Appreciate the lucid reply. Replies inline. On 5/28/09, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote: > On Wed, 27 May 2009, Saatvik Agarwal wrote: > > > For my research project in school, I am trying to establish TCP > > connections when both hosts are behind full-cone NATs using TCP's > > simultaneous open functionality. Unfortunately, it seems that iptables > > does not support TCP simultaneous open. For my test environment, I > > simulate a full-cone NAT using iptables. My iptables rule is exactly > > as follows: > > > > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE > > > That rule cannot simulate full-cone NAT, because netfilter implements > port-restricted cone NAT. Would both SNAT and DNAT together simulate a full-cone NAT? > > According to the BEHAVE requirements outlined in IETF RFC 5382, TCP > > simultaneous open must be supported by "well behaved NATs". So is > > there a mistake in my rules or does iptables not support simultaneous > > open? > > > The connection tracking subsystem does not support TCP simultaneous open. > > As far as I'm concerned, I do not care whatever RFC is created in trying > to push NAT over its limits - that is just a totally wrong track. NAT was > invented solely to slow down the depletion of the IPv4 address space in > the hope to give more time introducing and *deploying* IPv6 world-wide. > And everyone was fully aware that NAT breaks one of the key concempts of > IP, the end-to-end connectivity. These "NAT behavioral requirements" RFCs > are the results of that breakage (and written exclusively from the point > of view of the application designers). Agreed. I was trying to develop a NAT traversal library solely for application developers. I guess I'll test with actual NATs/routers instead of iptables. > It is no point trying to *put back* end-to-end connectivity on top of NAT > when the clear and straight solution is to go to IPv6. > > The end-to-end connectivity is the very reason why I refuse the idea to > implement NAT for IPv6 in netfilter. The damage what IPv4 NAT produced > hasn't taught us not to repeat the same mistake again, willingly? I wholeheartedly agree that implementing NAT for IPv6 would be absolutely bone-headed. :) Thanks, Saatvik > Best regads, > Jozsef > - > E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx > PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt > Address : KFKI Research Institute for Particle and Nuclear Physics > H-1525 Budapest 114, POB. 49, Hungary -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
