Re: Performing NAT on a bridge

From: Martin Cooper (usenet_at_martinc.me.uk)
Date: 05/02/03


Date: Fri, 2 May 2003 21:56:45 +0100


"Kyler Laird" <Kyler@news.Lairds.org> wrote in message
news:74q5o-m7i.ln1@news.lairds.org...
> "Jeff Umbach" <jeff@govnors.com> writes:
>
> >You cannot perform NAT on a bridge because it is a form of routing and a
> >bridge does not do any routing, it only joins two network segments in a
> >transparent fashion.
>
> The definition is getting fuzzy these days.
> http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html
>
> --kyler
Hi,
That's an interesting link, I was aware of the existence of ebtables,
but had not actually read up on it. I am using a bridging firewall,
but on kernel 2.4.20, think I'll try one of the development kernels
and see what happens. I am aware that in normal bridging this will not
work, but if I have the firewall patch, I can filter packets on source
/ destination IP address, port number etc. However, even though the
packets appear to traverse the routing chains within the firewall, any
SNAT and DNAT rules fail to work. I see no reason for this to be the
case, if the firewall can filter based on the source / destination
port and address, it seems that keeping the NAT translation table in
the kernel and performing SNAT and DNAT on one or more IP addresses
should be possible. However, when I use the rules mentioned in my
previous post, my machine effectively loses its internet connection.
The fact that after inserting these rules, the connection breaks means
that the packets must be traversing the routing chains, and something
is clearly happening. Think I'll try joining the bridging list and
see if anyone there has an opinion.

    Thanks for your input,

                Martin


