Re: Correctly classifying iptables NAT behaviour...

On Wed, 2009-10-07 at 12:26 +0200, Jozsef Kadlecsik wrote:
> As I wrote at netfilter-devel around May this year,
> 
> - According to the terminology of RFC 3489, netfilter implements port 
>   restricted cone NAT. If the --random flag is specified to the 
>   SNAT/MASQUERADE/... targets, it's better described as a symmetric NAT.


Hmm, seems I got it completely wrong, sorry about that.



use strict;
use warnings;
use IO::Socket;   # also exports the Socket helpers inet_aton() and sockaddr_in()

my $HOSTNAME = "www.leo.org";
my $PORT1    = "33333";
my $PORT2    = "44444";

# One UDP socket bound to a fixed local port, so both datagrams leave from
# the same internal (address, port) pair.
my $handle = IO::Socket::INET->new(Proto => 'udp', LocalPort => 22222)
    or die "cannot create socket: $@";

my $ipaddr    = inet_aton($HOSTNAME) or die "cannot resolve $HOSTNAME";
my $portaddr1 = sockaddr_in($PORT1, $ipaddr);
my $portaddr2 = sockaddr_in($PORT2, $ipaddr);

# Same source, same destination host, two different destination ports: the
# resulting conntrack entries show whether the NAT keeps one external port
# for both (port restricted cone) or picks a new one per destination.
send($handle, "test", 0, $portaddr1) or die "send failed: $!";
send($handle, "test", 0, $portaddr2) or die "send failed: $!";



results in the following two conntrack entries (port restricted) =>

udp      17 25 src=<INTERNAL> dst=80.190.158.9 sport=22222 dport=33333
packets=1 bytes=32 [UNREPLIED] src=80.190.158.9 dst=<EXTERNAL>
sport=33333 dport=22222 packets=0 bytes=0 mark=0 use=1

udp      17 25 src=<INTERNAL> dst=80.190.158.9 sport=22222 dport=44444
packets=1 bytes=32 [UNREPLIED] src=80.190.158.9 dst=<EXTERNAL>
sport=44444 dport=22222 packets=0 bytes=0 mark=0 use=1


And in the following with --random (symmetric) =>

udp      17 28 src=<INTERNAL> dst=80.190.158.9 sport=22222 dport=44444
packets=1 bytes=32 [UNREPLIED] src=80.190.158.9 dst=<EXTERNAL>
sport=44444 dport=3407 packets=0 bytes=0 mark=0 use=1

udp      17 28 src=<INTERNAL> dst=80.190.158.9 sport=22222 dport=33333
packets=1 bytes=32 [UNREPLIED] src=80.190.158.9 dst=<EXTERNAL>
sport=33333 dport=6327 packets=0 bytes=0 mark=0 use=1


--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
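As an added illustration (not part of the mail above), a small Python script that applies the same distinction mechanically to conntrack lines: it parses the original and reply tuples and reports, per internal endpoint, whether the NAT reused one external port for both destinations or chose a new one. The sample lines are constructed from the entries quoted in the mail, with the documentation addresses 192.0.2.10 and 198.51.100.1 standing in for <INTERNAL> and <EXTERNAL>.

```python
import re
from collections import defaultdict

# Constructed /proc/net/ip_conntrack lines mirroring the entries quoted in the
# mail; 192.0.2.10 stands in for <INTERNAL>, 198.51.100.1 for <EXTERNAL>.
PLAIN_SNAT = [
    "udp      17 25 src=192.0.2.10 dst=80.190.158.9 sport=22222 dport=33333 packets=1 bytes=32 "
    "[UNREPLIED] src=80.190.158.9 dst=198.51.100.1 sport=33333 dport=22222 packets=0 bytes=0 mark=0 use=1",
    "udp      17 25 src=192.0.2.10 dst=80.190.158.9 sport=22222 dport=44444 packets=1 bytes=32 "
    "[UNREPLIED] src=80.190.158.9 dst=198.51.100.1 sport=44444 dport=22222 packets=0 bytes=0 mark=0 use=1",
]
RANDOM_SNAT = [
    "udp      17 28 src=192.0.2.10 dst=80.190.158.9 sport=22222 dport=44444 packets=1 bytes=32 "
    "[UNREPLIED] src=80.190.158.9 dst=198.51.100.1 sport=44444 dport=3407 packets=0 bytes=0 mark=0 use=1",
    "udp      17 28 src=192.0.2.10 dst=80.190.158.9 sport=22222 dport=33333 packets=1 bytes=32 "
    "[UNREPLIED] src=80.190.158.9 dst=198.51.100.1 sport=33333 dport=6327 packets=0 bytes=0 mark=0 use=1",
]
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_entry(line):
    """Return (original tuple, reply tuple); each tuple is
    (src, dst, sport, dport). The first src= group is the original direction."""
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("unexpected conntrack line: " + line)
    orig, reply = [(t[0], t[1], int(t[2]), int(t[3])) for t in tuples]
    return orig, reply

def mapping_table(lines):
    """Per internal (src, sport): {(dst, dport): external port}. The port the
    NAT chose is the reply tuple's dport, i.e. what the remote host answers to."""
    table = defaultdict(dict)
    for line in lines:
        orig, reply = parse_entry(line)
        table[(orig[0], orig[2])][(orig[1], orig[3])] = reply[3]
    return table

def classify(lines):
    """One external port for every destination = endpoint-independent mapping
    (port restricted cone in RFC 3489 terms); a fresh port per destination =
    endpoint-dependent mapping (symmetric, what --random produces)."""
    result = {}
    for endpoint, mappings in mapping_table(lines).items():
        if len(mappings) < 2:          # need two destinations to tell
            result[endpoint] = "undetermined"
        elif len(set(mappings.values())) == 1:
            result[endpoint] = "port restricted cone"
        else:
            result[endpoint] = "symmetric"
    return result
```

Only the mapping side of the RFC 3489 classification is visible in these entries; whether inbound packets are also filtered by remote port is decided by the conntrack state matching and filter rules, not by the table itself.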
