lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:	Tue, 29 Aug 2006 10:07:48 +0200 (MEST)
From:	Jan Engelhardt <>
To:	Innocenti Maresin <>
cc:	LKML <>,
Subject: Re: Q: remapping IP addresses for inbound and outbound traffic


>The software of this box needs to connect all hosts in both networks, and
>also to receive inbound TCP connections.  The evident way is to "remap"
>overlapping IPv4 area of one network to some "place" not used neither in it
>nor in other.  This means that, when we receive a packet from remapped area,
>the kernel should replace the source IP to an "internal representaion". 
>Versa, sending something to "internally represented" IP the kernel should
>replace such IP by its external value.  I clarify these terms so carefully
>because in news:comp.os.linux.networking some people state that I "use terms
>in strange ways" :)
>The question is: how to do it? Please, don't say quicky "iproute2" and
>"RTFM".  Iproute2 can do such things when *forwarding* packets.  I need no
>forwarding at all, no *connection* between 2 networks.  I need only to
>*serve* both networks, such that some "external" IPs need to be replaced by
>internally used IP and versa.  All this at one Linux box. No forwarding
>traffic. Only inbound and outbound.

I am working on a small module doing something like that, changing IP 
addresses before the NAT code sees them, in mangle.

I still cannot get outgoing mangled packets (see command below) to reach 
their destination:

  iptables -t mangle -A POSTROUTING -d -j MAP \

ping and TCP packets seem to leave the box (tcpdump), but there are no 
responses (neither negative responses). The destination box's tcpdump also 
shows nothing.
netfilter list, am I missing something like recalculating IP checksums?

Jan Engelhardt
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

Powered by blists - more mailing lists