Hi all,

I was trying to write some iptables rules to perform NAPT. I had the following doubts:

1. When I specified the following rule:

    sudo iptables -t nat -A POSTROUTING -d 10.20.3.81 -j SNAT --to 10.19.11.1:1-500

I got the following error:

    iptables v1.4.4: Need TCP, UDP, SCTP or DCCP with port specification.

Is there any way to specify a single rule to cover all the protocols? I got the same error when I specified '-p 0'. Are there any protocols that don't work with NAPT?

2. Would NAPT work in case of application layer protocols like FTP, where the application code requires port numbers? I came across ALG and conntrack modules. I don't really have clarity in this regard to know if there are any application layer protocols that would fail to work with NAPT. If yes, is there any way to get around this?

3. If I am not mistaken, the NAT RFC states that NAPT won't work if the packets are already segmented, as the segments don't contain port information. Is there any way to get around this? Also, are there any such scenarios where NAPT would fail?

4. If NAT is done instead of NAPT, by specifying a one-to-one mapping for each flow using iptables, does that guarantee that port multiplexing will not be used? Is NATing more stable than NAPT?

Thanks,
Ajay

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
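The rule in question 1 fails because the SNAT target only accepts a port range when the rule also selects a port-carrying protocol. The following script is an added example, not code from Ajay's post or from the netfilter project: it reproduces that acceptance check, emits one SNAT rule per port-carrying protocol plus a port-less catch-all for everything else, and lists the FTP conntrack/NAT helper modules (nf_conntrack_ftp, nf_nat_ftp) that question 2 asks about. It reuses the addresses and port range from the post and only prints commands unless APPLY=1 is set.

```sh
#!/bin/sh
# Added example (not from the original post). iptables rejects a port spec on
# --to-source unless the rule selects TCP, UDP, SCTP or DCCP, so NAPT for "all
# protocols" is four per-protocol rules plus one plain SNAT rule without ports.
# Addresses and port range are those from the post; nothing is applied unless APPLY=1.

# rule_ok RULE -> exit 0 if iptables would accept the port spec on this SNAT rule
rule_ok() {
    case $1 in
        *"--to-source "*:*|*"--to "*:*) has_port=1 ;;
        *)                              has_port=0 ;;
    esac
    case $1 in
        *"-p tcp "*|*"-p udp "*|*"-p sctp "*|*"-p dccp "*) port_proto=1 ;;
        *)                                                  port_proto=0 ;;
    esac
    # A port range is fine only when the protocol actually carries ports.
    [ "$has_port" -eq 0 ] || [ "$port_proto" -eq 1 ]
}

# napt_rules DST SNAT_IP PORT_RANGE -> prints one iptables command per line
napt_rules() {
    dst=$1; snat=$2; range=$3
    for proto in tcp udp sctp dccp; do
        printf 'iptables -t nat -A POSTROUTING -p %s -d %s -j SNAT --to-source %s:%s\n' \
            "$proto" "$dst" "$snat" "$range"
    done
    # Everything else (ICMP, GRE, ESP, ...): address translation only, no ports.
    printf 'iptables -t nat -A POSTROUTING -d %s -j SNAT --to-source %s\n' "$dst" "$snat"
}

# load_ftp_helper -> kernel helpers that track and rewrite FTP's PORT/PASV payload
load_ftp_helper() {
    printf 'modprobe nf_conntrack_ftp\nmodprobe nf_nat_ftp\n'
}

main() {
    bad='iptables -t nat -A POSTROUTING -d 10.20.3.81 -j SNAT --to 10.19.11.1:1-500'
    rule_ok "$bad" || echo "rejected (as iptables does): $bad"
    { load_ftp_helper; napt_rules 10.20.3.81 10.19.11.1 1-500; } |
        while IFS= read -r cmd; do
            if [ "${APPLY:-0}" = 1 ]; then sh -c "$cmd"; else echo "$cmd"; fi
        done
}
main
```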