Feed The Monster
NAT as a Service! (2016 April 09)
- Background

All Research IT computational platforms (e.g., the CSF and DPSF (née Hydra)) are directly accessible from on-campus only, for very good security-related reasons. Users who wish to access the platforms from off-campus must use either the University VPN or our SSH gateways. In fact, no network traffic at all can pass directly between our computational platforms and off-campus hosts, in either direction.

- User Requirement
Increasingly, platform users wish to access data-sets located off-campus as part of their computational work. This is commonly the case in bioinformatics work.

- Solution: Network Address Translation as a Service!
We provide a Linux server which offers Network-Address-Translation-as-a-Service.
Example:
- Connections come from campus-only hosts to a given port on the NATaaS host;
- are DNATed to the required IP:port, e.g., port 3306 at the Ensembl DB host for its SQL service;
- are SNATed to a public IP address and directed off-campus to the appropriate destination;
- return traffic also goes through the NATaaS host, which reverses the translation.
- Configuration Details
A minimal iptables config is given below.

# Variables the post uses without defining; values here are assumed for illustration.
IPT=/sbin/iptables
EXTINT=eth0            # campus-facing interface on which client connections arrive

echo 1 > /proc/sys/net/ipv4/ip_forward
# ------------------------------------------------------------------------------------------
# -- PRE/DNAT AND POST/SNAT :
# ------------------------------------------------------------------------------------------
# ensembldb.ensembl.org, 3306
# -- aka ensembldb.sanger.ac.uk.
# -- 193.62.203.187
$IPT -t nat -A PREROUTING -p tcp -i $EXTINT --dport 3377 -j LOG --log-prefix "**DNAT:3377**"
$IPT -t nat -A PREROUTING -p tcp -i $EXTINT --dport 3377 -j DNAT --to 193.62.203.187:3306
$IPT -t nat -A POSTROUTING -p tcp -d 193.62.203.187 --dport 3306 -j LOG --log-prefix "**SNAT:Ensemble**"
$IPT -t nat -A POSTROUTING -p tcp -d 193.62.203.187 --dport 3306 -j SNAT --to 130.88.97.228
# ------------------------------------------------------------------------------------------
# -- NATaaS FORWARDing :
# ------------------------------------------------------------------------------------------
# Only traffic to the configured destination is allowed through the box; nothing else
# is forwarded.
$IPT -N NATAAS_FORWARDS
$IPT -A FORWARD -p tcp -d 193.62.203.187 --dport 3306 -j NATAAS_FORWARDS
$IPT -t filter -A NATAAS_FORWARDS -j ACCEPT
# Note: if the FORWARD chain's default policy is DROP, the return half of each flow
# (packets from 193.62.203.187 back to the client) also needs a conntrack rule such as
#   $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# otherwise only the outbound packets are forwarded.
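To make the packet path in the Example list and the config above concrete, here is a small model of the NATaaS host: a PREROUTING DNAT map, the NATAAS_FORWARDS allow-list, POSTROUTING SNAT, and the conntrack state that lets return traffic be mapped back to the campus client. This is an added illustration, not code from the original post or from Research IT. The public IP 130.88.97.228, the Ensembl DB address 193.62.203.187 and the 3377 to 3306 mapping are the post's values; the campus client address, the NATaaS campus-side address, the ephemeral SNAT port and the assumption of a default-DROP FORWARD policy are constructed for the example.

```python
"""
Toy model of the NATaaS packet path: nat/PREROUTING DNAT, filter/FORWARD
allow-list, nat/POSTROUTING SNAT, and the conntrack-driven reverse mapping
that brings return traffic back through the NATaaS host.  Added illustration,
not code from the original post.
"""
from dataclasses import dataclass, replace

# Values from the post
NATAAS_PUBLIC_IP = "130.88.97.228"
ENSEMBL_DB = "193.62.203.187"

# Constructed addressing (not from the post)
CAMPUS_CLIENT = "10.99.0.5"      # hypothetical CSF compute node
NATAAS_CAMPUS_IP = "10.99.0.1"   # hypothetical campus-facing address of the NATaaS host
FIRST_SNAT_PORT = 40000          # first ephemeral source port handed out by SNAT


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# nat PREROUTING: port the NATaaS host listens on -> real (ip, port)
DNAT_MAP = {3377: (ENSEMBL_DB, 3306)}
# filter FORWARD: NATAAS_FORWARDS only ACCEPTs these (ip, port) pairs; the model
# assumes (not stated in the post) that anything else in FORWARD is dropped.
FORWARD_ALLOW = {(ENSEMBL_DB, 3306)}
# nat POSTROUTING: flows to these destinations are SNATed to the public IP
SNAT_DESTS = {(ENSEMBL_DB, 3306)}


class NatHost:
    def __init__(self):
        # conntrack: (public_ip, snat_port) -> (client, client_port, nataas_ip, listen_port)
        self.conntrack = {}
        self._next_port = FIRST_SNAT_PORT

    def forward(self, pkt):
        """Packet arriving on the campus-side interface.  Returns the packet as it
        leaves towards the Internet, or None if it is not forwarded."""
        real_dst = (pkt.dst, pkt.dport)
        if pkt.dst == NATAAS_CAMPUS_IP and pkt.dport in DNAT_MAP:
            real_dst = DNAT_MAP[pkt.dport]            # PREROUTING DNAT rewrites the destination
        pkt2 = replace(pkt, dst=real_dst[0], dport=real_dst[1])
        if real_dst not in FORWARD_ALLOW:
            return None                               # not in the NATAAS_FORWARDS allow-list
        if real_dst in SNAT_DESTS:                    # POSTROUTING SNAT rewrites the source
            snat_port, self._next_port = self._next_port, self._next_port + 1
            self.conntrack[(NATAAS_PUBLIC_IP, snat_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            pkt2 = replace(pkt2, src=NATAAS_PUBLIC_IP, sport=snat_port)
        return pkt2

    def reverse(self, pkt):
        """Return packet arriving from off-campus.  Conntrack undoes the SNAT and the
        DNAT, so the client sees a reply from NATaaS:3377, not from the Ensembl host."""
        state = self.conntrack.get((pkt.dst, pkt.dport))
        if state is None:
            return None                               # unsolicited inbound: no state, dropped
        client, client_port, nataas_ip, listen_port = state
        return Packet(src=nataas_ip, sport=listen_port, dst=client, dport=client_port)


def demo():
    """One Ensembl flow (outbound + return), one blocked destination, one stray inbound."""
    host = NatHost()
    out = host.forward(Packet(CAMPUS_CLIENT, 51234, NATAAS_CAMPUS_IP, 3377))
    back = host.reverse(Packet(ENSEMBL_DB, 3306, NATAAS_PUBLIC_IP, FIRST_SNAT_PORT))
    blocked = host.forward(Packet(CAMPUS_CLIENT, 51235, "198.51.100.7", 443))  # not an allowed destination
    stray = host.reverse(Packet(ENSEMBL_DB, 3306, NATAAS_PUBLIC_IP, FIRST_SNAT_PORT + 1))
    return out, back, blocked, stray


if __name__ == "__main__":
    for label, p in zip(("outbound", "return", "blocked", "stray"), demo()):
        print(f"{label:8s} {p}")
```

The model shows why the post's "return traffic also goes through the NATaaS host" holds: the Ensembl server only ever sees 130.88.97.228, so its replies can only come back to the NATaaS box, and only a flow with a conntrack entry is mapped back to a campus client. It also shows the allow-list effect of the NATAAS_FORWARDS chain: a campus host cannot use the box to reach an arbitrary off-campus address.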