
To: cipe-l,AT,inka,DOT,de
Subject: Feature: Using just one port
From: Allan Latham <alatham,AT,flexsys-group,DOT,com>
Date: Tue, 17 Jun 2003 16:03:55 +0200

Hi everyone

I am a long standing user of cipe and I repeat my thanks to Olaf and all the 
rest of you who made it happen. It is in constant use between several of our 
sites and is completely support free.

However: I may have to deal with the following scenario.

A firm has its own network behind a firewall (with a fixed IP) which blocks 
just about everything. There is a need for a number of cipe point-to-point 
links but that number cannot be determined in advance. The links will be from 
various remote out-stations (which have direct internet access with dynamic 
IP) to just one machine on the firm's network.

The network admin can open one udp port on the firewall and send all traffic 
on that port to the machine running cipe. It will not be possible to request 
either a range of a hundred ports nor to request ports on an ad-hoc basis as 
and when required - the approval process is too long.

Outgoing udp traffic from the cipe box can be enabled irrespective of source 
or destination port. The firewall will NAT the IP address on the way out.

Now here is my solution - and I would like to know if anyone knows of an 
easier way.

1. All remote stations will be setup to listen on a udp port just as now.
2. No two remote stations will use the same listen port.
3. All remote stations will send udp packets to the same IP and port (i.e. the 
real IP of the firewall and whatever port has been forwarded to the cipe 
box).
4. On the cipe box on the firm's network the cipe configuration will be such 
that each interface listens on localhost on the same udp port as the remote 
server is listening on.
5. On the cipe box I will run a proxy udp server which looks at the incoming 
udp packets and forwards them to the udp port on localhost that is the same 
as the source udp port in the original packet.

cipe config files:

Remote 1 (cipcb0)

ptpaddr         192.168.255.1
ipaddr          192.168.1.1
me              0.0.0.0:5101
peer            aaa.bbb.ccc.ddd:5100

Remote 2 (cipcb0)

ptpaddr         192.168.255.1
ipaddr          192.168.2.1
me              0.0.0.0:5102
peer            aaa.bbb.ccc.ddd:5100

Remote 3 (cipcb0)

ptpaddr         192.168.255.1
ipaddr          192.168.3.1
me              0.0.0.0:5103
peer            aaa.bbb.ccc.ddd:5100

Server is on IP 10.0.0.1 behind the NAT firewall. So aaa.bbb.ccc.ddd:5100 
gets forwarded to 10.0.0.1:5100

Server 1 (cipcb1)

ptpaddr         192.168.1.1
ipaddr          192.168.255.1
me              127.0.0.1:5101
peer            0.0.0.0:5101

Server 2 (cipcb2)

ptpaddr         192.168.2.1
ipaddr          192.168.255.1
me              127.0.0.1:5102
peer            0.0.0.0:5102

Server 3 (cipcb3)

ptpaddr         192.168.3.1
ipaddr          192.168.255.1
me              127.0.0.1:5103
peer            0.0.0.0:5103

Example proxy action (proxy listens on 10.0.0.1:5100)

i/c packet: source port 5102, dest port 5100, source ip ppp.qqq.rrr.sss, dest ip 10.0.0.1
This gets changed to: source port 5102, dest port 5102, source ip ppp.qqq.rrr.sss, dest ip 127.0.0.1

I doubt if I can do this at normal udp socket level but it will probably work 
by intercepting the packets with iptables.

Any comments, anyone? Perhaps there's a really easy way to do this already and 
I just skipped over it.

Best regards to everyone

Allan
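A user-space version of the proxy from step 5, added here as an illustration and not code from the original post or from the cipe project: it demultiplexes on the UDP source port exactly as the worked packet example shows, and keeps one reply socket per cipe instance so that the instance's answers (which, with `peer 0.0.0.0`, go back to wherever its last valid packet came from) are returned to the right remote station through the same public socket. The class name `UdpDemux`, the port set and the listen address are assumptions for this example.

```python
import selectors
import socket

# Constructed for this example: localhost ports of the per-peer cipe instances
# (cipcb1..cipcb3 in the post). Nothing else on the box is ever forwarded to.
LOCAL_CIPE_PORTS = {5101, 5102, 5103}

def inbound_target(src_port, ports=LOCAL_CIPE_PORTS):
    """Step 5: forward to 127.0.0.1:<source port>, or None (drop) if unknown."""
    return ("127.0.0.1", src_port) if src_port in ports else None

class UdpDemux:
    """Public socket on the forwarded port, plus one reply socket per cipe
    instance so that instance's answers come back to this proxy."""
    def __init__(self, listen_addr, ports=LOCAL_CIPE_PORTS):
        self.sel = selectors.DefaultSelector()
        self.public = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.public.bind(listen_addr)
        self.sel.register(self.public, selectors.EVENT_READ, None)
        self.back = {}   # local cipe port -> socket connected to it
        self.peers = {}  # local cipe port -> last remote (ip, port) seen
        for port in ports:
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.bind(("127.0.0.1", 0))
            s.connect(("127.0.0.1", port))
            self.back[port] = s
            self.sel.register(s, selectors.EVENT_READ, port)

    def handle_inbound(self, data, src):
        """Remote -> cipe instance. The source port is only a demux key;
        cipe's own key check still decides whether the packet is accepted."""
        if inbound_target(src[1], self.back) is None:
            return False
        self.peers[src[1]] = src
        self.back[src[1]].send(data)
        return True

    def handle_reply(self, port, data):
        """cipe instance -> the remote that last spoke on that port."""
        peer = self.peers.get(port)
        if peer is None:
            return False
        self.public.sendto(data, peer)
        return True

    def serve_once(self, timeout=None):
        # One select() round; loop this bound to 10.0.0.1:5100 for the setup above.
        for key, _ in self.sel.select(timeout):
            if key.data is None:
                self.handle_inbound(*self.public.recvfrom(65535))
            else:
                self.handle_reply(key.data, key.fileobj.recv(65535))
```

Because a mis-addressed packet only lands on a cipe instance whose key it was not encrypted under, a wrong or spoofed source port costs the attacker nothing but a dropped packet; the proxy never forwards to ports outside its configured set.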

