Re: Unmatchable packet?

-----Original Message-----
From: Philip Craig <philipc@xxxxxxxxxxxx>
Subject: Re: Unmatchable packet?

> On 11/23/2005 11:46 AM, Jesse Gordon wrote:
> > I actually want to rewrite the source IP of TCP packets that exit a given 
> > ethernet card -- even (especially) if they are generated as responses 
> > to incoming connections to the box.
[Snip] 

> You can't do this with iptables.  NAT rules only match the first packet
> of a connection, and the NAT mapping that is determined for that first
> packet is applied to all subsequent packets in that connection.
> 
> Furthermore, it doesn't make sense to do this.  The client will receive
> packets from your arbitrarily assigned source address, but will not know
> what to do with them since it never sent any packets to that address,
> and so it will just drop them.

Ahh, thanks! Can't be done. That explains my lack of success!

I agree -- to do as my little example showed would be useless -- but my
real goal is to route the reply traffic via a different route than the
request traffic -- I already got it to send the replies out a different
network interface than the requests came in, but I haven't yet figured out
how to rewrite the source address of the replies.

I only simplified the example so that no other unneeded data would
obfuscate what I was saying.

By using a second box with iptables as an in-between gateway, or with proxy
arp filtering or ethernet bridging, I could probably do exactly what I
want. Perhaps I'll see what ebtables can do for me.

I don't quite understand why iptables wouldn't be able to match just any
packet going into or out of any given network card, regardless of whether
it was related to any other packet or not.

I may be a little confused. It seems to me that my experiments showed that
the act of permitting a certain packet criteria to exit a specified
ethernet port does not inherently permit the responses for that connection
back in. It seems to me that I had to either tell it to allow related in,
or specifically allow the replies back. I'll check into it more.

Thanks very much!

-Jesse Gordon
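The two behaviours discussed in this thread (the nat table being consulted only for the first packet of a connection, with that mapping then applied to every later packet, and a stateful filter not letting replies back in until an ESTABLISHED match is added) as an added toy model. It is not part of the original thread and not netfilter's code: the addresses, ports and the `Packet`, `Conntrack`, `input_filter` and `client_accepts` names are constructed for the example, and the model leaves out TCP flags, timeouts and RELATED helpers.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Tuple4 = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def key(self) -> Tuple4:
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class ConnEntry:
    orig: Tuple4        # tuple as first seen on the outgoing path
    mapped_src: str     # SNAT decision taken for the first packet


class Conntrack:
    """Constructed stand-in for conntrack plus the nat table (not kernel code)."""

    def __init__(self, snat_rules: List[Tuple[Callable[[Packet], bool], str]]):
        self.snat_rules = snat_rules
        self.entries: Dict[Tuple4, ConnEntry] = {}
        self.nat_lookups = 0  # how many times the nat table was consulted

    def postrouting(self, pkt: Packet) -> Packet:
        """Outgoing: nat table evaluated for the first packet only, then reused."""
        entry = self.entries.get(pkt.key())
        if entry is None:
            self.nat_lookups += 1
            mapped = pkt.src
            for match, new_src in self.snat_rules:
                if match(pkt):
                    mapped = new_src
                    break
            entry = self.entries[pkt.key()] = ConnEntry(pkt.key(), mapped)
        return Packet(entry.mapped_src, pkt.sport, pkt.dst, pkt.dport)

    def _entry_for_reply(self, pkt: Packet) -> Optional[ConnEntry]:
        for e in self.entries.values():
            o_src, o_sport, o_dst, o_dport = e.orig
            if pkt.key() == (o_dst, o_dport, e.mapped_src, o_sport):
                return e
        return None

    def state(self, pkt: Packet) -> str:
        """Incoming: ESTABLISHED only if the packet answers a tracked tuple."""
        return "ESTABLISHED" if self._entry_for_reply(pkt) else "NEW"

    def prerouting_denat(self, pkt: Packet) -> Packet:
        """Reverse-translate a reply back to the original internal source."""
        e = self._entry_for_reply(pkt)
        return Packet(pkt.src, pkt.sport, e.orig[0], pkt.dport) if e else pkt


def input_filter(ct: Conntrack, pkt: Packet, accept_established: bool) -> str:
    """INPUT chain with policy DROP; the flag stands for an explicit
    '-m state --state ESTABLISHED,RELATED -j ACCEPT' rule."""
    if accept_established and ct.state(pkt) == "ESTABLISHED":
        return "ACCEPT"
    return "DROP"


def client_accepts(sock: Tuple4, pkt: Packet) -> bool:
    """A connected client socket only takes segments matching its own 4-tuple."""
    c_src, c_sport, c_dst, c_dport = sock
    return pkt.key() == (c_dst, c_dport, c_src, c_sport)


def demo_nat_first_packet_only() -> Tuple[int, List[str]]:
    """Swap the SNAT rule mid-connection: the first packet's mapping still wins."""
    ct = Conntrack([(lambda p: p.dst.startswith("203.0.113."), "198.51.100.1")])
    flow = [Packet("10.0.0.5", 40000, "203.0.113.9", 80)] * 3  # constructed flow
    seen = [ct.postrouting(flow[0]).src]
    ct.snat_rules = [(lambda p: True, "198.51.100.2")]  # rule changed after packet 1
    seen += [ct.postrouting(p).src for p in flow[1:]]
    return ct.nat_lookups, seen


def demo_reply_handling() -> Dict[str, str]:
    """Replies need the state rule; unrelated packets still hit the DROP policy."""
    ct = Conntrack([(lambda p: True, "198.51.100.1")])
    ct.postrouting(Packet("10.0.0.5", 40000, "203.0.113.9", 80))
    reply = Packet("203.0.113.9", 80, "198.51.100.1", 40000)
    stray = Packet("203.0.113.9", 80, "198.51.100.1", 40001)  # not a tracked reply
    return {"reply_no_state_rule": input_filter(ct, reply, False),
            "reply_state_rule": input_filter(ct, reply, True),
            "stray_state_rule": input_filter(ct, stray, True),
            "reply_denatted_to": ct.prerouting_denat(reply).dst}


def demo_client_drops_rewritten_source() -> Tuple[bool, bool]:
    """A client connected to 198.51.100.1:443 ignores a reply from another source."""
    sock = ("192.0.2.10", 51000, "198.51.100.1", 443)
    return (client_accepts(sock, Packet("198.51.100.1", 443, "192.0.2.10", 51000)),
            client_accepts(sock, Packet("198.51.100.7", 443, "192.0.2.10", 51000)))
```

`demo_nat_first_packet_only` returns one nat lookup and the same mapped source for all three packets even though the rule set changed in between, which is the "NAT rules only match the first packet" behaviour. `demo_reply_handling` shows the reply being dropped until the state rule is present, while an unrelated packet stays dropped; `demo_client_drops_rewritten_source` is the client-side reason a per-packet source rewrite could not work even if the firewall allowed it.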
