On Thu, 28 May 2009, Jozsef Kadlecsik wrote:

> On Wed, 27 May 2009, Saatvik Agarwal wrote:
>
> > For my research project in school, I am trying to establish TCP
> > connections when both hosts are behind full-cone NATs using TCP's
> > simultaneous open functionality. Unfortunately, it seems that iptables
> > does not support TCP simultaneous open. For my test environment, I
> > simulate a full-cone NAT using iptables. My iptables rule is exactly
> > as follows:
> >
> > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> That rule cannot simulate full-cone NAT, because netfilter implements
> port-restricted cone NAT.

In order to describe the mapping and filtering behaviour of netfilter as
completely as possible, I have to add the following:

- According to the terminology of RFC 3489, netfilter implements port
  restricted cone NAT. If the --random flag is specified to the
  SNAT/MASQUERADE/... targets, it's better described as a symmetric NAT.

- According to the terminology of RFC 4787 and RFC 5382, netfilter implements
  - endpoint-independent mapping, if the --random flag is not specified to
    the SNAT/MASQUERADE/... targets, otherwise it's an address and
    port-dependent mapping.
  - address and port-dependent filtering.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
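As an added illustration of the classification given in the reply above (example code, not from the thread or the netfilter project), here is a small Python model that assumes exactly the RFC 4787 semantics Jozsef states and probes it the way a behaviour-discovery test would; all addresses and ports are constructed.

```python
from itertools import count

EXTERNAL_IP = "203.0.113.1"   # constructed public address of the NAT box

class NetfilterNat:
    """Model of netfilter SNAT/MASQUERADE behaviour in RFC 4787 terms (assumption:
    the semantics described in the reply above; real conntrack has more state)."""

    def __init__(self, random_ports=False):
        self.random_ports = random_ports   # models the --random flag
        self.mappings = {}                 # mapping key -> external port
        self.allowed = set()               # (external port, remote endpoint) seen outbound
        self._ports = count(1024)

    def _key(self, src, dst):
        # Without --random: endpoint-independent mapping, keyed on the internal endpoint.
        # With --random: address and port-dependent mapping, a fresh port per remote endpoint.
        return (src, dst) if self.random_ports else src

    def outbound(self, src, dst):
        """Internal src sends to remote dst; returns the external (ip, port) used."""
        key = self._key(src, dst)
        if key not in self.mappings:
            self.mappings[key] = next(self._ports)
        ext_port = self.mappings[key]
        # Filtering state: only this exact remote ip:port may now reach ext_port.
        self.allowed.add((ext_port, dst))
        return (EXTERNAL_IP, ext_port)

    def inbound(self, remote, ext_port):
        """Address and port-dependent filtering: a packet gets in only if this exact
        remote ip:port was already contacted from ext_port (full cone would accept any)."""
        return (ext_port, remote) in self.allowed

def classify(nat):
    """Probe a NAT model and name its mapping and filtering behaviour (RFC 4787)."""
    src = ("10.0.0.2", 40000)                                     # constructed internal host
    peer, other = ("198.51.100.7", 5000), ("198.51.100.9", 5000)  # constructed peers
    ext = nat.outbound(src, peer)
    mapping = ("endpoint-independent mapping" if nat.outbound(src, other) == ext
               else "address and port-dependent mapping")
    if nat.inbound(("192.0.2.33", 5000), ext[1]):
        filtering = "endpoint-independent filtering"          # full cone
    elif nat.inbound((peer[0], peer[1] + 1), ext[1]):
        filtering = "address-dependent filtering"             # restricted cone
    else:
        filtering = "address and port-dependent filtering"    # port-restricted cone
    return mapping, filtering
```

Running `classify` on `NetfilterNat()` and `NetfilterNat(random_ports=True)` reproduces the two cases listed in the reply: the mapping behaviour changes with --random, the filtering behaviour does not.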