(sorry for top posting; Gmail mobile client)

I'll try to answer your questions.

1. For an example: ICMP does not have ports. You should split the rule:

   -p tcp -g nr_napt
   -p udp -g nr_napt
   -p sctp -g nr_napt
   -p dccp -g nr_napt
   -j SNAT (without ports)

   -A nr_napt -j SNAT (with ports)

2. Yes, with helper. Prior to the SNAT rules above, place a rule with helper match:

   -m helper --helper ftp

3. Netfilter will perform a defragmentation in this case.

4. One-to-one will happen only if (in the case of SNAT) you use a -s match. If (like in your example) you use a -d match, it will still be NAPT, and port multiplexing will still happen.

Others, feel free to CMIIW.

Rgds,

On 2011-03-09, ajay seshadri <seshajay@xxxxxxxxx> wrote:
> Hi all,
>
> I was trying to write some iptables rules to perform NAPT. I had the
> following doubts:
>
> 1. When I specified the following rule:
>
>     sudo iptables -t nat -A POSTROUTING -d 10.20.3.81 -j SNAT --to 10.19.11.1:1-500
>
> I got the following error:
>
>     iptables v1.4.4: Need TCP, UDP, SCTP or DCCP with port specification.
>
> Is there any way to specify a single rule to cover all the protocols? I
> got the same error when I specified '-p 0'. Are there any protocols
> that don't work with NAPT?
>
> 2. Would NAPT work in case of application layer protocols like FTP,
> where the application code requires port numbers? I came across ALG
> and conntrack modules. I don't really have clarity in this regard to
> know if there are any application layer protocols that would fail to
> work with NAPT. If yes, is there any way to get around this?
>
> 3. If I am not mistaken the NAT RFC states that NAPT won't work if the
> packets are already segmented as the segments don't contain port
> information. Is there any way to get around this? Also, are there any
> such scenarios where NAPT would fail?
>
> 4. If NAT is done instead of NAPT, by specifying a one-to-one
> mapping for each flow using iptables, does that guarantee that port
> multiplexing will not be used? Is NATing more stable than NAPT?
>
>
> Thanks,
> Ajay
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>

--
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/
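As an added example that is not part of the thread, here is a POSIX sh script that emits the rule set sketched in the reply above (the per-protocol split into a user chain, the address-only fallback for ICMP and other port-less protocols, and the FTP helper rule placed ahead of both) and runs a self-check over the generated rules before applying them. The internal network 10.20.3.0/24, the external address 10.19.11.1, the port pool 1-500, the chain name nr_napt and the script name napt.sh are assumptions. The raw-table CT rule that pins the ftp helper to port 21 is an addition for kernels where automatic helper assignment is disabled; it needs nf_conntrack_ftp and nf_nat_ftp loaded.

```shell
#!/bin/sh
# Added example, not from the thread: generate the NAPT rule set the reply
# sketches.  Port-capable protocols (tcp/udp/sctp/dccp) are diverted to a
# user chain that SNATs with a source-port pool; everything without ports
# (ICMP, GRE, ESP, ...) falls through to an address-only SNAT; FTP-helper
# traffic is SNATed address-only before either, so the data ports the ALG
# announces are not shifted.  Addresses, pool and chain name are assumed.

INT_NET="${INT_NET:-10.20.3.0/24}"   # internal network being translated (assumed)
EXT_IP="${EXT_IP:-10.19.11.1}"       # public address to translate to (assumed)
PORTS="${PORTS:-1-500}"              # source-port pool (assumed); once all 500 ports
                                     # are in use, new flows get no port and are dropped
CHAIN="${CHAIN:-nr_napt}"            # user chain for port-capable protocols (assumed)
IPT="${IPT:-iptables}"               # set IPT=echo to print the commands instead

# Print the rule set, one command per line, in load order.  The -s match is
# what ties each mapping to the internal source; a -d match, as in the rule
# from the question, selects on destination and still multiplexes ports.
# The raw-table CT rule attaches the ftp helper explicitly, which is needed
# where automatic helper assignment is off (nf_conntrack_helper=0).
napt_rules() {
    cat <<EOF
$IPT -t nat -N $CHAIN
$IPT -t raw -A PREROUTING -s $INT_NET -p tcp --dport 21 -j CT --helper ftp
$IPT -t nat -A POSTROUTING -s $INT_NET -m helper --helper ftp -j SNAT --to-source $EXT_IP
$IPT -t nat -A POSTROUTING -s $INT_NET -p tcp -g $CHAIN
$IPT -t nat -A POSTROUTING -s $INT_NET -p udp -g $CHAIN
$IPT -t nat -A POSTROUTING -s $INT_NET -p sctp -g $CHAIN
$IPT -t nat -A POSTROUTING -s $INT_NET -p dccp -g $CHAIN
$IPT -t nat -A POSTROUTING -s $INT_NET -j SNAT --to-source $EXT_IP
$IPT -t nat -A $CHAIN -j SNAT --to-source $EXT_IP:$PORTS
EOF
}

# Apply the rule set (needs root, nf_conntrack_ftp and nf_nat_ftp loaded).
apply_napt_rules() {
    napt_rules | sh -e
}

# Self-check on the generated text: exactly one rule carries the port pool
# (the one in the user chain), all four port-capable protocols are diverted
# to that chain, and the catch-all SNAT is address-only.  Prints "ok".
check_napt_rules() {
    rules=$(napt_rules)
    [ "$(printf '%s\n' "$rules" | grep -c -e "SNAT --to-source $EXT_IP:$PORTS\$")" -eq 1 ] || return 1
    for p in tcp udp sctp dccp; do
        printf '%s\n' "$rules" | grep -q -e "-A POSTROUTING -s $INT_NET -p $p -g $CHAIN\$" || return 1
    done
    printf '%s\n' "$rules" | grep -q -e "-A POSTROUTING -s $INT_NET -j SNAT --to-source $EXT_IP\$" || return 1
    echo ok
}

# Usage: IPT=echo sh napt.sh apply   (preview)    sh napt.sh apply   (as root)
if [ "${1:-}" = apply ]; then
    check_napt_rules >/dev/null && apply_napt_rules
fi
```

Preview with `IPT=echo sh napt.sh apply` before loading it for real. Keep in mind that a 500-port pool is exhausted by 500 concurrent flows per destination tuple; in production the pool is usually the full ephemeral range, or omitted so the kernel picks a free port itself.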