From: Tish Best <tish.best@wichita.edu>
To: netfilter@lists.netfilter.org
Subject: Explanation Needed for connection tracking with NAT One-Way
Date: Wed, 09 Jun 2004 20:51:02 -0500
Message-ID: <40C7AA91@webmail.wichita.edu>

I am trying to test some research ideas and am not able to perform NAT 
translation on incoming packets only. I am trying to explain why, and am 
looking for a confirmation (or correction) of what I think is happening. I 
have two Routers (B and C) in my network. I am trying to send packets directly 
from A to D through B, but route the replies through C and B using NAT 
translation.

                   D
                  / \
                 /   \
         A --- B ---- C

The gateway route of Host D is to Router C. Router C has the following 
iptables entries in the NAT PREROUTING and NAT POSTROUTING tables.

iptables -t nat -A PREROUTING -s D -d A -j DNAT --to B
iptables -t nat -A POSTROUTING -s D -d B -j SNAT --to C

Router B has the following entries in its iptables NAT PREROUTING and 
POSTROUTING tables.

iptables -t nat -A PREROUTING -s C -d B -j LOG
iptables -t nat -A PREROUTING -s C -d B -j DNAT --to A
iptables -t nat -A POSTROUTING -s C -d A -j LOG
iptables -t nat -A POSTROUTING -s C -d A -j SNAT --to D

I am able to see the first TCP SYN packet travel from A through B to D. At 
this point Router B has an ip_conntrack entry from A to D. I then see the 
reply travel from D to C. C successfully performs NAT translation, and the 
packet is sent to Router B with a source of C and a destination of B. I added 
logging to the iptables entries in Router B, and I see the packet get 
translated in both the PREROUTING and the POSTROUTING tables, but the packet 
is never sent. I never see a new conntrack entry for this packet.

I think that Router B is dropping the packet through connection tracking since 
it cannot add a new conntrack entry for this packet because it already has an 
entry for packets from A to D that do not require NAT translation. If it added 
a new entry, then it would not know whether to translate the next packet from 
A to D or send it directly to D.

Is this analysis correct? Is there any way to send packets directly to D and 
route them back to A through C and B using NAT translation the way I have 
described, using iptables or otherwise? Any explanation of what criteria 
connection tracking uses to drop packets in this case would be a great help.

Thanks,
Tish Best
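The situation the message describes, as an added illustration that is not part of the original post and is not the kernel's own code: a small Python model of the connection-tracking behaviour in question. It assumes the usual conntrack design, namely that every connection is keyed by the 5-tuple of its first packet together with the tuple a reply is expected to carry, that NAT decisions are taken once, on that first packet, and rewrite the expected reply tuple, and that the entry is only inserted into the table ("confirmed") after NAT has run, with the insert refused when either tuple is already present. TCP state checks, timeouts and port matching in rules are left out. The addresses, ports and helper names (Tuple5, Router, scenario) are constructed for the example.

```python
"""Constructed model of netfilter conntrack + NAT on Router B (not kernel code)."""
from dataclasses import dataclass, replace as with_fields


@dataclass(frozen=True)
class Tuple5:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def inverted(self) -> "Tuple5":
        return Tuple5(self.dst, self.src, self.dport, self.sport, self.proto)


@dataclass
class Conn:
    orig: Tuple5            # tuple of the first packet seen
    reply: Tuple5           # tuple a reply is expected to carry (after NAT)
    confirmed: bool = False


@dataclass(frozen=True)
class NatRule:
    chain: str              # "PREROUTING" (DNAT) or "POSTROUTING" (SNAT)
    src: str
    dst: str
    action: str             # "DNAT" or "SNAT"
    to: str


class Router:
    def __init__(self, rules):
        self.rules = rules
        self.table = {}         # both tuples of every confirmed entry
        self.insert_failed = 0  # confirm refused because a tuple already existed

    def _nat(self, chain, pkt, conn):
        for r in self.rules:
            if r.chain == chain and (r.src, r.dst) == (pkt.src, pkt.dst):
                pkt = with_fields(pkt, dst=r.to) if r.action == "DNAT" else with_fields(pkt, src=r.to)
                # NAT is bound to the connection: the inverse of what leaves in
                # the original direction is the tuple a reply must carry.
                conn.reply = pkt.inverted()
                return pkt      # first matching rule wins, as in iptables
        return pkt

    def forward(self, pkt):
        """Return ("sent", egress tuple) or ("dropped", reason)."""
        conn = self.table.get(pkt)
        if conn is not None:
            # Known connection: apply the stored mapping, no rule lookup at all.
            out = conn.reply.inverted() if pkt == conn.orig else conn.orig.inverted()
            return ("sent", out)
        conn = Conn(orig=pkt, reply=pkt.inverted())
        pkt = self._nat("PREROUTING", pkt, conn)
        pkt = self._nat("POSTROUTING", pkt, conn)
        # Confirm step: the entry is inserted only now, and the insert is
        # refused if either of its tuples is already owned by another entry.
        if conn.orig in self.table or conn.reply in self.table:
            self.insert_failed += 1
            return ("dropped", "conntrack insert failed: tuple already in table")
        conn.confirmed = True
        self.table[conn.orig] = conn
        self.table[conn.reply] = conn
        return ("sent", pkt)


# Constructed addresses for the hosts in the diagram.
A, B, C, D = "10.0.0.1", "10.0.0.2", "10.0.1.2", "10.0.1.1"
ROUTER_B_RULES = [
    NatRule("PREROUTING", C, B, "DNAT", A),   # -A PREROUTING  -s C -d B -j DNAT --to A
    NatRule("POSTROUTING", C, A, "SNAT", D),  # -A POSTROUTING -s C -d A -j SNAT --to D
]


def scenario(prior_syn: bool) -> dict:
    """Replay the exchange on Router B, with or without the untranslated A->D SYN."""
    b = Router(ROUTER_B_RULES)
    results = {}
    if prior_syn:
        results["syn"] = b.forward(Tuple5(A, D, 40000, 80))  # A -> D straight through B
    # The SYN/ACK from D, already rewritten by Router C to look like C -> B.
    results["synack"] = b.forward(Tuple5(C, B, 80, 40000))
    results["insert_failed"] = b.insert_failed
    return results


if __name__ == "__main__":
    print("with prior SYN:   ", scenario(prior_syn=True))
    print("without prior SYN:", scenario(prior_syn=False))
```

With the A-to-D SYN already tracked, the rewritten SYN/ACK passes both NAT chains (which is why it shows up in the PREROUTING and POSTROUTING logs) but its expected reply tuple, A-to-D, is the original tuple of the existing entry, so the confirm step refuses the insert and the packet is dropped without a new entry ever appearing. Run without the prior SYN, the same packet is confirmed and leaves as D-to-A. On a current kernel the corresponding counter is the insert_failed column of /proc/net/stat/nf_conntrack, which is the first thing to check when a translated packet is logged but never sent.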


