From: "Mark E. Donaldson" <markee@bandwidthco.com>
To: 'Carl Farrington' <carl@compsup.net>, netfilter@lists.netfilter.org
Subject: RE: SNAT: I'm going insane
Date: Sat, 31 Jan 2004 11:20:59 -0800 [thread overview]
Message-ID: <200401311920.i0VJKn2O019262@server5.bandwidthco.com> (raw)
In-Reply-To: <739652C2AFA4834AAB5986A215F68CEC01656A@svr1.home.compsup.net>
Why would you want to DNAT all the return packets? Assuming the connection
was established from the inside, should not the state table handle this?
Now, if you are permitting a new connection from the outside, then you would
of course want to DNAT that through to the correct host.
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Carl Farrington
Sent: Saturday, January 31, 2004 11:01 AM
To: netfilter@lists.netfilter.org
Subject: RE: SNAT: I'm going insane
Sorry to hijack your discussion so to speak, but this has raised my
curiosity. Why would someone want to do this? And for it to work, presumably
you would have 206.230.187.15 DNAT everything else back to 10.2.2.2?
Is it a bit like doing MASQ but without the full packet-modification?
> -----Original Message-----
> From: Brian Capouch [mailto:brianc@palaver.net]
> Sent: 31 January 2004 07:05
> To: netfilter@lists.netfilter.org
> Subject: SNAT: I'm going insane
>
> This ought to be the simplest thing in the world, and I have rules like
> this that work. I hope someone can see something glaringly wrong with
> what I'm doing here:
>
> I want to SNAT all traffic from an internal address (10.2.2.2) to an
> external one. So I add to my rules:
>
> iptables -t nat -I POSTROUTING -s 10.2.2.2 -j SNAT --to-source
> 206.230.187.15
>
> I test and my ssh traffic is passing perfectly; I go out to machines on
> the net and they show me coming in from 206.230.187.15.
>
> But some--BUT NOT ALL--of my UDP traffic seems to be heading out without
> any change.
>
> A short sniff on the *output* interface shows:
>
> 02:31:56.696763 10.2.2.2.4569 > blah.blah.net.4569: udp 25 (DF) [tos 0x10]
>
> 02:31:58.699259 10.2.2.2.4569 > blah.blah.net.4569: udp 25 (DF) [tos 0x10]
>
> 02:32:06.704660 10.2.2.2.4569 > blah.blah.net.4569: udp 12 (DF) [tos 0x10]
>
> And the packet counters (which I reset for the test) show nothing
> passing through:
>
> 0 0 SNAT all -- * eth1 10.2.2.2 0.0.0.0/0 to:206.230.187.15
>
> UDP traffic going to port 5036, which is heading from this same machine
> to the same remote endpoint machine, gets NATted perfectly.
>
> ***************************************
>
> Does anyone know what I'm doing wrong? Other similar rules in this same
> table seem to be doing just what they need to. . . .
>
> Thanks in advance for anyone who might be able to offer a potential
> explanation.
>
> B.
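Editor's added illustration (not code from the thread or from netfilter itself) of the "state table" point Mark raises above, applied to Brian's symptom. Netfilter consults the nat table only for the first packet of a flow; the decision it reaches (SNAT to some address, or no NAT at all) is stored in the conntrack entry and reused for every later packet of that flow, so the SNAT rule's counter only ever advances on NEW packets. A rule inserted with `-I` while a UDP flow is already being tracked therefore never touches that flow: periodic datagrams such as the 4569 stream in the sniff (sent every few seconds, well inside the 30 s UDP conntrack timeout) keep the pre-rule entry alive indefinitely, while the 5036 traffic, being a new flow, hits the rule and is rewritten. The model below reproduces that, and shows the two ways out: let the flow idle past its timeout, or flush the table (`conntrack -F`) so the next packet is NEW again. The `Packet`/`Conntrack` classes, the 30 s timeout value, and the remote address `198.51.100.10` standing in for blah.blah.net are all constructed for the example.

```python
"""Model of netfilter's NAT-on-first-packet rule.  Added illustration for
the thread above, not netfilter code; classes, timeout and sample flows
are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


@dataclass
class SnatRule:
    """iptables -t nat -A POSTROUTING -s <match_src> -j SNAT --to-source <to_source>"""
    match_src: str
    to_source: str
    pkts: int = 0  # the pkts counter that `iptables -t nat -L -v` shows


FlowKey = Tuple[str, str, int, str, int]


class Conntrack:
    """The nat table is walked only for the first (NEW) packet of a flow; the
    outcome is remembered with the conntrack entry and reused afterwards."""

    UDP_TIMEOUT = 30.0  # assumption: default nf_conntrack_udp_timeout, seconds

    def __init__(self, rules: List[SnatRule]) -> None:
        self.rules = rules  # nat/POSTROUTING chain, in order
        self.entries: Dict[FlowKey, Tuple[Optional[str], float]] = {}

    def postrouting(self, pkt: Packet, now: float) -> Packet:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        entry = self.entries.get(key)
        if entry is not None and now - entry[1] > self.UDP_TIMEOUT:
            entry = None  # flow went idle and expired: next packet is NEW again
        if entry is None:
            mapping: Optional[str] = None  # NEW: walk the nat chain once
            for rule in self.rules:
                if rule.match_src == pkt.src:
                    rule.pkts += 1  # only NEW packets ever hit the rule
                    mapping = rule.to_source
                    break
        else:
            mapping = entry[0]  # ESTABLISHED: reuse the stored decision
        self.entries[key] = (mapping, now)  # every packet refreshes the timeout
        if mapping is None:
            return pkt
        return Packet(mapping, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    def flush(self) -> None:
        """Equivalent of `conntrack -F`: forget every tracked flow."""
        self.entries.clear()


def reproduce() -> dict:
    """Brian's scenario: a periodic 4569 flow tracked before the rule exists."""
    ct = Conntrack([])
    iax = Packet("10.2.2.2", 4569, "198.51.100.10", 4569)  # constructed flow
    ct.postrouting(iax, now=0.0)  # tracked with "no NAT" before any rule exists
    rule = SnatRule("10.2.2.2", "206.230.187.15")
    ct.rules.insert(0, rule)  # iptables -t nat -I POSTROUTING -s 10.2.2.2 -j SNAT ...
    # datagrams 2-8 s apart stay inside the 30 s timeout: entry never expires
    after_rule = [ct.postrouting(iax, now=t).src for t in (2.0, 4.0, 12.0, 20.0)]
    sip = Packet("10.2.2.2", 5036, "198.51.100.10", 5036)  # new flow, same host
    new_flow = ct.postrouting(sip, now=21.0).src
    pkts_before_flush = rule.pkts
    ct.flush()  # conntrack -F
    after_flush = ct.postrouting(iax, now=22.0).src
    return {
        "4569_after_rule": after_rule,          # still 10.2.2.2, counter untouched
        "5036": new_flow,                       # 206.230.187.15
        "rule_pkts_before_flush": pkts_before_flush,
        "4569_after_flush": after_flush,        # 206.230.187.15
        "rule_pkts_after_flush": rule.pkts,
    }


def idle_flow_is_renatted() -> Tuple[str, str]:
    """Same pre-rule flow, but it goes quiet for longer than the UDP timeout."""
    ct = Conntrack([])
    flow = Packet("10.2.2.2", 4569, "198.51.100.10", 4569)
    ct.postrouting(flow, now=0.0)
    ct.rules.insert(0, SnatRule("10.2.2.2", "206.230.187.15"))
    within_timeout = ct.postrouting(flow, now=10.0).src   # 10.2.2.2
    after_timeout = ct.postrouting(flow, now=41.0).src    # 206.230.187.15
    return within_timeout, after_timeout


if __name__ == "__main__":
    print(reproduce())
    print(idle_flow_is_renatted())
```

The practical check on a real box is `conntrack -L -p udp --orig-port-src 4569` (or `cat /proc/net/ip_conntrack` on a 2.4 kernel like the one in the thread): an entry for the 4569 flow that carries no SNAT mapping confirms it was created before the rule. Flushing that entry, or the whole table, is what lets the new rule apply; the same mechanism is why the SNAT counters stay at zero even though the rule is correct.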
Thread overview: 8+ messages
2004-01-31 19:00 SNAT: I'm going insane Carl Farrington
2004-01-31 19:20 ` Mark E. Donaldson [this message]
-- strict thread matches above, loose matches on Subject: below --
2004-01-31 19:22 Carl Farrington
2004-01-31 19:37 ` Cedric Blancher
[not found] ` <401C05E1.5030204@palaver.net>
2004-01-31 21:06 ` Cedric Blancher
2004-01-31 7:04 Brian Capouch
2004-01-31 17:55 ` John A. Sullivan III
2004-01-31 18:58 ` Mark E. Donaldson