SixXS::Sunset 2017-06-06

Initiating an AICCU connection from a local fixed port
[fr] Shadow Hawkins on Thursday, 07 October 2010 14:08:11
Hi all, My server runs Debian Squeeze with no issue. In order to make clear firewalling rules at IPv4 level I wonder if AICCU can be forced to use a fixed outbound local port instead of a random one. Did I miss something in config options or elsewhere? Thanks, Laurent
[ch] Jeroen Massar SixXS Staff on Thursday, 07 October 2010 15:20:22
Which part of AICCU? It implements a number of separate protocols, most of which can not easily be thought to source from a specific port, especially as it is made for sitting behind a NAT in the first place.
[fr] Shadow Hawkins on Thursday, 07 October 2010 17:25:48
I was talking about AYIYA tunnels. Since the UDP tunnel is opened from a random port on the client to the remote endpoint on port 5072, I would also like to be able to connect from a predefined port on my client-side. This Debian server is forwarding a /64 subnet to my LAN and is behind an ethernet router connected to a residential NAT gateway.
[ch] Jeroen Massar SixXS Staff on Thursday, 07 October 2010 17:42:35
You can filter on the destination IP/port in that case, as that is fixed.
[fr] Shadow Hawkins on Thursday, 07 October 2010 18:07:14
It is indeed already done in RAW table (with a NOTRACK target) and in MANGLE table (with TOS targets) and accepted toward both directions in FILTER table. But as you will guess, I cannot set up the intermediate router to forward a random port back to the server. And the consequences I see are that some packets get lost, notably tunnel monitoring icmp6 echo-request/reply packets, possibly more. I'm about to examine this UDP tunnel traffic between the gateway and the router, btw.
[fr] Shadow Hawkins on Thursday, 07 October 2010 18:13:43
... I don't know where and how many UDP packets are lost, so I wanted to add a forward rule for a possible predefined client port to (hope so) circumvent the problem caused by the double-NAT operation. Maybe I'm wrong in this case.
[fr] Shadow Hawkins on Friday, 08 October 2010 10:51:18
Hm... tcpdump shows me that packets are probably sometimes dropped by my NAT gateway, since crossing or bypassing the second router doesn't change anything => More or less an average 10% ping loss in either direction (PoP <-> endpoint) during echo-request/reply with peaks up to 40%...
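
What a fixed local source port means at the socket level, as an added example that is not part of the thread and is not AICCU source code: a UDP client gets a predictable source port only if it calls bind() before connect(). The helper names, the loopback peer address (standing in for the PoP) and local port 15072 are assumptions made for the illustration; 5072 is the remote port named in the thread.

```c
/* Added illustration, not AICCU source code. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a UDP socket with a chosen local port (0 = kernel picks an ephemeral
 * one), connected to peer_ip:peer_port. Returns the fd, or -1 on error. */
int udp_open_fixed(const char *peer_ip, unsigned short peer_port,
                   unsigned short local_port)
{
    struct sockaddr_in local, peer;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(&local, 0, sizeof(local));
    local.sin_family = AF_INET;
    local.sin_addr.s_addr = htonl(INADDR_ANY);
    local.sin_port = htons(local_port);
    memset(&peer, 0, sizeof(peer));
    peer.sin_family = AF_INET;
    peer.sin_port = htons(peer_port);
    /* bind() must come before connect(): connect() on an unbound socket makes
     * the kernel pick an ephemeral port. bind() fails if the port is taken. */
    if (inet_pton(AF_INET, peer_ip, &peer.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&local, sizeof(local)) < 0 ||
        connect(fd, (struct sockaddr *)&peer, sizeof(peer)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Source port the kernel actually assigned to fd, or 0 on error. */
unsigned short udp_local_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return 0;
    return ntohs(sa.sin_port);
}

int main(void)
{
    int fd = udp_open_fixed("127.0.0.1", 5072, 15072); /* constructed values */
    printf("local port: %u\n", fd < 0 ? 0u : (unsigned)udp_local_port(fd));
    return fd < 0;
}
```

A port fixed this way is only what the first hop sees: a NAT device on the path may still rewrite the source port, so the gateway's outside port is not guaranteed to match.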


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker