NAT only - No connection tracking

On Mon, 2002-11-11 at 20:21, Brad Chapman wrote:
> 
> Basically, if this person wants to do NAT, he has to do connection tracking as well.
> LYSB, he doesn't have to run ctrack without NAT, but without ctrack the current
> implementation of NAT in netfilter won't work. If there are other stateless NAT
> kernel implementations available that attach to netfilter, then I am currently
> unaware of them.
> 
Hi Brad & Antony,

There is one other way to do NAT without connection tracking - this is
even possible on 2.2 kernels. There is some NAT functionality in the
routing code (policy routing, advanced routing).

This is a form of NAT where only the IP addresses in the IP header
are changed, no data inside the packet payload is inspected or changed.
Also, there is no automatic retranslation of return packets, like with
iptables.

The syntax is a little different and takes some time to get used to;
basically you get something like this:

ip rule add from 192.168.1.32/27 nat 10.1.1.32 prio 14000
ip route add nat 10.1.1.32/27 via 192.168.1.32

to set up NAT rules.

For more info, see the iproute documentation. I can also recommend
the book "Policy Routing with Linux" by Matthew G. Marsh, who is also
a contributor on this list.

The book is being released online at http://www.policyrouting.org/,
but is definitely worth the buy.

Regards,
Filip
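The two properties Filip points out, header-only rewriting and no automatic retranslation of return packets, are easy to lose sight of when coming from iptables. The following is an added example (not from the post, the list, or iproute2) that models the semantics of the two quoted commands as pure functions: a prefix-preserving 1:1 rewrite of one IP header field per rule, with no state between packets. The rule tuple shape, the packet dict layout, and the sample traffic are constructed for illustration.

```python
import ipaddress

# Constructed model of the two iproute2 commands quoted in the post:
#   ip rule add from 192.168.1.32/27 nat 10.1.1.32 prio 14000
#   ip route add nat 10.1.1.32/27 via 192.168.1.32
# Both networks are assumed to be /27 so that the mapping is 1:1.
INSIDE = ipaddress.ip_network("192.168.1.32/27")
OUTSIDE = ipaddress.ip_network("10.1.1.32/27")

# Hypothetical rule shape: (header field to rewrite, matching network, replacement network)
EGRESS_RULE = ("src", INSIDE, OUTSIDE)    # models the 'ip rule ... nat' line
INGRESS_ROUTE = ("dst", OUTSIDE, INSIDE)  # models the 'ip route add nat' line


def translate_address(addr, from_net, to_net):
    """Map addr from from_net into to_net, keeping the host bits.

    This is the prefix-preserving rewrite that stateless 1:1 NAT performs on
    the IP header. An address outside from_net is returned unchanged.
    """
    a = ipaddress.ip_address(addr)
    if a not in from_net:
        return a
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT needs equal prefix lengths")
    host_bits = int(a) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


def apply_nat(packet, rules):
    """Apply each rule to one packet and return the rewritten copy.

    The packet is a plain dict: {"src", "dst", "payload"}. No state is kept
    between packets, so a reply is only translated if a rule matching it is
    present; nothing remembers the outbound translation.
    """
    out = dict(packet)
    for field, from_net, to_net in rules:
        out[field] = str(translate_address(out[field], from_net, to_net))
    return out  # "payload" is never touched: no application-layer inspection


if __name__ == "__main__":
    # Constructed sample traffic: an inside host talks to an external server
    # and embeds its own address in the payload (FTP PORT style).
    request = {"src": "192.168.1.40", "dst": "203.0.113.5",
               "payload": "PORT 192,168,1,40,4,1"}
    reply = {"src": "203.0.113.5", "dst": "10.1.1.40", "payload": "200 OK"}

    print("request, egress rule    :", apply_nat(request, [EGRESS_RULE]))
    print("reply, egress rule only :", apply_nat(reply, [EGRESS_RULE]))
    print("reply, both rules       :", apply_nat(reply, [EGRESS_RULE, INGRESS_ROUTE]))
```

Running it shows the outbound source becoming 10.1.1.40 while the embedded "192,168,1,40" in the payload stays as it was (so protocols that carry addresses in-band need a helper that this kind of NAT does not provide), and the reply to 10.1.1.40 is only mapped back to 192.168.1.40 when the second, explicit `nat` route is present.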
