Hi Filip

We already used ED mode to re-use the 8080 port.
But we still cannot limit this rule only for a specific source IP. Do you have any idea or advice for this?

Thanks and appreciate

Regards,
Date

________________________________
From: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) <fiva...@cisco.com>
Sent: September 30, 2020 6:41 PM
To: Date Huang <tjjh89...@hotmail.com>; Nathan Skrzypczak <nathan.skrzypc...@gmail.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: RE: [vpp-dev] Static NAT rule only match specific source ip or port

Hi Date,

I would suggest looking into ED NAT out2in-only translations.

Just to point out:
(OUTSIDE HOST) X.X.X.X:* -> (NAT ADDRESS) Y.Y.Y.Y:8080 translated to (OUTSIDE HOST) X.X.X.X:* -> (INSIDE HOST) Z.Z.Z.Z:5566

Let's go with NAT in VPP:

set interface nat44 in LAN out WAN
nat44 add address (NAT ADDRESS)
nat44 add static mapping tcp local (INSIDE HOST) (INSIDE PORT) external (NAT ADDRESS) 8080 out2in-only

ED - endpoint dependent NAT will let you reuse the 8080 port for other connections.

Best regards,
Filip Varga

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Date Huang
Sent: Wednesday, September 30, 2020 9:55 AM
To: Nathan Skrzypczak <nathan.skrzypc...@gmail.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] Static NAT rule only match specific source ip or port
Importance: High

Hi Nathan

[sorry to send this mail again, I found that I didn't cc the vpp-dev mailing list]

So glad to see your reply.
My English is poor, so if there is some confusing term, please tell me. I will try my best to describe it with some graph.

> Just to be sure to understand your use case, you want to have the following translations happening :
> * X.X.X.X:* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> Z.Z.Z.Z:5566
> * (not X.X.X.X):* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> W.W.W.W:1234
> Do you also need other NATing to happen (e.g. deterministic / sourceNATing ?)
> Also are you in a home-gateway scenario a.k.a do you have inside & outside interfaces respectively for Y.Y.Y.Y and Z.Z.Z.Z / W.W.W.W or should those be reachable from all interfaces ?

If I used netfilter/iptables to explain, it would be more like this:

iptables -t nat -D PREROUTING -p tcp -s X.X.X.X -d Y.Y.Y.Y --dport 8080 -j DNAT --to-destination Z.Z.Z.Z:5566

When a (not X.X.X.X) source IP comes in, don't do any DNAT for that. Only do DNAT for src_IP=X.X.X.X.

I also need this for LAN devices to go out:
"iptables -t nat -A POSTROUTING -o WAN_INTERFACE -j MASQUERADE"

I only have two interfaces (named LAN, WAN).
X.X.X.X, X2.X2.X2.X2 will be device IPs outside WAN.
Y.Y.Y.Y will be WAN's IP.
Z.Z.Z.Z and W.W.W.W will be devices inside LAN.
And I want to re-use "--dport 8080".

Detail:

1. First I want to translate Y.Y.Y.Y:8080 mapping to Z.Z.Z.Z:5566 if source IP is X.X.X.X.
   Set up Static NAT rule "match source ip=X.X.X.X and translate dst ip and port from `Y.Y.Y.Y:8080` to `Z.Z.Z.Z:5566`"
   * X.X.X.X:* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> Z.Z.Z.Z:5566 (same as your description)
   * (not X.X.X.X):* -> Y.Y.Y.Y:8080: NAT will not do anything.

2. X.X.X.X establishes a connection to Z.Z.Z.Z:5566 with TCP. VPP will keep the session in the session tables and record the translated rule "Y.Y.Y.Y:8080 -> Z.Z.Z.Z:5566" and "source IP needs to be X.X.X.X:port_xx".
   So even if there is no rule, VPP will use the session to determine the translate rule first before searching the Static NAT rule. The TCP connection will not be closed or denied by the NAT function.

3. Remove the Static NAT rule after establishing the connection.
   Remove Static NAT rule "match source ip=X.X.X.X and translate dst ip and port from `Y.Y.Y.Y:8080` to `Z.Z.Z.Z:5566`"
   The TCP connection still needs to be kept. X.X.X.X:port_xx can still connect to Z.Z.Z.Z:5566 (same established connection).

4. I want to translate Y.Y.Y.Y:8080 mapping to W.W.W.W:1234 if source IP is X2.X2.X2.X2.
   Set up Static NAT rule "match source ip=X2.X2.X2.X2 and translate dst ip and port from `Y.Y.Y.Y:8080` to `W.W.W.W:1234`"
   * X2.X2.X2.X2:* -> Y.Y.Y.Y:8080 translated to X2.X2.X2.X2:* -> W.W.W.W:1234 (port overloading via conntrack if netfilter)
   * X.X.X.X:* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> Z.Z.Z.Z:5566 (X can still connect to Z, even if there is no Static NAT rule, if the session is kept. This translation rule will be stored in the session, not the Static NAT rule, until the TCP connection times out.)
   * (not X.X.X.X) or (not X2.X2.X2.X2):* -> Y.Y.Y.Y:8080: NAT will not do anything.

5. X2.X2.X2.X2 establishes a connection to W.W.W.W:1234 with TCP. VPP will keep the session in the session tables and record the translated rule "Y.Y.Y.Y:8080 -> W.W.W.W:1234" and "source IP needs to be X2.X2.X2.X2:port_xx2".
   So even if there is no rule, VPP will use the session to determine the translate rule first before searching the Static NAT rule. The TCP connection will not be closed or denied by the NAT function.

6. And so on.

---

For now, we can only do this in NAT ED mode:
(any ip):* -> Y.Y.Y.Y:8080 translated to (any ip):* -> W.W.W.W:1234
(we cannot limit a specific source IP to apply the NAT translation and deny other source IPs, which is a security issue)

Thanks and appreciate for your reply.

Regards,
Date

________________________________
From: Nathan Skrzypczak <nathan.skrzypc...@gmail.com>
Sent: September 30, 2020 3:17 PM
To: Date Huang <tjjh89...@hotmail.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] Static NAT rule only match specific source ip or port

Hi Date,

Sorry for the late reply, I'm not sure this will be supported by the existing NAT plugin but it might be doable with a few additions.

Just to be sure to understand your use case, you want to have the following translations happening :
* X.X.X.X:* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> Z.Z.Z.Z:5566
* (not X.X.X.X):* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> W.W.W.W:1234

Do you also need other NATing to happen (e.g. deterministic / sourceNATing ?)
Also are you in a home-gateway scenario a.k.a do you have inside & outside interfaces respectively for Y.Y.Y.Y and Z.Z.Z.Z / W.W.W.W or should those be reachable from all interfaces ?

Best,
-Nathan

On Mon, 28 Sep 2020 at 08:36, Date Huang <tjjh89...@hotmail.com> wrote:

Hi all

Is it possible to create a static NAT rule that matches source IP or source port, like the iptables command below?

iptables -t nat -D PREROUTING -p tcp -s X.X.X.X -d Y.Y.Y.Y --dport 8080 -j DNAT --to-destination Z.Z.Z.Z:5566

For security reasons, we want to allow only X.X.X.X to access port 8080. But we still need to re-use the 8080 port in ED mode.
1. create rule A for port 8080 mapping to Z.Z.Z.Z:5566 and establish a connection
2. after it is established, delete rule A; the connection needs to be kept.
3. and only allow X.X.X.X to access rule A
4. create rule B for port 8080 mapping to W.W.W.W:1234 and establish a connection
5. after it is established, delete rule B; both connections need to be kept.

Thanks a lot

Regards,
Date
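The lookup order the thread relies on (session table first, then static mappings) and the per-source-IP match on a static mapping that it asks for, as a constructed model added here; this is not VPP code or any poster's code, the `Mapping.src_ip` field is hypothetical, and the placeholder addresses are the thread's own. The last case contrasts the unrestricted out2in-only ED mapping that is possible today, which admits any source.

```python
# Constructed model (not VPP code) of the lookup order relied on in the thread:
# the session table is consulted before static mappings, so a mapping can be
# deleted once the connection is up and the session keeps translating it.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Mapping:
    ext_ip: str
    ext_port: int
    local_ip: str
    local_port: int
    src_ip: Optional[str] = None  # hypothetical: None = any source (plain out2in-only ED)

@dataclass
class Nat44Model:
    mappings: list = field(default_factory=list)
    sessions: dict = field(default_factory=dict)  # (src, sport, dst, dport) -> (local, lport)

    def out2in(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outside -> NAT-address packet; None means no translation."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.sessions:              # 1. an existing session wins
            return self.sessions[key]
        for m in self.mappings:               # 2. then static mappings, with the src match
            if (m.ext_ip, m.ext_port) == (dst_ip, dst_port) and m.src_ip in (None, src_ip):
                self.sessions[key] = (m.local_ip, m.local_port)
                return self.sessions[key]
        return None

def walk_through():
    """Steps 1-5 from the thread, using its placeholder addresses."""
    nat = Nat44Model()
    rule_a = Mapping("Y.Y.Y.Y", 8080, "Z.Z.Z.Z", 5566, src_ip="X.X.X.X")
    rule_b = Mapping("Y.Y.Y.Y", 8080, "W.W.W.W", 1234, src_ip="X2.X2.X2.X2")
    r = {}
    nat.mappings.append(rule_a)                                        # step 1
    r["x_connects"] = nat.out2in("X.X.X.X", 40000, "Y.Y.Y.Y", 8080)
    r["other_denied"] = nat.out2in("X2.X2.X2.X2", 40001, "Y.Y.Y.Y", 8080)
    nat.mappings.remove(rule_a)                                        # step 3
    r["x_kept"] = nat.out2in("X.X.X.X", 40000, "Y.Y.Y.Y", 8080)        # session survives
    r["x_new_flow"] = nat.out2in("X.X.X.X", 40002, "Y.Y.Y.Y", 8080)    # no rule, no session
    nat.mappings.append(rule_b)                                        # step 4
    r["x2_connects"] = nat.out2in("X2.X2.X2.X2", 40001, "Y.Y.Y.Y", 8080)
    r["x_still_kept"] = nat.out2in("X.X.X.X", 40000, "Y.Y.Y.Y", 8080)
    # Contrast: the unrestricted ED mapping that is possible today admits any source.
    open_nat = Nat44Model(mappings=[Mapping("Y.Y.Y.Y", 8080, "W.W.W.W", 1234)])
    r["anyone_in"] = open_nat.out2in("A.A.A.A", 1, "Y.Y.Y.Y", 8080)
    return r
```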
View/Reply Online (#17608): https://lists.fd.io/g/vpp-dev/message/17608