On Tue, 6 Oct 2009, Toby Bradshaw wrote:

> I notice that the default iptables MASQ and SNAT behaviour appears to be an
> odd hybrid of both port restricted and symmetric NATs. As long as the host
> behind the iptables NAT is the first sender, then the external firewall port
> becomes open and packets sent in reply from the right ip:port will pass
> through the firewall. This is classic port restricted behaviour. However, if a
> packet is sent first from an external host to the ip:port address that would
> have been used by an internal host, then when the internal host attempts to
> send to the same external host its port becomes changed on the way through
> NAT (usually to 1024 in my experience). This is classic symmetric behaviour.

As I wrote at netfilter-devel around May this year,

- According to the terminology of RFC 3489, netfilter implements port
  restricted cone NAT. If the --random flag is specified to the
  SNAT/MASQUERADE/... targets, it's better described as a symmetric NAT.

- According to the terminology of RFC 4787 and RFC 5382, netfilter implements
  - endpoint-independent mapping. If the --random flag is specified to the
    SNAT/MASQUERADE/... targets, it's an address and port-dependent mapping.
  - address and port-dependent filtering.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
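A toy model of the RFC 4787 terms used in the reply, added here as an illustration (it is not netfilter code and not part of the thread): the default mode stands for plain SNAT/MASQUERADE, `random_ports=True` stands for the --random flag, and the classifier covers the third RFC 4787 mapping class (address-dependent) as well, which the mail does not mention. Port allocation is simplified to keep the model deterministic; the addresses are constructed.

```python
"""Toy NAT illustrating endpoint-independent vs address-and-port-dependent
mapping, and address-and-port-dependent filtering, in RFC 4787 terms.
Added example, not netfilter code; port allocation is a simplification."""
import itertools
from collections import defaultdict

EXT_IP = "203.0.113.1"  # constructed external address of the NAT


class ToyNat:
    def __init__(self, random_ports=False):
        self.random_ports = random_ports           # True models --random
        self.mappings = {}                         # mapping key -> external port
        self.allowed = set()                       # (ext_port, peer) learned outbound
        self._fresh = itertools.count(40000)       # deterministic stand-in for --random

    def _key(self, src, dst):
        # Endpoint-independent: the mapping depends on the internal endpoint only.
        # Address and port-dependent (--random): one mapping per (src, dst) pair.
        return (src, dst) if self.random_ports else src

    def outbound(self, src, dst):
        """Translate a packet src -> dst; returns the external (ip, port)."""
        key = self._key(src, dst)
        if key not in self.mappings:
            # Default: keep the internal port; --random: pick a new one per flow.
            self.mappings[key] = next(self._fresh) if self.random_ports else src[1]
        ext_port = self.mappings[key]
        # Address and port-dependent filtering: only this exact peer may reply.
        self.allowed.add((ext_port, dst))
        return (EXT_IP, ext_port)

    def inbound(self, ext_port, peer):
        """True if a packet from peer (ip, port) to ext_port passes the filter."""
        return (ext_port, peer) in self.allowed


def classify_mapping(nat, src, peers):
    """RFC 4787 mapping class, judged from the external ports seen by peers."""
    seen = defaultdict(set)  # peer ip -> external ports observed by that host
    for peer in peers:
        seen[peer[0]].add(nat.outbound(src, peer)[1])
    all_ports = set().union(*seen.values())
    if len(all_ports) == 1:
        return "endpoint-independent"
    if all(len(ports) == 1 for ports in seen.values()):
        return "address-dependent"
    return "address and port-dependent"
```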