From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@lists.netfilter.org>
Subject: Re: IPTables and different types of NAT
Date: Wed, 07 Feb 2007 13:01:21 -0600
Message-ID: <45CA2201.7040205@riverviewtech.net>
In-Reply-To: <45CA160E.90102@plouf.fr.eu.org>
Pascal Hambourg wrote:
> No. Please read more carefully the definitions of "restricted cone NAT"
> and "port restricted cone NAT". Neither can be implemented with iptables
> because they do not fit in the per-connection model.
"""With restricted cone NAT, all requests from the same internal IP
address and port are mapped to the same external IP address and port.
Unlike a full cone NAT, an external host can send a packet to the
internal host only if the internal host had previously sent a packet to
it."""
"""Port restricted cone NAT or symmetric NAT is like a restricted cone
NAT, but the restriction includes port numbers. Specifically, an
external host can send a packet to a particular port on the internal
host only if the internal host had previously sent a packet from that
port to the external host."""
The only other thing that comes to mind is that IPTables by itself
does not by default filter based on connection(s) and / or state.
However, there are match extensions that can be used to augment a basic
IPTables rule to do just that. I.e. CONNMARK in conjunction with MARK.
> "Symmetric NAT" works on a per-connection basis and is the NAT form that
> is the easiest to implement with iptables using SNAT or MASQUERADE.
I understood Symmetric NAT to be a form of "one to many" or "many to
many" NATing. The key part being the "... to many" in where multiple
external IPs would be used. I know that it is possible (though I have
not done it) to specify a range to SNAT traffic with IPTables to a range
of IP addresses. I was not aware that MASQUERADE would do the same
thing. I was under the impression that MASQUERADE used the single IP on
an interface as the IP to SNAT traffic to.
Grant. . . .
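The definitions quoted above can be made concrete with a small model. The following is an added example, not part of the original message or of the netfilter project: it simulates a NAT with one public address and a mapping table, and shows which inbound packets each behaviour admits. Full cone, restricted cone and port restricted cone follow the quoted definitions; the "symmetric" mode uses the RFC 3489 definition (a new mapping per destination), which differs from the quoted text that folds it into port restricted. All addresses, ports and the packet sequence are constructed sample values.

```python
"""Toy model of the NAT behaviours discussed in this thread (added example).

Constructed values only: 203.0.113.1 is the NAT's public address,
192.168.1.10:5000 the inside host, 198.51.100.x the outside peers.
"""
from dataclasses import dataclass, field
from itertools import count

PUBLIC_IP = "203.0.113.1"  # constructed public address (TEST-NET-3)


@dataclass
class Nat:
    mode: str  # "full", "restricted", "port_restricted" or "symmetric"
    # mapping key -> public port; the key is (src ip, src port) for the cone
    # variants and (src ip, src port, dst ip, dst port) for symmetric NAT
    mappings: dict = field(default_factory=dict)
    # public port -> set of (remote ip, remote port) the inside host has sent to
    peers: dict = field(default_factory=dict)
    _ports: count = field(default_factory=lambda: count(40000))

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside host sends a packet; returns the public port it is mapped to."""
        if self.mode == "symmetric":
            key = (src_ip, src_port, dst_ip, dst_port)  # one mapping per peer
        else:
            key = (src_ip, src_port)  # endpoint-independent mapping
        if key not in self.mappings:
            self.mappings[key] = next(self._ports)
        pub = self.mappings[key]
        self.peers.setdefault(pub, set()).add((dst_ip, dst_port))
        return pub

    def inbound(self, remote_ip, remote_port, pub_port):
        """Outside host sends to a public port; returns (inside ip, port) or None."""
        seen = self.peers.get(pub_port)
        if seen is None:
            return None  # no mapping exists for this public port
        if self.mode == "full":
            allowed = True  # anyone may use the mapping
        elif self.mode == "restricted":
            allowed = any(ip == remote_ip for ip, _ in seen)  # address must match
        else:
            # port_restricted and symmetric: the exact (ip, port) must have been
            # contacted first, which is what a per-connection tuple check gives
            allowed = (remote_ip, remote_port) in seen
        if not allowed:
            return None
        for key, port in self.mappings.items():
            if port == pub_port:
                return key[0], key[1]
        return None


def scenario(mode):
    """Inside host talks to two peers, then three outside senders try to reach it."""
    nat = Nat(mode)
    p1 = nat.outbound("192.168.1.10", 5000, "198.51.100.7", 3478)
    p2 = nat.outbound("192.168.1.10", 5000, "198.51.100.9", 3478)
    return {
        "same_public_port": p1 == p2,
        "known_peer_known_port": nat.inbound("198.51.100.7", 3478, p1) is not None,
        "known_peer_other_port": nat.inbound("198.51.100.7", 9999, p1) is not None,
        "stranger": nat.inbound("192.0.2.50", 3478, p1) is not None,
    }


if __name__ == "__main__":
    for mode in ("full", "restricted", "port_restricted", "symmetric"):
        print(mode, scenario(mode))
```

Running it shows the distinction that matters for iptables: only the port restricted and symmetric modes can be decided by looking at a single connection tuple, which is how conntrack works (inbound packets are accepted by matching an existing tuple). The restricted cone mode needs an address-only check shared across every connection that uses the same public port, and the full cone mode needs none at all. On the address question raised in the message, the SNAT target's `--to-source` does accept an `ipaddr-ipaddr` range, while MASQUERADE takes no address argument and always uses the address of the outgoing interface.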