* IPTables and different types of NAT
From: Pedro Gonçalves @ 2007-02-07 15:49 UTC
To: netfilter

Hi

I want to know if it is possible to use IPTables to implement
- Full Cone NAT
- Restricted Cone NAT
- Port Restricted Cone NAT
- Symmetric NAT

If so, where can I find information about how to implement each type of NAT?

Regards
Pedro
* Re: IPTables and different types of NAT
From: Grant Taylor @ 2007-02-07 16:19 UTC
To: Mail List - Netfilter

Pedro Gonçalves wrote:
> I want to know if it is possible to use IPTables to implement
> - Full Cone NAT
> - Restricted Cone NAT
> - Port Restricted Cone NAT
> - Symmetric NAT

I see no reason why it would not be possible. However, such distinctions are usually not made.

The "default" (if you will) NAT that is used on most SOHO Linux routers would be considered "Restricted Cone NAT" in that external hosts can not connect to internal hosts unless the internal host has contacted the external host first.

"Full Cone NAT" could easily be implemented with inbound redirection to the internal system.

"Port Restricted Cone NAT" is nothing more than "Restricted Cone NAT" with port filtering. This is what is usually done if you have a server behind a NATing router / firewall. In this case, you only port forward the ports that you need.

I'm not sure if there is inherent support for "Symmetric NAT" or not. I'm sure that support could be added for this if it does not exist.

> If so, where can I find information about how to implement each type of
> NAT?

I just did a quick Google for what the various types of NAT mean and ran across this:

http://en.wikipedia.org/wiki/Network_address_translation

As far as information on how to do it, all but "Symmetric NAT" can be very simply done with basic IPTables SOHO style NATing.

Grant. . . .
* Re: IPTables and different types of NAT
From: Pascal Hambourg @ 2007-02-07 18:10 UTC
To: Mail List - Netfilter

Hello,

Grant Taylor wrote:
> Pedro Gonçalves wrote:
>
>> I want to know if it is possible to use IPTables to implement
>> - Full Cone NAT
>> - Restricted Cone NAT
>> - Port Restricted Cone NAT
>> - Symmetric NAT
>
> I see no reason why it would not be possible.

The reason is Netfilter/iptables performs UDP NAT on a per-connection basis (connection = source address, source port, destination address, destination port).

> "Full Cone NAT" could easily be implemented with inbound redirection to
> the internal system.

"Full cone NAT" can be implemented with 1-to-1 bidirectional NAT using SNAT+DNAT or NETMAP.

> "Port Restricted Cone NAT" is nothing more than "Restricted Cone NAT"
> with port filtering. This is what is usually done if you have a server
> behind a NATing router / firewall. In this case, you only port forward
> the ports that you need.

No. Please read more carefully the definitions of "restricted cone NAT" and "port restricted cone NAT". Neither can be implemented with iptables because they do not fit in the per-connection model.

> I'm not sure if there is inherent support for "Symmetric NAT" or not.

"Symmetric NAT" works on a per-connection basis and is the NAT form that is the easiest to implement with iptables using SNAT or MASQUERADE.
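As an added example (not code from any poster in this thread), here are the iptables rule sets behind the two answers above: 1-to-1 SNAT+DNAT or NETMAP for full cone NAT, and MASQUERADE for per-connection NAT, each paired with the FORWARD rules that decide how exposed the internal host actually is. All addresses, interfaces and ports are constructed placeholders.

```shell
# Added example, not from the thread. Each function emits iptables rules;
# review the output, then run it on the router with: fullcone_rules ... | sh
# Addresses, interfaces and ports below are constructed placeholders.

# Full cone via 1:1 SNAT+DNAT. The two nat rules alone let every external
# host reach INT_IP through EXT_IP, so the FORWARD rules are what limit the
# exposure: established flows plus new TCP connections to one port only.
fullcone_rules() {
    ext_ip=$1; int_ip=$2; wan=$3; port=$4
    cat <<EOF
iptables -t nat -A POSTROUTING -o $wan -s $int_ip -j SNAT --to-source $ext_ip
iptables -t nat -A PREROUTING -i $wan -d $ext_ip -j DNAT --to-destination $int_ip
iptables -A FORWARD -i $wan -d $int_ip -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -d $int_ip -p tcp --dport $port -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $wan -d $int_ip -j DROP
EOF
}

# The same 1:1 mapping for a whole subnet with NETMAP: the host part of the
# address is kept, only the network part is rewritten. FORWARD filtering as
# above still applies to every host in the range.
netmap_rules() {
    ext_net=$1; int_net=$2; wan=$3
    cat <<EOF
iptables -t nat -A PREROUTING -i $wan -d $ext_net -j NETMAP --to $int_net
iptables -t nat -A POSTROUTING -o $wan -s $int_net -j NETMAP --to $ext_net
EOF
}

# Per-connection NAT (symmetric NAT in the thread's terms). An inbound
# packet is accepted only when conntrack already holds the matching
# connection, which is the per-connection model described above.
masquerade_rules() {
    wan=$1; lan_net=$2
    cat <<EOF
iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
iptables -A FORWARD -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -m state --state NEW,INVALID -j DROP
EOF
}

# Sample invocation with constructed values (prints the rules, does not apply them)
fullcone_rules 203.0.113.10 192.168.1.10 eth0 443
netmap_rules 203.0.113.0/24 192.168.1.0/24 eth0
masquerade_rules eth0 192.168.1.0/24
```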
* Re: IPTables and different types of NAT
From: Pedro Gonçalves @ 2007-02-07 18:23 UTC
To: Pascal Hambourg; +Cc: Mail List - Netfilter

Pascal Hambourg wrote:
>> "Full Cone NAT" could easily be implemented with inbound redirection
>> to the internal system.
>
> "Full cone NAT" can be implemented with 1-to-1 bidirectional NAT using
> SNAT+DNAT or NETMAP.
>
>> "Port Restricted Cone NAT" is nothing more than "Restricted Cone NAT"
>> with port filtering. This is what is usually done if you have a
>> server behind a NATing router / firewall. In this case, you only
>> port forward the ports that you need.
>
> No. Please read more carefully the definitions of "restricted cone
> NAT" and "port restricted cone NAT". Neither can be implemented with
> iptables because they do not fit in the per-connection model.
>
>> I'm not sure if there is inherent support for "Symmetric NAT" or not.
>
> "Symmetric NAT" works on a per-connection basis and is the NAT form
> that is the easiest to implement with iptables using SNAT or MASQUERADE.

This is the main reason why I am asking: some people say it is possible to implement all these types of NAT, some say it's not.

Pascal, can you tell me where I can find information regarding the implementation of "Full Cone NAT" and "Symmetric NAT" using IPTables? All I can find is discussions about whether it is possible or not to implement this.

Thanks a lot
Pedro
* Re: IPTables and different types of NAT
From: Grant Taylor @ 2007-02-07 19:01 UTC
To: Mail List - Netfilter

Pascal Hambourg wrote:
> No. Please read more carefully the definitions of "restricted cone NAT"
> and "port restricted cone NAT". Neither can be implemented with iptables
> because they do not fit in the per-connection model.

"""With restricted cone NAT, all requests from the same internal IP address and port are mapped to the same external IP address and port. Unlike a full cone NAT, an external host can send a packet to the internal host only if the internal host had previously sent a packet to it."""

"""Port restricted cone NAT or symmetric NAT is like a restricted cone NAT, but the restriction includes port numbers. Specifically, an external host can send a packet to a particular port on the internal host only if the internal host had previously sent a packet from that port to the external host."""

The only other thing that comes to mind is that IPTables by itself does not by default filter based on connection(s) and / or state. However, there are match extensions that can be used to augment a basic IPTables rule to do just that. I.e. CONNMARK in conjunction with MARK.

> "Symmetric NAT" works on a per-connection basis and is the NAT form that
> is the easiest to implement with iptables using SNAT or MASQUERADE.

I understood Symmetric NAT to be a form of "one to many" or "many to many" NATing. The key part being the "... to many" in where multiple external IPs would be used. I know that it is possible (though I have not done it) to specify a range to SNAT traffic with IPTables to a range of IP addresses. I was not aware that MASQUERADE would do the same thing. I was under the impression that MASQUERADE used the single IP on an interface as the IP to SNAT traffic to.

Grant. . . .
* Fwd: IPTables and different types of NAT
From: Pedro Gonçalves @ 2007-02-08 14:47 UTC
To: netfilter

I still don't have a clear answer whether it is possible or not to implement all types of NAT.

So, has anyone implemented *any* kind of NAT?
If so, how have you done it?

Best Regards
Pedro

---------- Forwarded message ----------
From: Grant Taylor <gtaylor@riverviewtech.net>
Date: Feb 7, 2007 7:01 PM
Subject: Re: IPTables and different types of NAT
To: Mail List - Netfilter <netfilter@lists.netfilter.org>

Pascal Hambourg wrote:
> No. Please read more carefully the definitions of "restricted cone NAT"
> and "port restricted cone NAT". Neither can be implemented with iptables
> because they do not fit in the per-connection model.

"""With restricted cone NAT, all requests from the same internal IP address and port are mapped to the same external IP address and port. Unlike a full cone NAT, an external host can send a packet to the internal host only if the internal host had previously sent a packet to it."""

"""Port restricted cone NAT or symmetric NAT is like a restricted cone NAT, but the restriction includes port numbers. Specifically, an external host can send a packet to a particular port on the internal host only if the internal host had previously sent a packet from that port to the external host."""

The only other thing that comes to mind is that IPTables by itself does not by default filter based on connection(s) and / or state. However, there are match extensions that can be used to augment a basic IPTables rule to do just that. I.e. CONNMARK in conjunction with MARK.

> "Symmetric NAT" works on a per-connection basis and is the NAT form that
> is the easiest to implement with iptables using SNAT or MASQUERADE.

I understood Symmetric NAT to be a form of "one to many" or "many to many" NATing. The key part being the "... to many" in where multiple external IPs would be used. I know that it is possible (though I have not done it) to specify a range to SNAT traffic with IPTables to a range of IP addresses. I was not aware that MASQUERADE would do the same thing. I was under the impression that MASQUERADE used the single IP on an interface as the IP to SNAT traffic to.

Grant. . . .
* Re: Fwd: IPTables and different types of NAT
From: John A. Sullivan III @ 2007-02-08 15:05 UTC
To: Pedro Gonçalves; +Cc: netfilter

When we started automating the creation of NAT rules in the ISCS open source network security management framework (http://iscs.sourceforge.net), we were quickly amazed at how complicated it is once one steps away from the most basic forms. Ultimately, we did automate the creation of SNAT, DNAT and NETMAP rules for one-to-one, many-to-one, one-to-many, some-to-many, many-to-some, overlapping and nested NAT using something we called the "sliding marble" algorithm. We did separate access control from NAT so that we could preserve the highly granular and modular access control rules created by ISCS and simply integrate it with NAT. It was a daunting task that set us back three months but it all works. The algorithms and logic are all in the development docs in the ISCS CVS or, if you just want the end result, that part of ISCS is fully functional and ready for at least beta use.

So, yes, we have done some very complicated NAT setups but have also separated access control from NAT - John

On Thu, 2007-02-08 at 14:47 +0000, Pedro Gonçalves wrote:
> I still don't have a clear answer whether it is possible or not to
> implement all types of NAT.
>
> So, has anyone implemented *any* kind of NAT?
> If so, how have you done it?
>
> Best Regards
> Pedro
>
>
> ---------- Forwarded message ----------
> From: Grant Taylor <gtaylor@riverviewtech.net>
> Date: Feb 7, 2007 7:01 PM
> Subject: Re: IPTables and different types of NAT
> To: Mail List - Netfilter <netfilter@lists.netfilter.org>
>
> Pascal Hambourg wrote:
> > No. Please read more carefully the definitions of "restricted cone NAT"
> > and "port restricted cone NAT". Neither can be implemented with iptables
> > because they do not fit in the per-connection model.
>
> """With restricted cone NAT, all requests from the same internal IP
> address and port are mapped to the same external IP address and port.
> Unlike a full cone NAT, an external host can send a packet to the
> internal host only if the internal host had previously sent a packet to
> it."""
>
> """Port restricted cone NAT or symmetric NAT is like a restricted cone
> NAT, but the restriction includes port numbers. Specifically, an
> external host can send a packet to a particular port on the internal
> host only if the internal host had previously sent a packet from that
> port to the external host."""
>
> The only other thing that comes to mind is that IPTables by itself
> does not by default filter based on connection(s) and / or state.
> However, there are match extensions that can be used to augment a basic
> IPTables rule to do just that. I.e. CONNMARK in conjunction with MARK.
>
> > "Symmetric NAT" works on a per-connection basis and is the NAT form that
> > is the easiest to implement with iptables using SNAT or MASQUERADE.
>
> I understood Symmetric NAT to be a form of "one to many" or "many to
> many" NATing. The key part being the "... to many" in where multiple
> external IPs would be used. I know that it is possible (though I have
> not done it) to specify a range to SNAT traffic with IPTables to a range
> of IP addresses. I was not aware that MASQUERADE would do the same
> thing. I was under the impression that MASQUERADE used the single IP on
> an interface as the IP to SNAT traffic to.
>
>
>
> Grant. . . .
>

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
* Re: IPTables and different types of NAT
From: Pedro Gonçalves @ 2007-02-09 16:37 UTC
To: James Shewey, Mail List - Netfilter

James Shewey wrote:
> IPtables is capable of doing both types of nat listed on wikipedia
> using snat, dnat and masquerading. I implemented both at one point or
> another.

OK, but did you do it by yourself or did you get some information from some resource?

I think that someone must have already implemented the types of NAT I need:
- Full Cone NAT
- Restricted Cone NAT
- Port Restricted Cone NAT
- Symmetric NAT

I just don't want to re-invent the wheel; that's why I'm asking if somebody is willing to share IPTables rules which implement the kinds of NAT mentioned above.

Best regards
Pedro