Re: NAT on stateless firewall ?

Hello,

Florin Andrei wrote:
> [...]
> Since HTTP is the only thing traversing the firewall,

Really ? No ICMP error messages, no outgoing DNS queries ?

> The problem is, NAT seems to imply stateful filtering. The moment I start playing with the nat table, the ip_conntrack module gets loaded.

Iptables NAT is stateful by design and requires the connection tracking. However it does not imply stateful filtering, i.e. the use of connection tracking matches such as 'state' or 'conntrack' in filtering rules.

> Is there a way to do NAT on a true stateless firewall? (no conntrack loaded)

There used to be a stateless NAT implemented in routing code of old kernels enabled by the option CONFIG_IP_ROUTE_NAT. It could be set up with 'ip rule' and 'ip route' commands. But it was considered broken and has been removed since version 2.6.9. However it is still present in recent 2.4 kernels.

> If the answer to the previous q is negative, can I just ignore conntrack and build the filter and nat tables as if conntrack would not exist?

Yes, of course. But keep in mind that iptables NAT is stateful by design.

> I stumbled upon "-t raw" and I'm testing it, looks like it does what I need.

If you mean using the NOTRACK target, this is a bad idea. Packets in the UNTRACKED state will be ignored by the connection tracking *and* thus by the stateful NAT which depends on it.
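As an added example (not part of this thread), here is a ruleset in iptables-restore format that illustrates the distinction drawn above: the nat table still pulls in connection tracking, but the filter table uses no 'state'/'conntrack' matches, and the raw table deliberately does not NOTRACK the NAT'd traffic. Interface names and the public address are assumed placeholders.

```shell
#!/bin/sh
# Added example: NAT outgoing HTTP from a LAN while keeping the filter table
# stateless. Interfaces and address below are assumptions, not from the thread.
LAN_IF=eth1; WAN_IF=eth0; WAN_IP=198.51.100.10

# Emit the ruleset; on a real host pipe it into `iptables-restore` (needs root).
gen_rules() {
cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Do NOT add "-A PREROUTING -i $LAN_IF -j NOTRACK": untracked packets skip
# conntrack and therefore skip the nat table as well.
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -p tcp --dport 80 -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Stateless forwarding: both directions matched explicitly instead of
# "-m state --state ESTABLISHED". Replies are still de-NATed by conntrack.
# Note "! --syn" is weaker than conntrack: anyone can send from sport 80.
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 80 -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp --sport 80 ! --syn -j ACCEPT
# "Only HTTP" in practice also needs DNS lookups and ICMP error messages:
-A FORWARD -i $LAN_IF -o $WAN_IF -p udp --dport 53 -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p udp --sport 53 -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p icmp --icmp-type destination-unreachable -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p icmp --icmp-type time-exceeded -j ACCEPT
COMMIT
EOF
}

# Sanity check without touching the kernel: no stateful matches in the
# rules, no NOTRACK rule in raw, and the SNAT rule present.
check_stateless() {
  rules=$(gen_rules | grep -v '^#')
  printf '%s\n' "$rules" | grep -Eq -- '-m (state|conntrack)' && return 1
  printf '%s\n' "$rules" | grep -Eq -- '^-A .*-j NOTRACK' && return 1
  printf '%s\n' "$rules" | grep -q -- '-j SNAT' || return 1
  return 0
}
```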


