hi, Chemko

Thank you. I have found some information in the netfilter Documentation. I have also read some of the netfilter code.

In the Documentation NAT HOWTO:
--------------------
Implicit Source Port Mapping

Even when no NAT is requested for a connection, source port translation may occur implicitly, if another connection has been mapped over the new one. Consider the case of masquerading, which is rather common:

A web connection is established by a box 192.1.1.1 from port 1024 to www.netscape.com port 80. This is masqueraded by the masquerading box to use its source IP address (1.2.3.4).

The masquerading box tries to make a web connection to www.netscape.com port 80 from 1.2.3.4 (its external interface address) port 1024.

The NAT code will alter the source port of the second connection to 1025, so that the two don't clash.

When this implicit source mapping occurs, ports are divided into three classes:

Ports below 512
Ports between 512 and 1023
Ports 1024 and above.

A port will never be implicitly mapped into a different class.
--------------------

In the source code of netfilter:
--------------------
ip_nat_proto_tcp.c, function tcp_unique_tuple(); the function handles the problem.
--------------------

Thanks.
Chen Jian.

-----Original Message-----
From: Daniel Chemko [mailto:dchemko@xxxxxxxxxx]
Sent: Friday, 2003 09 26 AM 06:38
To: Chen Jian; netfilter@xxxxxxxxxxxxxxxxxxx
Subject: RE: a problem about NAT.

To my knowledge, you can't have more than one Src,SrcPort,Dst,DstPort match, so if they simultaneously connect to the same destination with the same source, it won't work. I am not sure what Linux would do in such circumstances. One idea would be to write a helper application that uses other information in the packet's Layer 7 data to distinguish between the three connections. But if it happens to be three HTTP connections, there isn't any 'DNA' that can be used to tell the three ports apart.

This can all be found in ip_conntrack.c and ip_conntrack_proto_tcp.c or ip_conntrack_proto_udp.c. The NAT portion only kicks in after CONNTRACK, so if CONNTRACK can't handle it, NAT won't either. Your only solution may be to have each client connecting to the destination on different (hard coded?) IP addresses.

-----Original Message-----
From: Chen Jian [mailto:ChenJ@xxxxxxxxxxxxx]
Sent: Wednesday, September 24, 2003 7:08 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: a problem about NAT.

hi, all

There are 3 machines behind the NAT server. When the 3 machines request the same Web server outside, NAT uses 3 different source ports to distinguish the 3 connections. My problem is, when the 3 machines have the same source port, how does netfilter handle it? I also want to know where the handling code is.

Thanks.
--
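The port-class-preserving implicit source mapping that the NAT HOWTO excerpt above describes, as an added C example that is not part of this thread and is not netfilter's tcp_unique_tuple(): the mapping table, the IP values and the helper names are constructed for illustration.

```c
/* Added example, not netfilter kernel code: models the port-class-preserving
 * source-port selection described in the NAT HOWTO. Table contents and
 * helper names are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

struct tuple { uint32_t src, dst; uint16_t sport, dport; };

/* The three classes from the HOWTO: [1,511], [512,1023], [1024,65535]. */
static void port_class(uint16_t port, uint16_t *lo, uint16_t *hi)
{
    if (port < 512)       { *lo = 1;    *hi = 511;   }
    else if (port < 1024) { *lo = 512;  *hi = 1023;  }
    else                  { *lo = 1024; *hi = 65535; }
}

/* 1 if an identical (src, sport, dst, dport) mapping already exists. */
static int tuple_used(const struct tuple *tab, int n, const struct tuple *t)
{
    for (int i = 0; i < n; i++)
        if (tab[i].src == t->src && tab[i].dst == t->dst &&
            tab[i].sport == t->sport && tab[i].dport == t->dport)
            return 1;
    return 0;
}

/* Return the source port that makes t unique among tab, or 0 if every port
 * in the class is taken. Walks upward from the requested port and wraps
 * within the class, so the port never leaves its class. */
uint16_t unique_sport(const struct tuple *tab, int n, struct tuple t)
{
    uint16_t lo, hi;
    port_class(t.sport, &lo, &hi);
    for (uint32_t tries = 0; tries <= (uint32_t)(hi - lo); tries++) {
        if (!tuple_used(tab, n, &t))
            return t.sport;
        t.sport = (t.sport == hi) ? lo : (uint16_t)(t.sport + 1);
    }
    return 0;
}

int main(void)
{
    /* Constructed: 1.2.3.4:1024 -> 10.0.0.1:80 is already masqueraded. */
    struct tuple tab[] = { { 0x01020304u, 0x0a000001u, 1024, 80 } };
    struct tuple want = { 0x01020304u, 0x0a000001u, 1024, 80 };
    printf("second connection mapped to source port %u\n", unique_sport(tab, 1, want));
    return 0;
}
```

With the HOWTO's scenario the second connection lands on 1025; a clash on 1023 wraps to 512 rather than crossing into the 1024+ class.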