NetBSD-Users archive


Re: ipnat on same interface?



On Thu, 06 Jan 2011 23:12 +0100, "Lars-Johan Liman"
<liman%autonomica.se@localhost> wrote:
> Has anyone succeeded in configuring ipnat to do NAT/port forwarding
> to/from the same network interface? I have a service where I want to
> have a single frontend machine with a public IP address, and I want to
> avoid disclosing the public IP addresses of the actual (say three)
> machines that actually perform the service. I want to distinguish the
> actual machines by selecting ports on the frontend machine. The frontend
> machine only has one interface, so the packets need to go in and out
> through the same interface.

not sure whether you're talking ipf or pf here, but I suspect it's the
same answer for both - you can't do NAT in both directions on the same
interface.  There apparently is a method to set up this by bouncing
traffic via lo0 but I've only seen it mentioned as an aside without
details, sorry ... 

routing Internet traffic via lo0 is an ... interesting ... security
position as well ... :)

How much traffic are you talking about through this host?  If it's
fairly minimal, you may want to look at other application-level proxying
solutions, such as inetd+netcat or inetd+socat or a web-based reverse
proxy (squid is probably too heavy weight for this, but there are other
tools that are out there)

hope that helps ... 

-- 
Malcolm Herbert                                This brain intentionally
mjch%mjch.net@localhost                        left blank
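The inetd+socat relay suggested in the reply, written out as an added example (not from the thread): each chosen port on the single-interface frontend is handed by inetd(8) to a socat process that relays to one backend, so clients only ever see the frontend address. It assumes pkgsrc socat at /usr/pkg/bin/socat, that inetd accepts a numeric port as the service name, and the constructed backend addresses 10.0.0.11 to 10.0.0.13.

```shell
#!/bin/sh
# Added example, not code from the thread: emit inetd.conf entries that make a
# one-interface frontend relay a frontend port to a backend host:port via socat.
# Assumptions: socat from pkgsrc at /usr/pkg/bin/socat; inetd accepts a numeric
# port as the service name; the backend addresses below are constructed.

SOCAT=/usr/pkg/bin/socat
RUNAS=nobody            # the relay needs no privileges, so inetd runs it unprivileged

# is_port N: true if N is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# proxy_rule FRONTPORT BACKHOST BACKPORT
# Prints one inetd.conf line; prints nothing and returns 1 on bad input, so a
# mistyped mapping never reaches the config file.
proxy_rule() {
    front=$1 host=$2 back=$3
    is_port "$front" || { echo "bad frontend port: $front" >&2; return 1; }
    is_port "$back"  || { echo "bad backend port: $back" >&2; return 1; }
    case "$host" in
        ''|*[!A-Za-z0-9.-]*) echo "bad backend host: $host" >&2; return 1 ;;
    esac
    # nowait: inetd forks one socat per accepted connection; STDIO gives socat
    # the accepted socket, and it opens the backend and relays both directions.
    printf '%s stream tcp nowait %s %s socat STDIO TCP:%s:%s\n' \
        "$front" "$RUNAS" "$SOCAT" "$host" "$back"
}

# gen_rules: one frontend port per backend machine (constructed sample mapping)
gen_rules() {
    proxy_rule 8081 10.0.0.11 80 &&
    proxy_rule 8082 10.0.0.12 80 &&
    proxy_rule 8083 10.0.0.13 80
}

# Usage: sh relay.sh print >> /etc/inetd.conf, then send inetd a SIGHUP.
if [ "${1:-}" = "print" ]; then
    gen_rules
fi
```

Because every relayed connection is a fresh TCP session from the frontend, the backends see the frontend's address rather than the client's, so keep client logging on the frontend.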
