Mart Frauenlob wrote:
netfilter-owner@xxxxxxxxxxxxxxx wrote:
Dear all,
I'm using iptables 1.3.8, and I need to implement a full cone NAT
which had to be capable of doing the following:
1. A packet is sent from a machine in the LAN from Address1:port100
to a machine in the WAN with Address3:port200, the NAT converts the
local Address1:port100 to Address2:port100 which is the address
assigned to the home router by the ISP. So this packet is sent with
source: Address2:port100 and destination: Address3:port200.
2. The packet received by the machine in the WAN in 1) is processed
and then the answer comes from a different machine with a different
address but using the same ports. So the response packet is sent by
Address4:port200 to Address2:port100. So this packet has source:
Address4:port200 and destination: Address2:port100.
3. When the home router receives the response packet it has to ignore
the sending address in the matching table, so that all traffic
received in Address2:port100 is simply forwarded to Address1:port100.
This is just a Full Cone NAT.
I have read some tutorials about iptables and the only way I have
found to do this is to make a rule that forwards all traffic that arrives
in Address2:port100 to Address1:port100. This does the work for just
one machine on the LAN which has a static ip and will always contact
the same machine on the WAN.
What I really want to do is implement a Full Cone NAT in which a
packet sent from Address1:port100 which is translated to
Address2:port100 by the NAT and goes to Address3:port200, activates
port100 in the home router so that any packets arriving in port100
will be forwarded to Address1:port100. And this would just work for
any number of machines.
Is there any way of doing so in the actual iptables or will I have to
add this feature to iptables?
Best Regards
Hugo Mendes
Just for curiosity:
sorry if I write complete nonsense, I've never ever hacked with
libnetfilter...
This is based on the assumption that it's possible to create
conntrack entries from within libnetfilter, which may be completely
wrong...
ok trying to figure:
LAN host A1:100 sends a packet to WAN host A3:200. When the packet arrives at
the router, it is sent to nfqueue.
There a conntrack entry is created, to expect the answer from WAN host
A4:200.
The NAT to A3 is still done.
Packet goes to A3, comes back from A4:200, conntrack sees the entry we
created in our nfqueue.
Now a rule should NAT that packet as coming from A2 (so client A1 will
not talk back to A4).
Finally the packet gets forwarded to the client, which only sees itself
talking with A2.
The whole thing iterates again...
should be:
Now a rule should NAT that packet as coming from A3 (so client A1 will
not talk back to A4).
Finally the packet gets forwarded to the client, which only sees itself
talking with A3.
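As an added illustration (my own toy model, not code from the thread or from netfilter), the mapping logic behind the three steps Hugo describes: the reply from A4:200 is forwarded to A1:100 under full-cone filtering and dropped under the address- or port-restricted modes. The addresses are constructed placeholders for Address1..Address4, and a second LAN host using the same source port shows the port-preserving mapping falling back to the next free port.

```python
from dataclasses import dataclass, field
FULL_CONE = "full-cone"                  # forward inbound from any sender
ADDR_RESTRICTED = "address-restricted"   # sender address must match a peer
PORT_RESTRICTED = "port-restricted"      # sender address:port must match

@dataclass
class Mapping:
    internal: tuple                       # (addr, port) of the LAN host
    external: tuple                       # (addr, port) on the WAN side
    peers: set = field(default_factory=set)  # WAN endpoints contacted

class NatTable:
    def __init__(self, wan_addr, mode=FULL_CONE):
        self.wan_addr = wan_addr
        self.mode = mode
        self.by_internal = {}             # (lan addr, port) -> Mapping
        self.by_external = {}             # (wan addr, port) -> Mapping

    def outbound(self, src, dst):
        """LAN host src sends to dst; returns the translated (src, dst)."""
        m = self.by_internal.get(src)
        if m is None:
            port = src[1]                 # try to preserve the port (step 1)
            while (self.wan_addr, port) in self.by_external:
                port += 1                 # another LAN host owns it: pick next
            m = Mapping(src, (self.wan_addr, port))
            self.by_internal[src] = self.by_external[m.external] = m
        m.peers.add(dst)
        return m.external, dst

    def inbound(self, src, dst):
        """WAN packet for dst; returns the LAN destination, or None to drop."""
        m = self.by_external.get(dst)
        if m is None:
            return None                   # no mapping: unsolicited, dropped
        if self.mode == FULL_CONE:
            return m.internal             # step 3: sender is not checked
        if self.mode == ADDR_RESTRICTED:
            allowed = any(p[0] == src[0] for p in m.peers)
        else:
            allowed = src in m.peers
        return m.internal if allowed else None

# Constructed addresses standing in for Address1..Address4 of the thread.
A1, A2, A3, A4 = "10.0.0.5", "198.51.100.1", "203.0.113.7", "203.0.113.8"

def reply_from_a4(mode):                  # steps 1-3: does A4's reply reach A1?
    nat = NatTable(A2, mode)
    nat.outbound((A1, 100), (A3, 200))
    return nat.inbound((A4, 200), (A2, 100))
```

The restricted modes are what a plain conntrack-based SNAT gives, since the reply tuple must match the entry created by the outbound packet, which is why the thread turns to creating conntrack entries for the expected sender.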