Allow generic MASQUERADE rules without corresponding DNAT rules #131

Closed
mrash opened this Issue Sep 10, 2014 · 3 comments


@mrash
Owner
mrash commented Sep 10, 2014

Currently fwknopd supports the iptables MASQUERADE target, but only if DNAT rules are also used. A use case reported by "spartan1833" to the fwknop mailing list is to have fwknopd gate communications that would otherwise be forwarded through a gateway. So, internal clients would have their default gateway set to the internal IP of the system running fwknopd, and would only be allowed to send packets through the gateway after producing a valid SPA packet. The main problem before this issue is closed is that currently NAT operations are applied to IP packets that are sent directly to the gateway IP where fwknopd is running. What needs to be changed is the ability for clients to send packets to arbitrary destination IPs (and therefore DNAT is not needed) and have fwknopd manage MASQUERADE accept rules.
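Added example, not fwknop's own code: a shell sketch of the gateway ruleset the use case above calls for, where forwarding stays closed until SPA and the per-client MASQUERADE rule is keyed on source address only, so no DNAT rule is involved. Interface names, network and the SPA_FORWARD/SPA_MASQ chain names are assumptions.

```shell
#!/bin/sh
# Constructed illustration (not fwknop code) of the iptables layout the issue
# describes: internal clients default-route via the fwknopd host, forwarding is
# closed until a valid SPA packet, and MASQUERADE is applied per SPA client for
# any destination, so no DNAT rule is involved. Names below are assumed.
set -eu

EXT_IF="${EXT_IF:-eth0}"                # assumed upstream interface
INT_IF="${INT_IF:-eth1}"                # assumed internal interface
INT_NET="${INT_NET:-10.0.0.0/24}"       # assumed internal client network
FWD_CHAIN="${FWD_CHAIN:-SPA_FORWARD}"   # assumed filter chain for SPA clients
MASQ_CHAIN="${MASQ_CHAIN:-SPA_MASQ}"    # assumed nat chain for SPA clients

# Base policy in iptables-restore syntax. Nothing is forwarded or masqueraded
# until a per-client rule lands in one of the two SPA chains.
base_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
:${FWD_CHAIN} - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${INT_IF} -o ${EXT_IF} -s ${INT_NET} -j ${FWD_CHAIN}
COMMIT
*nat
:${MASQ_CHAIN} - [0:0]
-A POSTROUTING -o ${EXT_IF} -s ${INT_NET} -j ${MASQ_CHAIN}
COMMIT
EOF
}

# Commands that open the gateway for one client after a valid SPA packet:
# a FORWARD accept plus a MASQUERADE rule matched on source address only,
# leaving the destination free (the "DNAT not needed" case from the issue).
spa_accept_cmds() {
    printf '%s\n' \
        "iptables -I ${FWD_CHAIN} -s $1 -j ACCEPT" \
        "iptables -t nat -I ${MASQ_CHAIN} -s $1 -j MASQUERADE"
}

# Mirror-image removal for when the client's access window expires.
spa_expire_cmds() {
    spa_accept_cmds "$1" | sed 's/ -I / -D /'
}

# Usage: ./masq-gate.sh [--apply]   (--apply needs root and ip_forward=1)
if [ "${1:-}" = "--apply" ]; then
    base_rules | iptables-restore --noflush
else
    base_rules
fi
```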

@mrash mrash self-assigned this Sep 10, 2014
@mrash
Owner
mrash commented Jan 17, 2015

Commit 6b7a3bb makes significant progress on this feature. More coming on this.

@mrash
Owner
mrash commented Apr 7, 2015

This feature is nearly complete with 8e6db3a.

@mrash
Owner
mrash commented Apr 18, 2015

This feature is now complete for the upcoming 2.6.6 release.

@mrash mrash closed this Apr 18, 2015