Feed The Monster

NAT as a Service! (2016 April 09)

Background
All Research IT computational platforms (e.g., the CSF and the DPSF (nee Hydra)) are directly accessible from on-campus only, for very good security-related reasons. Users who wish to access the platforms from off-campus must use either the University VPN or our SSH gateways.

In fact, no direct network traffic at all is possible between our computational platforms and off-campus hosts, in either direction.
User Requirement
Increasingly, platform users wish to access datasets located off-campus as part of their computational work. This is commonly the case in bioinformatics work.
Solution: Network Address Translation as a Service!
We provide a Linux server that offers Network Address Translation as a Service. For example:
  • Connections come from campus-only hosts to a given port on the NATaaS host;
  • are DNATed to the required IP:port, e.g., port 3306 at Ensembl DB for its SQL service;
  • are SNATed to a public IP address and sent off-campus to the appropriate destination;
  • return traffic also passes through the NATaaS host.
Configuration Details
A minimal iptables configuration is given below ($IPT is the iptables binary; $EXTINT is the interface on which campus traffic arrives).
#!/bin/sh
IPT=/sbin/iptables
EXTINT=eth0   # interface on which campus traffic arrives: placeholder, set to the real one

echo 1 > /proc/sys/net/ipv4/ip_forward

# ------------------------------------------------------------------------------------------
# -- PRE/DNAT AND POST/SNAT :
# ------------------------------------------------------------------------------------------

# ensembldb.ensembl.org, 3306
#  -- aka ensembldb.sanger.ac.uk.
#  -- 193.62.203.187

# Log, then rewrite the destination of campus connections arriving on local port 3377
# so that they go to Ensembl's port 3306.
$IPT -t nat -A PREROUTING -p tcp -i $EXTINT --dport 3377 -j LOG --log-prefix "**DNAT:3377**"
$IPT -t nat -A PREROUTING -p tcp -i $EXTINT --dport 3377 -j DNAT --to 193.62.203.187:3306

# Log, then rewrite the source of the forwarded packets to the NATaaS host's public
# address so that Ensembl's replies come back through this host.
$IPT -t nat -A POSTROUTING -p tcp -d 193.62.203.187 --dport 3306 -j LOG --log-prefix "**SNAT:Ensemble**"
$IPT -t nat -A POSTROUTING -p tcp -d 193.62.203.187 --dport 3306 -j SNAT --to 130.88.97.228


# ------------------------------------------------------------------------------------------
# --  NATaaS FORWARDing :
# ------------------------------------------------------------------------------------------

# Only traffic for the one translated destination is handed to the NATAAS_FORWARDS chain.
# Return packets are not matched here: they depend on the FORWARD chain's default policy
# (or on an ESTABLISHED,RELATED rule) being permissive.
$IPT           -N NATAAS_FORWARDS
$IPT           -A FORWARD          -p tcp -d 193.62.203.187 --dport 3306  -j NATAAS_FORWARDS
$IPT -t filter -A NATAAS_FORWARDS  -j ACCEPT
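Added example, not part of the original page's configuration: a POSIX shell script that generalises the DNAT/SNAT/FORWARD steps above into a function emitting the rule set for any (local port, destination IP, destination port) mapping, and adds what the minimal config leaves to the host's defaults: a default-deny FORWARD policy, a conntrack rule for return traffic, and a campus-source restriction on the DNAT rule. The interface name, CAMPUS_NET range and nataas_* function names are assumptions; only 130.88.97.228 and the Ensembl address come from the page.

```shell
#!/bin/sh
# Added example, not the page's own config: print the iptables commands for one
# NATaaS mapping so they can be reviewed (and diffed) before being applied with
# "nataas_rules ... | sh". IPT, EXTINT and CAMPUS_NET are assumed placeholders.
IPT=${IPT:-/sbin/iptables}
EXTINT=${EXTINT:-eth0}                    # campus-facing interface (assumed)
CAMPUS_NET=${CAMPUS_NET:-130.88.0.0/16}   # campus source range (placeholder)
SNAT_IP=${SNAT_IP:-130.88.97.228}         # public address from the page's config

# One-time setup: forwarding on, FORWARD default-deny, and only the return
# traffic of connections this host admitted is let back through.
nataas_base() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -N NATAAS_FORWARDS"
    echo "$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# nataas_rules <local-port> <dest-ip> <dest-port> <label>
# Prints nothing and returns 1 if a port is out of range or the label contains
# whitespace, so a typo cannot produce a half-applied mapping.
nataas_rules() {
    lport=$1; dip=$2; dport=$3; label=$4
    for p in "$lport" "$dport"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    case $label in ''|*[[:space:]]*) return 1 ;; esac
    # Only campus sources arriving on the campus-facing interface are translated.
    pre="$IPT -t nat -A PREROUTING -p tcp -i $EXTINT -s $CAMPUS_NET --dport $lport"
    echo "$pre -j LOG --log-prefix \"**DNAT:$lport**\""
    echo "$pre -j DNAT --to-destination $dip:$dport"
    post="$IPT -t nat -A POSTROUTING -p tcp -d $dip --dport $dport"
    echo "$post -j LOG --log-prefix \"**SNAT:$label**\""
    echo "$post -j SNAT --to-source $SNAT_IP"
    # Forward only NEW connections to this one destination; anything else
    # falls through to the FORWARD DROP policy.
    echo "$IPT -A FORWARD -p tcp -s $CAMPUS_NET -d $dip --dport $dport" \
         "-m conntrack --ctstate NEW -j NATAAS_FORWARDS"
    echo "$IPT -t filter -A NATAAS_FORWARDS -p tcp -d $dip --dport $dport -j ACCEPT"
}

# Stand-alone run: print the complete rule set for the Ensembl mapping.
nataas_base
nataas_rules 3377 193.62.203.187 3306 Ensembl
```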