Fwd: IPTables and different types of NAT

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I still don't have a clear answer whether it is possible or not to implement all types of NAT. 

So, has anyone implemented *any* kind of NAT?
If so, how have you done?

Best Regards
Pedro


---------- Forwarded message ----------
From: *Grant Taylor* <gtaylor@xxxxxxxxxxxxxxxxx <mailto:gtaylor@xxxxxxxxxxxxxxxxx>> 
Date: Feb 7, 2007 7:01 PM
Subject: Re: IPTables and different types of NAT
To: Mail List - Netfilter <netfilter@xxxxxxxxxxxxxxxxxxx <mailto:netfilter@xxxxxxxxxxxxxxxxxxx>> 

Pascal Hambourg wrote:
> No. Please read more carefully the definitions of "restricted cone NAT"
> and "port restricted cone NAT". Neither can be implemented with iptables
> because they do not fit in the per-connection model.

"""With restricted cone NAT, all requests from the same internal IP
address and port are mapped to the same external IP address and port.
Unlike a full cone NAT, an external host can send a packet to the
internal host only if the internal host had previously sent a packet to
it."""

"""Port restricted cone NAT or symmetric NAT is like a restricted cone
NAT, but the restriction includes port numbers. Specifically, an
external host can send a packet to a particular port on the internal
host only if the internal host had previously sent a packet from that
port to the external host."""

The only other thing that comes to mind is that IPTables by its self
does not by default filter based on connection(s) and / or state.
However, there are match extensions that can be used to augment a basic
IPTables rule to do just that.  I.e.  CONNMARK in conjunction with MARK.

> "Symmetric NAT" works on a per-connection basis and is the NAT form that
> is the easiest to implement with iptables using SNAT or MASQUERADE.

I understood Symetric NAT to be a form of "one to many" or "many to
many" NATing.  The key part being the "... to many" in where multiple
external IPs would be used.  I know that it is possible (though I have
not done it) to specify a range to SNAT traffic with IPTables to a range
of IP addresses.  I was not aware that MASQUERADE would do the same
thing.  I was under the impression that MASQUERADE used the single IP on
an interface as the IP to SNAT traffic to.



Grant. . . .
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux