Feature: Using just one port
Allan Latham <alatham,AT,flexsys-group,DOT,com>
Tue, 17 Jun 2003 16:03:55 +0200
I am a long standing user of cipe and I repeat my thanks to Olaf and all the
rest of you who made it happen. It is in constant use between several of our
sites and is completely support free.
However: I may have to deal with the following scenario.
A firm has its own network behind a firewall (with a fixed IP) which blocks
just about everything. There is a need for a number of cipe point-to-point
links but that number cannot be determined in advance. The links will be from
various remote out-stations (which have direct internet access with dynamic
IP) to just one machine on the firm's network.
The network admin can open one udp port on the firewall and send all traffic
on that port to the machine running cipe. It will not be possible to request
either a range of a hundred ports nor to request ports on an ad-hoc basis as
and when required - the approval process is too long.
Outgoing udp traffic from the cipe box can be enabled irrespective of source
or destination port. The firewall will NAT the IP address on the way out.
Now here is my solution - and I would like to know if anyone knows of an
1. All remote stations will be setup to listen on a udp port just as now.
2. No two remote stations will use the same listen port.
3. All remote stations will send udp packets to the same IP and port (i.e. the
real IP of the firewall and whatever port has been forwarded to the cipe
4. On the cipe box on the firms network the cipe configuration will be such
that each interface listens on localhost on the same udp port as the remote
server is listening on.
5. On the cipe box I will run a proxy udp server which looks at the incoming
udp packets and forwards them to the udp port on localhost that is the same
as the source udp port in the original packet.
cipe config files:
Remote 1 (cipcb0)
Remote 2 (cipcb0)
Remote 3 (cipcb0)
Server is on IP 10.0.0.1 behind the NAT firewall. So aaa.bbb.ccc.ddd:5100
forwarded to 10.0.0.1:5100
Server 1 (cipcb1)
Server 2 (cipcb2)
Server 3 (cipcb3)
Example proxy action (proxy listens on 10.0.0.1:5100)
i/c packet: source port 5102, dest port 5100, source ip ppp.qqq.rrr.sss, dest
this gets changed to source port 5102, dest port 5102, source ip
ppp.qqq.rrr.sss, dest ip 127.0.0.1
I doubt if I can do this at normal udp socket level but it will probably work
by intercepting the packets with iptables.
Any comments, anyone? Perhaps there's a really easy way to do this already and
I just skipped over it.
Best regards to everyone
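The following is an added illustration of step 5 of the scheme above done at plain UDP socket level; it is not code from the post, from Allan, or from the CIPE project. A user-space proxy cannot preserve the remote's source IP the way the iptables rewrite in the post does, so it keeps its own table keyed on the remote's listen port and relays the replies itself. Assumptions not in the post: the server-side cipcbN interfaces listen on 127.0.0.1:<port> and have their peer set to 127.0.0.2:<port>, the hypothetical loopback alias this proxy sends from, so that replies from cipe come back through the proxy rather than out of a loopback-bound socket. The addresses 10.0.0.1 and port 5100 are the post's own examples.

```python
#!/usr/bin/env python3
"""User-space UDP demultiplexer for the one-port CIPE setup (added example).

Not code from the post or from CIPE. Assumptions beyond the post: server-side
cipcbN instances listen on CIPE_HOST:<port> with peer = PROXY_HOST:<port>,
so their replies reach this proxy, which sends them back out of the shared
socket (source 10.0.0.1:5100, which the firewall NATs to aaa.bbb.ccc.ddd:5100,
the address every remote station is configured to talk to).
"""
import select
import socket
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]

LISTEN: Addr = ("10.0.0.1", 5100)  # the one port the firewall forwards (post's example)
CIPE_HOST = "127.0.0.1"            # where the server-side cipcbN interfaces listen
PROXY_HOST = "127.0.0.2"           # hypothetical loopback alias the proxy sends from


class UdpDemux:
    """Routing logic only: the remote's source port selects the local cipe instance.

    Each remote station listens on a unique UDP port (steps 1 and 2) and
    always sends from that port to LISTEN (step 3), so the port identifies
    the station even when its dynamic IP changes.
    """

    def __init__(self) -> None:
        # remote listen port -> remote (ip, port) seen most recently
        self.peers: Dict[int, Addr] = {}

    def route_inbound(self, src: Addr) -> Addr:
        """Packet from src on the shared port goes to CIPE_HOST:<src port>.

        The station's current address is recorded, overwriting any earlier
        one for that port, so a changed dynamic IP is picked up on the next packet.
        """
        port = src[1]
        self.peers[port] = src
        return (CIPE_HOST, port)

    def route_reply(self, local_port: int) -> Optional[Addr]:
        """Reply from CIPE_HOST:<local_port> goes to the station owning that port."""
        return self.peers.get(local_port)


class UdpDemuxServer(UdpDemux):
    """Socket plumbing: one shared inbound socket, one per-port socket towards cipe."""

    def __init__(self, listen: Addr = LISTEN) -> None:
        super().__init__()
        self.inbound = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.inbound.bind(listen)
        self.back: Dict[int, socket.socket] = {}        # port -> socket bound to PROXY_HOST:port
        self.port_of: Dict[socket.socket, int] = {}

    def back_socket(self, port: int) -> socket.socket:
        """Socket used to talk to CIPE_HOST:port, created on first use."""
        sock = self.back.get(port)
        if sock is None:
            sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            sock.bind((PROXY_HOST, port))
            self.back[port] = sock
            self.port_of[sock] = port
        return sock

    def serve_once(self, timeout: float = 1.0) -> int:
        """Relay at most one datagram per ready socket; returns how many were relayed."""
        readable, _, _ = select.select([self.inbound, *self.back.values()], [], [], timeout)
        relayed = 0
        for sock in readable:
            data, src = sock.recvfrom(65535)
            if sock is self.inbound:
                dst = self.route_inbound(src)
                self.back_socket(dst[1]).sendto(data, dst)
                relayed += 1
            else:
                port = self.port_of[sock]
                if src != (CIPE_HOST, port):     # only the matching local cipe may use this socket
                    continue
                dst = self.route_reply(port)
                if dst is not None:              # no station has used this port yet: drop
                    self.inbound.sendto(data, dst)
                    relayed += 1
        return relayed

    def serve_forever(self) -> None:
        while True:
            self.serve_once()


if __name__ == "__main__":
    UdpDemuxServer().serve_forever()
```

Two things to keep in mind with this variant: the local cipe instances see packets coming from 127.0.0.2 rather than from the remote station, so any per-peer filtering has to happen in the proxy, and the remote's port number is the only thing that selects a tunnel, so a packet sent to the shared port from a spoofed source port lands on that station's cipe instance and it is cipe's own packet authentication that has to reject it.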