From: "Gáspár Lajos" <swifty@freemail.hu>
To: Constantine Filin <constfilin@yahoo.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Matching altered packets in NAT table...
Date: Mon, 21 Aug 2006 09:30:39 +0200
Message-ID: <44E9611F.1090507@freemail.hu>
In-Reply-To: <20060821055634.13620.qmail@web30602.mail.mud.yahoo.com>
Constantine Filin wrote:
> Dear List:
>
> I am trying to solve the problem described at http://lists.netfilter.org/pipermail/netfilter/2006-August/066491.html
> (How do I make NAT table work reliably?) and for this I'd like to make sure that I understand iptables documentation
> correctly.
>
> 2 simple questions:
>
> a) If I have a rule in PREROUTING NAT table
>
> -A PREROUTING -s 204.147.182.21 -d 204.147.182.200 -p udp -m udp --sport 8000 --dport 23330 -j DNAT --to-destination 207.5.64.156:25590
>
> where 204.147.182.200 is the IP address of my host and 204.147.182.21 with 207.5.64.156 are two other hosts
> I am communicating with, then in the POSTROUTING table, should I match this packet by its *original* destination address
> or by its *new* (altered) destination address. In other words - in POSTROUTING table do I write
>
>
After this PREROUTING ==> NEW DESTINATION address.
> -A POSTROUTING -d 204.147.182.200 -p udp -m udp --dport 23330 -j SNAT --to-source 204.147.182.200:21226
> (matching by the original destination) or
> -A POSTROUTING -d 207.5.64.156 -p udp -m udp --dport 25590 -j SNAT --to-source 204.147.182.200:21226
> (matching by the altered destination)
>
>
Last one....
> ???
>
> b) If I set up iptables so that all UDP packets coming from 204.147.182.21:8000 to my 204.147.182.200:23330 are redirected to
> 207.5.64.156:25590 from my 204.147.182.200:21226, then how do these packets register in the conntrack? I can see 2 options:
>
> 204.147.182.21:8000 <=> 204.147.182.200:23330
> 204.147.182.21:8000 <=> 204.147.182.200:21226
>
> Or are there going to be 2 separate conntrack entries?
>
>
This may be helpful: (If I understand you right... :) )
iptables -t mangle -A PREROUTING -j CONNMARK -p udp -m udp -s 204.147.182.21 --sport 8000 -d 204.147.182.200 --dport 23330 --set-mark 1
iptables -t nat -A PREROUTING -j DNAT -i $IN_IF -m connmark --mark 1 --to-destination 207.5.64.156:25590
iptables -t nat -A POSTROUTING -j SNAT -o $OUT_IF -m connmark --mark 1 --to-source 204.147.182.200:21226
> ???
>
> Thank you for your insight
>
> Constantine
>
>
>
>
Swifty
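The two questions above come down to the order in which netfilter applies the nat table and what conntrack records afterwards. The following is an added example, not code from either poster or from the netfilter project: a small Python model of that order, using the addresses from the thread. It walks the first packet of a new flow through nat PREROUTING (before routing), then nat POSTROUTING (after routing, so the rule sees the DNATed destination), and builds the conntrack entry as an original tuple plus a reply tuple. It is a simplification of real conntrack (no timeouts, no interfaces, first matching rule wins per chain), and the rule and tuple classes are this example's own constructs, not a netfilter API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowTuple:
    """One direction of a UDP flow: the addresses conntrack keys on."""
    src: str
    sport: int
    dst: str
    dport: int

    def reversed(self) -> "FlowTuple":
        return FlowTuple(self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class NatRule:
    """Model of one nat-table rule: fields it matches on and the mapping it applies."""
    match: dict          # subset of {"src", "sport", "dst", "dport"}, like -s/--sport/-d/--dport
    target: str          # "DNAT" or "SNAT"
    to_ip: str
    to_port: int

    def matches(self, pkt: FlowTuple) -> bool:
        # A rule compares against the packet as it looks at this hook,
        # which is why POSTROUTING sees the altered destination.
        return all(getattr(pkt, k) == v for k, v in self.match.items())

    def apply(self, pkt: FlowTuple) -> FlowTuple:
        if self.target == "DNAT":
            return FlowTuple(pkt.src, pkt.sport, self.to_ip, self.to_port)
        if self.target == "SNAT":
            return FlowTuple(self.to_ip, self.to_port, pkt.dst, pkt.dport)
        raise ValueError(f"unknown target {self.target}")


def run_chain(pkt, rules):
    """First matching rule wins; the nat table applies one mapping per chain."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.apply(pkt), rule
    return pkt, None


def first_packet(pkt, prerouting, postrouting):
    """Walk a new flow's first packet through nat PREROUTING, routing, nat POSTROUTING.

    Returns the packet as it leaves, the POSTROUTING rule that hit (or None),
    and the conntrack entry: original tuple as received, reply tuple as the
    peer will send it back (the reverse of the fully NATed packet).
    """
    after_dnat, _ = run_chain(pkt, prerouting)
    after_snat, hit = run_chain(after_dnat, postrouting)
    conn = {"original": pkt, "reply": after_snat.reversed()}
    return after_snat, hit, conn


def reply_packet(pkt, conn):
    """Un-NAT a reply from the conntrack entry; the nat table is not consulted again.

    Returns the packet as delivered to the original sender, or None if it is
    not the reply direction of this flow.
    """
    if pkt == conn["reply"]:
        return conn["original"].reversed()
    return None


# Addresses from the thread: peer A -> this host, forwarded to peer B.
INCOMING = FlowTuple("204.147.182.21", 8000, "204.147.182.200", 23330)
PREROUTING = [NatRule({"src": "204.147.182.21", "sport": 8000,
                       "dst": "204.147.182.200", "dport": 23330},
                      "DNAT", "207.5.64.156", 25590)]
# Option 1 from the question: POSTROUTING matches on the original destination.
POST_ORIGINAL = [NatRule({"dst": "204.147.182.200", "dport": 23330},
                         "SNAT", "204.147.182.200", 21226)]
# Option 2: POSTROUTING matches on the altered destination.
POST_ALTERED = [NatRule({"dst": "207.5.64.156", "dport": 25590},
                        "SNAT", "204.147.182.200", 21226)]


if __name__ == "__main__":
    for label, post in (("original dst", POST_ORIGINAL), ("altered dst", POST_ALTERED)):
        sent, hit, conn = first_packet(INCOMING, PREROUTING, post)
        print(f"POSTROUTING matching {label}: SNAT hit={hit is not None}")
        print(f"  sent:     {sent}")
        print(f"  original: {conn['original']}")
        print(f"  reply:    {conn['reply']}")
        back = reply_packet(conn["reply"], conn)
        print(f"  reply from peer B is delivered as: {back}")
```

Running it shows that the POSTROUTING rule keyed on the original destination never matches (the packet already carries 207.5.64.156:25590 at that hook), while the one keyed on the altered destination does. The flow is a single conntrack entry whose original tuple is 204.147.182.21:8000 to 204.147.182.200:23330 and whose reply tuple is 207.5.64.156:25590 to 204.147.182.200:21226; the reply is rewritten from that entry alone, which is also why the CONNMARK approach in the reply above works once the mark is set on the first packet.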