Re: How to configure "full cone" NAT using iptables


 



“Full cone” NAT simply means that there is no longer strict connection tracking or enforcement of which IPs can connect back to the ports that are associated with the internal IP.

Traditional NAT:
- TCP connection to 1.1.1.1 from 192.168.1.10 over outside translated TCP source port 45619. All packets destined to port 45619 MUST come from 1.1.1.1.

Full cone NAT:
- TCP connection to 1.1.1.1 from 192.168.1.10 over outside translated TCP source port 45619. All packets destined to port 45619 are allowed from ANY IP.

Another term for this behavior is “endpoint independent” NAT/filtering.

> On May 16, 2023, at 4:46 AM, Kevin P. Fleming <lists.netfilter@xxxxxxxxxxxxx> wrote:
> 
> On Tue, May 16, 2023, at 07:07, Shane Wang wrote:
>> Thanks for your reply.
>> I think the "--to-destination 10.0.0.1" rule will be matched, and the
>> "--to-destination 10.0.0.2" rule will never be matched.
>> Does iptables not support "full cone" NAT for multiple internal IP addresses?
> 
> Does *any* platform support such a configuration? Based on my understanding of what 'full cone' means, every internal address needs a separate external address to be fully mapped to it. Your example shows that you have one external address, which means you can only provide 'full cone' mapping for one internal address, no matter which tool you use.
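The 1:1 rule set the thread is circling around, as an added example that is not code from the original posts. It assumes a hypothetical WAN interface eth0, external addresses 203.0.113.5 and 203.0.113.6, and internal hosts 10.0.0.1 and 10.0.0.2; by default it only prints the iptables commands (set IPT=iptables to apply them on a router). It also carries the check the thread implies: a second DNAT rule for the same external address is shadowed by the first and never matches, so each internal host must get its own external address.

```shell
#!/bin/sh
# Added example, not from the netfilter thread. Generates iptables rules for
# "full cone" (endpoint-independent mapping and filtering) NAT with a 1:1
# external-to-internal address map. All addresses and the interface are
# hypothetical. IPT defaults to printing; set IPT=iptables to apply for real.

IPT="${IPT:-echo iptables}"
WAN="${WAN:-eth0}"

# fullcone_pair EXT_IP INT_IP: rules for one external/internal address pair.
fullcone_pair() {
    ext="$1"; int="$2"
    # Outbound: everything from the internal host leaves as EXT_IP. With one
    # internal host per external address nothing else competes for a source
    # port, so SNAT can keep the original port (endpoint-independent mapping).
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$int" -j SNAT --to-source "$ext"
    # Inbound: any packet to EXT_IP, from ANY peer and regardless of whether
    # that peer was contacted first, is DNATed to the internal host
    # (endpoint-independent filtering).
    $IPT -t nat -A PREROUTING -i "$WAN" -d "$ext" -j DNAT --to-destination "$int"
    # The filter table must also let those unsolicited, now-DNATed packets
    # through; without this the nat rules alone do not open the host.
    $IPT -A FORWARD -i "$WAN" -d "$int" -m conntrack --ctstate DNAT -j ACCEPT
}

# fullcone_map "EXT1:INT1 EXT2:INT2 ...": emit rules for every pair, but
# refuse a map that reuses an external address, because a second DNAT rule
# matching the same -d EXT_IP sits behind the first and never fires.
# Returns 1 on a duplicate (nothing emitted), 0 on success.
fullcone_map() {
    seen=""
    for pair in $1; do
        ext="${pair%%:*}"
        case " $seen " in
            *" $ext "*)
                echo "error: external address $ext already mapped" >&2
                return 1 ;;
        esac
        seen="$seen $ext"
    done
    for pair in $1; do
        fullcone_pair "${pair%%:*}" "${pair#*:}"
    done
}

# Usage: two internal hosts need two external addresses.
fullcone_map "203.0.113.5:10.0.0.1 203.0.113.6:10.0.0.2"
```

The FORWARD rule is the part most often forgotten: the nat table only rewrites addresses, and a router whose FORWARD chain defaults to DROP still discards the inbound packets unless they are explicitly accepted. Conversely, if a box already has a broad `-A FORWARD -j ACCEPT`, every internal host behind a 1:1 map is reachable from any Internet peer on any port, which is exactly what "full cone" means and why it should be used deliberately, not as a convenience default.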



