Re: Full NAT forward and source routing - possible without packet marking?

On 07/01/2017 04:26 PM, Robert White wrote:
So, for instance, once you DNAT the incoming packet you _don't_ want to
SNAT it.

What about hairpin NAT?

Suppose you have a port mapping from the router's public IP (2.2.2.2) to some private IP on the LAN (10.2.2.2). Then 2.2.2.2 is published in a rendezvous server and some other device (10.2.2.3) on the same LAN segment learns that address and opens a connection.

Now you need the SNAT rule, otherwise the router would translate the packet for 2.2.2.2 to 10.2.2.2 and 10.2.2.2 would send its response to 10.2.2.3. 10.2.2.3 is local so it doesn't pass through the router to be translated back and the connection fails because 10.2.2.3 is expecting a response from 2.2.2.2 rather than 10.2.2.2.

It would obviously be better for the applications to use the private addresses directly but you might not be in control of that.

So you need to know the in-interface or similar because you should only do the SNAT for hairpin if the client is internal.

The interesting question is whether that can be done without marking.
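As an added illustration (not part of the original message), the three nat-table rules below express the hairpin case the post describes: the DNAT for the 2.2.2.2 -> 10.2.2.2 port mapping, and an SNAT that fires only when the client sits on the LAN. In the POSTROUTING chain the in-interface is no longer available, so the rule keys on the LAN source subnet and the LAN out-interface instead, which is one way of getting the "only if the client is internal" condition without a packet mark. The addresses 2.2.2.2 and 10.2.2.2 come from the post; the interface names, the port, the LAN subnet and the use of MASQUERADE are assumptions. The script prints the rules rather than applying them, so they can be reviewed first and then piped to sh as root.

```shell
#!/bin/sh
# Hairpin NAT rule generator (example code, not from the original post).
# Addresses 2.2.2.2 / 10.2.2.2 are from the post; everything else is an assumed default
# and can be overridden through the environment.
WAN_IF="${WAN_IF:-eth0}"            # assumption: interface holding the public address
LAN_IF="${LAN_IF:-eth1}"            # assumption: interface facing the 10.2.2.0/24 segment
PUBLIC_IP="${PUBLIC_IP:-2.2.2.2}"
LAN_NET="${LAN_NET:-10.2.2.0/24}"   # assumption: the LAN that 10.2.2.2 and 10.2.2.3 share
SERVER_IP="${SERVER_IP:-10.2.2.2}"
PORT="${PORT:-8080}"                # assumption: the published TCP port

# Emit the iptables commands on stdout. Apply with:  hairpin_rules | sh   (as root)
hairpin_rules() {
    # 1. External client: DNAT on the WAN side. The reply must come back through the
    #    router anyway, so conntrack reverses the translation and no SNAT is needed.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport $PORT -j DNAT --to-destination $SERVER_IP:$PORT"

    # 2. Internal client (e.g. 10.2.2.3) talking to the public address: the same DNAT,
    #    but matched on the LAN interface and the LAN source subnet.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $PUBLIC_IP -p tcp --dport $PORT -j DNAT --to-destination $SERVER_IP:$PORT"

    # 3. Hairpin SNAT. Without this, 10.2.2.2 would answer 10.2.2.3 directly with its
    #    private address and the client, expecting 2.2.2.2, would drop the reply.
    #    -i is not allowed in POSTROUTING, so "client is internal" is expressed as
    #    source-in-LAN plus out-interface-is-LAN; no mark is involved. MASQUERADE picks
    #    the router's own LAN address as the new source.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $SERVER_IP -p tcp --dport $PORT -j MASQUERADE"
}

# Number of rules the generator emits; handy for a quick self-check.
rule_count() {
    hairpin_rules | grep -c '^iptables'
}

hairpin_rules
```

The FORWARD chain still has to accept the DNATed traffic (for example with `-m conntrack --ctstate DNAT`), and the same three rules can be expressed in nftables with `iifname`/`oifname` matches; the substance is the same. One side effect of rule 3 is that the server only ever sees the router's LAN address for hairpinned clients, so its own logs cannot distinguish 10.2.2.3 from any other internal host; if that matters, the application-level fix the post mentions (using private addresses directly) avoids the SNAT altogether.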


