From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@lists.netfilter.org
Subject: Re: NAT on stateless firewall ?
Date: Fri, 03 Aug 2007 11:55:35 +0200
Message-ID: <46B2FB97.3090605@plouf.fr.eu.org>
In-Reply-To: <46B26400.7050504@andrei.myip.org>

Hello,

Florin Andrei wrote:
[...]
> Since HTTP is the only thing traversing the firewall,

Really? No ICMP error messages, no outgoing DNS queries?

> The problem is, NAT seems to imply stateful filtering. The moment I 
> start playing with the nat table, the ip_conntrack module gets loaded.

Iptables NAT is stateful by design and requires the connection tracking. 
However it does not imply stateful filtering, i.e. the use of connection 
tracking matches such as 'state' or 'conntrack' in filtering rules.

> Is there a way to do NAT on a true stateless firewall? (no conntrack 
> loaded)

There used to be a stateless NAT implemented in the routing code of old 
kernels, enabled by the option CONFIG_IP_ROUTE_NAT. It could be set up 
with 'ip rule' and 'ip route' commands. But it was considered broken and 
has been removed since version 2.6.9. However, it is still present in 
recent 2.4 kernels.

> If the answer to the previous q is negative, can I just ignore conntrack 
> and build the filter and nat tables as if conntrack would not exist?

Yes, of course. But keep in mind that iptables NAT is stateful by design.

> I stumbled upon "-t raw" and I'm testing it, looks like it does what I need.

If you mean using the NOTRACK target, this is a bad idea. Packets in the 
UNTRACKED state will be ignored by the connection tracking *and* thus by 
the stateful NAT which depends on it.
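The dependency described above (raw table, then conntrack, then nat table) as an added toy model; this is not netfilter code and not part of the thread, and the rule sets, addresses and helper names are constructed for illustration. It shows that a blanket NOTRACK rule in the raw table leaves a DNAT rule in the nat table with nothing to act on, while exempting only traffic that never needs NAT keeps the DNAT working.

```python
# Toy model of the PREROUTING path: raw -> conntrack -> nat. Added example,
# not kernel code; rule sets and addresses below are constructed.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    proto: str
    dst: str
    dport: int
    state: str = "NEW"          # conntrack state; "UNTRACKED" after NOTRACK

@dataclass
class Rule:
    proto: Optional[str]        # None matches any protocol
    dport: Optional[int]        # None matches any destination port
    target: str                 # "NOTRACK" (raw table) or "DNAT" (nat table)
    to: Optional[str] = None    # new destination for DNAT

    def matches(self, pkt: Packet) -> bool:
        return self.proto in (None, pkt.proto) and self.dport in (None, pkt.dport)

def traverse_prerouting(pkt: Packet, raw: List[Rule], nat: List[Rule]) -> Packet:
    """Run a packet through the raw table, conntrack, and then the nat table."""
    for rule in raw:
        if rule.target == "NOTRACK" and rule.matches(pkt):
            pkt.state = "UNTRACKED"     # conntrack creates no entry for it
            break
    if pkt.state == "UNTRACKED":
        return pkt                      # NAT needs a tracked connection: skipped
    for rule in nat:
        if rule.target == "DNAT" and rule.matches(pkt):
            pkt.dst = rule.to           # only tracked packets reach this point
            break
    return pkt

# Constructed rule sets. The poster's idea: NOTRACK everything in raw.
NOTRACK_ALL = [Rule(None, None, "NOTRACK")]
# Alternative: exempt only traffic that never needs NAT (here DNS), keep HTTP tracked.
NOTRACK_DNS_ONLY = [Rule("udp", 53, "NOTRACK")]
# nat table: forward inbound HTTP to an internal host.
DNAT_HTTP = [Rule("tcp", 80, "DNAT", to="10.0.0.10")]

def final_destination(raw: List[Rule], nat: List[Rule],
                      proto: str = "tcp", dport: int = 80) -> str:
    """Destination address a packet ends up with after PREROUTING."""
    pkt = Packet(proto, "203.0.113.1", dport)
    return traverse_prerouting(pkt, raw, nat).dst
```

With NOTRACK_ALL the HTTP packet keeps its original destination (the DNAT rule never sees it); with NOTRACK_DNS_ONLY it is rewritten to 10.0.0.10 while DNS stays untracked and unchanged.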
