Wednesday, July 27, 2016

Destination NAT with Action Redirect

Each of the actions you can set on a NAT rule performs a more complex function in the background. The masquerade action, for instance, replaces the source IP with the router's public (outgoing) IP, while destination NAT replaces the destination IP address or port with a different destination IP address or port. There is another useful action called "redirect" that is often used for certain applications.

Consider an example. You operate a network and use your upstream provider's DNS servers for your customers. Many of your customers have static IPs and static DNS entries. For whatever reason, the decision is made to change upstream providers; however, your current provider does not allow DNS resolution from IPs outside its network. Obviously you could use a NAT rule with masquerade to masquerade the old provider's public IPs and treat them as private IPs while you transition to the new provider, but what about the static DNS entries? This is where the redirect action can step in.

Think of redirect as a transparent NAT: it transparently applies a NAT action to packets based on matching criteria. The other important thing to remember about a redirect rule is that it "captures" the traffic and processes it on the router itself. This is a different action from a destination NAT rule with an action of destination NAT.

To summarize the difference between these two types of rules, think of it like this: a NAT rule with an action of destination NAT sends the traffic to a host, while a destination NAT rule with an action of redirect "captures" the traffic and processes it on the router.

Getting back to our example, we can remedy the DNS issue by capturing the DNS requests on the router and processing them there using the router's internal caching DNS server. We will discuss caching DNS later in this book, but for now let it suffice to say that we have already configured caching DNS on the router and it is able to resolve DNS requests using the new provider's DNS servers. In this case, simply create a new destination NAT rule with matchers for protocol TCP, port 53, and an action of redirect to port 53. The second rule we need is a duplicate of the first with a protocol of UDP. These two rules will capture all DNS requests trying to reach our old provider's DNS servers and answer them on the router itself. We can then take our time transitioning the network's IPs to the new provider's.

Another example of using redirect is to create a transparent proxy. If you aren't familiar with proxy servers (the most popular one is called Squid), their function is to accept web requests (HTTP traffic) and then proxy those requests to the public network. The fetched pages may be stored in memory or on disk for later serving to proxy clients. This speeds up network access, enables access rules that restrict use of the Internet, gives the ability to redirect web pages, and provides many other useful functions described later in this book under the IP Web Proxy function.

If we want this function applied without the knowledge of our clients or users and without any intervention on their part, again a redirect rule is the answer. In this scenario, create a new destination NAT rule matching protocol TCP, port 80, with an action of redirect to port 8080 (or whatever port we have IP Web Proxy running on at the router). Once configured, all HTTP requests to the Internet will be intercepted at the router and handled by the proxy server.
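The two scenarios above, written out as RouterOS terminal commands. This is an added example, not configuration from the original post; the interface names (ether1-wan, ether2-lan), the old and new provider resolver addresses and the comments are constructed placeholders. The example also goes slightly beyond the text by restricting the redirect rules to the LAN interface and the old resolver addresses, and by dropping DNS and proxy traffic arriving from the WAN, so that enabling remote DNS requests on the router does not turn it into an open resolver or open proxy.

```routeros
# Added example (not from the original post). Interface names and IP addresses
# below are constructed placeholders, not values taken from the page.

# Caching DNS on the router, forwarding to the NEW provider's resolver.
# (203.0.113.10 is a placeholder for the new provider's DNS server.)
/ip dns set allow-remote-requests=yes servers=203.0.113.10

# Scenario 1: capture DNS bound for the OLD provider's resolver and answer it locally.
# in-interface and dst-address keep the rule from matching DNS packets that arrive
# on the WAN side; 198.51.100.53 is a placeholder for the old provider's resolver.
/ip firewall nat add chain=dstnat in-interface=ether2-lan dst-address=198.51.100.53 protocol=tcp dst-port=53 action=redirect to-ports=53 comment="Redirect TCP DNS for old provider to router"
/ip firewall nat add chain=dstnat in-interface=ether2-lan dst-address=198.51.100.53 protocol=udp dst-port=53 action=redirect to-ports=53 comment="Redirect UDP DNS for old provider to router"

# allow-remote-requests=yes makes the router answer DNS for anyone who can reach it,
# so drop DNS arriving on the WAN interface (input chain) to avoid an open resolver.
/ip firewall filter add chain=input in-interface=ether1-wan protocol=udp dst-port=53 action=drop comment="No DNS service from WAN"
/ip firewall filter add chain=input in-interface=ether1-wan protocol=tcp dst-port=53 action=drop comment="No DNS service from WAN"

# Scenario 2: transparent web proxy for cleartext HTTP on port 80.
/ip proxy set enabled=yes port=8080
/ip firewall nat add chain=dstnat in-interface=ether2-lan protocol=tcp dst-port=80 action=redirect to-ports=8080 comment="Transparent proxy for LAN HTTP"

# Keep the proxy port itself unreachable from the WAN side.
/ip firewall filter add chain=input in-interface=ether1-wan protocol=tcp dst-port=8080 action=drop comment="No proxy service from WAN"

# Check what the rules are doing: packet and byte counters show whether traffic is
# actually being captured.
/ip firewall nat print stats
```

Two things worth keeping in mind when using this: the redirect rules match only what their matchers name, so HTTPS on port 443 and DNS sent to any resolver other than 198.51.100.53 pass through untouched, and a redirect rule without an in-interface or dst-address restriction would also match packets entering from the WAN, which is why the input-chain drops are paired with the NAT rules here.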
