Re: TCP simultaneous open using iptables NAT?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 28 May 2009, sachin sanap wrote:

> On Thu, May 28, 2009 at 2:28 PM, Jozsef Kadlecsik
> <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> > On Wed, 27 May 2009, Saatvik Agarwal wrote:
> >
> >> For my research project in school, I am trying to establish TCP
> >> connections when both hosts are behind full-cone NATs using TCP's
> >> simultaneous open functionality. Unfortunately, it seems that iptables
> >> does not support TCP simultaneous open. For my test environment, I
> >> simulate a full-cone NAT using iptables. My iptables rule is exactly
> >> as follows:
> >>
> >> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> >
> > That rule cannot simulate full-cone NAT, because netfilter implements
> > port-restricted cone NAT.
> I agree to most of stuff that you have said but the above statement of
> "port-restricted cone NAT" confuses me.
> If we look at different types of NATs as mentioned here
> www.crfreenet.org/~martin/referaty/stun/naty.pdf , i think the
> netfilter implementation is really a symmetric NAT.
> Iam I missing some thing?

It depends.

With MASQUERADE it's a port-restricted cone NAT.

Using the --random flag with SNAT you can almost create a symmetric NAT 
with netfilter, except that the "requirements" of the symmetric NAT (RFC 
3489) includes mapping to an unique source IP address and port whenever 
the same internal host connects to different external hosts. However 
netfilter creates an unique tuple (mapped src IP, mapped src port, dst IP, 
dst port) not just an unique pair of (mapped src IP, mapped src port).

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux