I just read this message by Mark Andrews on the BIND mailing list. It explains the possible issues with DNSSEC and over-protective firewalls, giving test commands to verify your setup. This post is also interesting for regular DNS traffic, since a firewall doesn’t know the difference.
Posts tagged ‘NAT’
When doing some research on the different tables in iptables, I was trying to figure out in what order the tables are traversed. Obviously PREROUTING happens before POSTROUTING, but it becomes more difficult to figure out whether mangle happens before or after nat.
I found a post which links to this overview:
IPv6 is, big surprise, the new version of IP. The current Internet runs on IPv4, which has some drawbacks. In practice, both versions do the same thing: they allow connections from one host to another host. Technically, however, there are some major differences, most notably the enlarged address space. For the moment, most hosts will run a dual-stack configuration.
I decided that it was time to implement IPv6 on my home network and get an IPv6 connection to the IPv6 Internet.
Recently I had to configure a router serving as an IPsec-GRE endpoint. So far, nothing special. The interesting part is that the terminating router is behind a NAT device which changes the outer IP header of the IPsec tunnel. Of course, the GRE header is NOT affected by the NAT (since it is encrypted).
To summarize, the device needs to:
- terminate an IPsec tunnel between 172.16.2.2 <-> 10.0.0.4 (its own IP); but authenticate as 172.16.2.4
- terminate a GRE tunnel between 172.16.1.1 <-> 172.16.2.4 (a public IP that is NATed towards it)
The diagram is shown below:
172.16.x.x addresses are “public”; 10.x.x.x are private.
Continue reading ‘Terminating an IPsec-GRE tunnel behind NAT’ »

