IPTables question

klussier at comcast.net
Thu Dec 15 18:23:00 EST 2005


 -------------- Original message ----------------------
From: Ben Scott <dragonhawk at gmail.com>
> On 12/15/05, klussier at comcast.net <klussier at comcast.net> wrote:
> > The client's IP address can change from, say, 192.168.0.3 to 192.168.0.54 (or
> > any other address, I'm just making these up), but the session to the server
> > needs to be maintained.
> 
>   I don't think that is possible with "off the shelf" IPTables.  I
> think you could do it with enough custom code, but not easily.

I thought that there was a way to do this with the state and connection tracking. But, like I said, I haven't touched iptables in quite some time.

> > The NAT box will know when the IP address changes and what the new
> > address is.
> 
>   How does it know that?

Through session signaling (possibly a SIP re-invite).
>   Can you explain what the situation is?

Possibly. Well, I can explain it to the best of my ability, that is. I don't completely understand some of this myself, so.....

There is client software running on the client system. That software talks to an app running on the NAT box. It uses SIP (I think) for signaling. When the IP address on the client changes, it sends a re-invite to the NAT box to tell it what the new IP address is. So, if the client, 192.168.1.3, is trying to connect to a web site, it goes to www.foo.com port 80. The client initiates it using port 1234 (making this up). It goes through the NAT box, and the NAT box sends it out using its external fixed address, 10.0.0.10, on port 5505. www.foo.com talks to the NAT box 10.0.0.10 on port 5505. So when the client changes IP addresses, www.foo.com needs to continue talking to the NAT box on port 5505, and the NAT box needs to send the packets to 192.168.1.4 now.

I hope that makes it more possible :-)

Thanks,
Kenny
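Added illustration, not part of the thread and not iptables code: a small Python model of the translation table Kenny describes. It keys state on the internal (ip, port) pair the way a per-connection NAT table does, which is why a client that silently moves to a new address is seen as a brand-new flow and gets a new external port. The `rehome()` step stands in for the re-invite and moves the existing state to the new internal address while keeping external port 5505. Addresses, ports and the `NatBox`/`Packet` names are taken from the mail or constructed here; `www.foo.com` is used as a stand-in for the server's address.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# An endpoint is an (ip, port) pair.
Endpoint = Tuple[str, int]


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint


@dataclass
class NatBox:
    """Toy stateful source NAT: one external port per internal (ip, port) pair."""
    external_ip: str
    next_port: int = 5505  # first external port handed out (constructed value)
    out_map: Dict[Endpoint, int] = field(default_factory=dict)  # internal -> ext port
    in_map: Dict[int, Endpoint] = field(default_factory=dict)   # ext port -> internal

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN -> Internet packet, creating state on first use."""
        port = self.out_map.get(pkt.src)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_map[pkt.src] = port
            self.in_map[port] = pkt.src
        return Packet(src=(self.external_ip, port), dst=pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an Internet -> LAN reply; None means no state, so it is dropped."""
        if pkt.dst[0] != self.external_ip:
            return None
        internal = self.in_map.get(pkt.dst[1])
        if internal is None:
            return None
        return Packet(src=pkt.src, dst=internal)

    def rehome(self, old: Endpoint, new: Endpoint) -> bool:
        """Move existing state to a new internal endpoint (the re-invite step).
        Refused when there is no state for `old` or `new` is already in use."""
        port = self.out_map.get(old)
        if port is None or new in self.out_map:
            return False
        del self.out_map[old]
        self.out_map[new] = port
        self.in_map[port] = new
        return True


def demo() -> dict:
    """Walk through the scenario from the mail: the client moves from .3 to .4
    mid-session; with an explicit rehome the external port stays 5505."""
    web = ("www.foo.com", 80)  # hostname stands in for the server address
    old_client = ("192.168.1.3", 1234)
    new_client = ("192.168.1.4", 1234)
    results = {}

    nat = NatBox(external_ip="10.0.0.10")
    out = nat.outbound(Packet(src=old_client, dst=web))
    results["external_port"] = out.src[1]                       # 5505
    reply = Packet(src=web, dst=out.src)                        # server -> 10.0.0.10:5505
    results["reply_before"] = nat.inbound(reply).dst            # -> 192.168.1.3:1234

    # Signaling says the client is now 192.168.1.4: move the state, keep the port.
    results["rehomed"] = nat.rehome(old_client, new_client)
    results["reply_after"] = nat.inbound(reply).dst             # -> 192.168.1.4:1234
    results["port_after_move"] = nat.outbound(
        Packet(src=new_client, dst=web)).src[1]                 # still 5505

    # A rehome for state that does not exist is refused.
    results["bogus_rehome"] = nat.rehome(("192.168.1.99", 4321), new_client)

    # Without a rehome a tuple-keyed table treats the moved client as a new flow.
    plain = NatBox(external_ip="10.0.0.10")
    plain.outbound(Packet(src=old_client, dst=web))             # takes 5505
    results["port_without_rehome"] = plain.outbound(
        Packet(src=new_client, dst=web)).src[1]                 # gets 5506
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `rehome()` call is the part stock connection tracking has no equivalent for, which is the gap Ben points at. Note that in this model whoever can deliver the re-invite decides where 10.0.0.10:5505 is forwarded, so on a real box that signaling path needs to be authenticated and limited to the host that owns the existing state, not just accepted from any LAN address.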


