAT/REDIRECT traffic from the client to the LAN server and also do the decryption, then you have to queue up the packet (before DNATing/REDIRECTing) from kernel space to user space, decrypt it, then put it back into kernel space.
    The kernel will take care of redirecting the traffic to your DB server (since your DNAT rule follows your QUEUE rule -- iptables is basically a single linear linked list).

    But before getting much more deeply into this, know about your DB server. Decide which DB you are going to use, because the DB by itself provides all such DB traffic encryption.

  4. #14 | Just Joined! | Join Date: Feb 2007 | Posts: 34
    Quote Originally Posted by bhupeshchawda:
    "I want to REDIRECT all the traffic to the ROUTER machine itself"

    How does this sound?
    When I do this, the traffic will not go to the LAN server but will come again to my router machine ... this time with a destination of my router!

  5. #15 | cyberinstru (Linux User) | Join Date: Jan 2007 | Location: India | Posts: 362
    Quote Originally Posted by bhupeshchawda:
    "I want to REDIRECT all the traffic to the ROUTER machine itself"
    How does this sound?
    Here REDIRECTion is not at all required, because your router sits on the edge and obviously all the packets come to the router first.

  6. #16 | Just Joined! | Join Date: Feb 2007 | Posts: 34
    BUT I don't want to let the packets flow away to the LAN server.
    Without the REDIRECT, all packets will come to my router, no doubt, BUT they will also flow to the LAN server ... undecrypted! Which I don't want.
    I will decrypt them at the router and then forward them to the LAN!

    Quote Originally Posted by cyberinstru:
    Here REDIRECTion is not at all required, because your router sits on the edge and obviously all the packets come to the router first.

  7. #17 | cyberinstru (Linux User) | Join Date: Jan 2007 | Location: India | Posts: 362
    Quote Originally Posted by bhupeshchawda:
    BUT they will also flow to the LAN server ... undecrypted!
    No way. Without a PREROUTING rule, no new packets can reach your LAN machine.

    Only packets in RELATED and ESTABLISHED state could reach your LAN machine, and obviously that is initiated from the LAN to the INTERNET (with a POSTROUTING rule on the router).
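As an added illustration (not code from the thread or either poster), a POSIX shell function that lays out the rule order cyberinstru describes in #12 and #17: hand the DB traffic to user space in the mangle PREROUTING chain, which is traversed before nat PREROUTING, so the DNAT rule follows the queue rule; DNAT it to the LAN server; and let FORWARD accept only DNATed and RELATED/ESTABLISHED traffic, so nothing new from the WAN reaches the LAN undecrypted. The interface names, the server address 192.168.1.10 and port 5432 are placeholder assumptions, and NFQUEUE is the current form of the QUEUE target named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: WAN eth0, LAN eth1,
# DB server 192.168.1.10, DB port 5432. Set DRY_RUN=1 to print instead of apply.
run() { ${DRY_RUN:+echo} iptables "$@"; }

setup_rules() {
    wan_if=$1; lan_if=$2; db_srv=$3; db_port=$4

    # 1. Hand the packet to user space BEFORE any NAT decision. The mangle table's
    #    PREROUTING chain runs before nat PREROUTING, so the decryptor bound to
    #    queue 0 sees the packet first; when it reinjects it with an ACCEPT verdict,
    #    traversal continues with the nat table and the DNAT below applies.
    #    (If decryption changes the payload length, the user-space program must
    #    also fix up the TCP sequence/ack numbers, or the connection breaks.)
    run -t mangle -A PREROUTING -i "$wan_if" -p tcp --dport "$db_port" \
        -j NFQUEUE --queue-num 0

    # 2. The kernel then rewrites the destination to the LAN server.
    run -t nat -A PREROUTING -i "$wan_if" -p tcp --dport "$db_port" \
        -j DNAT --to-destination "$db_srv:$db_port"

    # 3. FORWARD: nothing new from the WAN reaches the LAN unless step 2
    #    DNATed it; replies and related traffic pass on connection state only.
    run -P FORWARD DROP
    run -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run -A FORWARD -i "$wan_if" -o "$lan_if" -d "$db_srv" -p tcp \
        --dport "$db_port" -m conntrack --ctstate DNAT -j ACCEPT
    run -A FORWARD -i "$lan_if" -o "$wan_if" -m conntrack --ctstate NEW -j ACCEPT

    # 4. LAN-originated connections leave with the router's public address.
    run -t nat -A POSTROUTING -o "$wan_if" -j MASQUERADE
}

# Dry run: prints the iptables commands in the order they would be applied.
DRY_RUN=1 setup_rules eth0 eth1 192.168.1.10 5432
```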

  8. #18 | Just Joined! | Join Date: Feb 2007 | Posts: 34
    I didn't know this! Thanks a lot, that solves my problem. But one last thing I would like to know is:
    "The packets sent by the client will have the destination address of one of the LAN machines. Will the packets sent from the client come to my router even if the router does not forward them to the LAN server automatically?"

    Quote Originally Posted by cyberinstru:
    No way. Without a PREROUTING rule, no new packets can reach your LAN machine.

    Only packets in RELATED and ESTABLISHED state could reach your LAN machine, and obviously that is initiated from the LAN to the INTERNET (with a POSTROUTING rule on the router).

  9. #19 | cyberinstru (Linux User) | Join Date: Jan 2007 | Location: India | Posts: 362
    Quote Originally Posted by bhupeshchawda:
    the LAN server
    Does your LAN server hold a public IP? Your router does NAT, right?

    If I am right, in your setup only your router holds a public IP and all your LAN machines, including the server, hold private IPs. So without the router doing NAT, no new packets could reach your LAN from the outside world.

    Please correct me if my understanding of your setup is wrong.

  10. #20 | Just Joined! | Join Date: Feb 2007 | Posts: 34
    Quote Originally Posted by cyberinstru:
    without the router doing NAT, no new packets could reach your LAN from the outside world.
    You have understood my problem very nicely, no doubt.
    Here pops up a new problem...
    When my router does not do NATing, packets do not even reach my router.
    And when I do NATing, packets go away to the LAN server directly.
    Now what to do?
    By the way, do you have an orkut account? It would be better talking up there.
