* iptables - full cone
From: Hugo Miguel Mendes @ 2009-04-01 18:36 UTC (permalink / raw)
  To: netfilter@vger.kernel.org

Dear all,

I'm using iptables 1.3.8, and I need to implement a full cone NAT which has to be capable of doing the following:
1. A packet is sent from a machine in the LAN from Address1:port100 to a machine in the WAN with Address3:port200. The NAT converts the local Address1:port100 to Address2:port100, which is the address assigned to the home router by the ISP. So this packet is sent with source: Address2:port100 and destination: Address3:port200.
2. The packet received by the machine in the WAN in 1) is processed, and then the answer comes from a different machine with a different address but using the same ports. So the response packet is sent by Address4:port200 to Address2:port100. So this packet has source: Address4:port200 and destination: Address2:port100.
3. When the home router receives the response packet it has to ignore the sending address in the matching table, so that all traffic received on Address2:port100 is simply forwarded to Address1:port100. This is just a Full Cone NAT.

I have read some tutorials about iptables and the only way I have found to do this is to make a rule that forwards all traffic that arrives at Address2:port100 to Address1:port100. This does the job for just one machine on the LAN which has a static IP and will always contact the same machine on the WAN.
What I really want to do is implement a Full Cone NAT in which a packet sent from Address1:port100, which is translated to Address2:port100 by the NAT and goes to Address3:port200, activates port100 in the home router so that any packets arriving on port100 will be forwarded to Address1:port100. And this would just work for any number of machines.

Is there any way of doing so in the actual iptables, or will I have to add this feature to iptables?

Best Regards

Hugo Mendes


* Re: iptables - full cone
From: Jozsef Kadlecsik @ 2009-04-02 13:37 UTC (permalink / raw)
  To: Hugo Miguel Mendes; +Cc: netfilter@vger.kernel.org

On Wed, 1 Apr 2009, Hugo Miguel Mendes wrote:

> I'm using iptables 1.3.8, and I need to implement a full cone NAT which has to be capable of doing the following:
> 1. A packet is sent from a machine in the LAN from Address1:port100 to a machine in the WAN with Address3:port200. The NAT converts the local Address1:port100 to Address2:port100, which is the address assigned to the home router by the ISP. So this packet is sent with source: Address2:port100 and destination: Address3:port200.
> 2. The packet received by the machine in the WAN in 1) is processed, and then the answer comes from a different machine with a different address but using the same ports. So the response packet is sent by Address4:port200 to Address2:port100. So this packet has source: Address4:port200 and destination: Address2:port100.
> 3. When the home router receives the response packet it has to ignore the sending address in the matching table, so that all traffic received on Address2:port100 is simply forwarded to Address1:port100. This is just a Full Cone NAT.
> 
> I have read some tutorials about iptables and the only way I have found to do this is to make a rule that forwards all traffic that arrives at Address2:port100 to Address1:port100. This does the job for just one machine on the LAN which has a static IP and will always contact the same machine on the WAN.
> What I really want to do is implement a Full Cone NAT in which a packet sent from Address1:port100, which is translated to Address2:port100 by the NAT and goes to Address3:port200, activates port100 in the home router so that any packets arriving on port100 will be forwarded to Address1:port100. And this would just work for any number of machines.
> 
> Is there any way of doing so in the actual iptables, or will I have to add this feature to iptables?

Netfilter implements port restricted cone NAT, so you cannot create a full 
cone NAT with it. I don't think it'd be easy to add such a feature.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary


* Re: iptables - full cone
From: Mart Frauenlob @ 2009-04-10  7:50 UTC (permalink / raw)
  To: netfilter

netfilter-owner@vger.kernel.org wrote:
> Dear all,
>
> I'm using iptables 1.3.8, and I need to implement a full cone NAT which has to be capable of doing the following:
> 1. A packet is sent from a machine in the LAN from Address1:port100 to a machine in the WAN with Address3:port200. The NAT converts the local Address1:port100 to Address2:port100, which is the address assigned to the home router by the ISP. So this packet is sent with source: Address2:port100 and destination: Address3:port200.
> 2. The packet received by the machine in the WAN in 1) is processed, and then the answer comes from a different machine with a different address but using the same ports. So the response packet is sent by Address4:port200 to Address2:port100. So this packet has source: Address4:port200 and destination: Address2:port100.
> 3. When the home router receives the response packet it has to ignore the sending address in the matching table, so that all traffic received on Address2:port100 is simply forwarded to Address1:port100. This is just a Full Cone NAT.
>
> I have read some tutorials about iptables and the only way I have found to do this is to make a rule that forwards all traffic that arrives at Address2:port100 to Address1:port100. This does the job for just one machine on the LAN which has a static IP and will always contact the same machine on the WAN.
> What I really want to do is implement a Full Cone NAT in which a packet sent from Address1:port100, which is translated to Address2:port100 by the NAT and goes to Address3:port200, activates port100 in the home router so that any packets arriving on port100 will be forwarded to Address1:port100. And this would just work for any number of machines.
>
> Is there any way of doing so in the actual iptables, or will I have to add this feature to iptables?
>
> Best Regards
>
> Hugo Mendes
>   

Just for curiosity:

sorry if I write complete nonsense, I've never ever hacked with 
libnetfilter...
This is based on the assumption that it's possible to create conntrack 
entries from within libnetfilter, which may be completely wrong...

ok trying to figure:

LAN host A1:100 sends a packet to WAN host A3:200. When the packet arrives 
at the router, it is sent to nfqueue.
There a conntrack entry is created, to expect the answer from WAN host 
A4:200.
The NAT to A3 is still done.
The packet goes to A3, comes back from A4:200, and conntrack sees the entry we 
created in our nfqueue.
Now a rule should NAT that packet as coming from A2 (so client A1 will 
not talk back to A4).
Finally the packet gets forwarded to the client, which only sees itself 
talking with A2.
The whole thing iterates again...

Is that doable? Or just a waste of brain?

greets

Mart


* Re: iptables - full cone
From: Mart Frauenlob @ 2009-04-10  7:57 UTC (permalink / raw)
  To: netfilter

Mart Frauenlob wrote:
> netfilter-owner@vger.kernel.org wrote:
>> Dear all,
>>
>> I'm using iptables 1.3.8, and I need to implement a full cone NAT 
>> which has to be capable of doing the following:
>> 1. A packet is sent from a machine in the LAN from Address1:port100 
>> to a machine in the WAN with Address3:port200. The NAT converts the 
>> local Address1:port100 to Address2:port100, which is the address 
>> assigned to the home router by the ISP. So this packet is sent with 
>> source: Address2:port100 and destination: Address3:port200.
>> 2. The packet received by the machine in the WAN in 1) is processed, 
>> and then the answer comes from a different machine with a different 
>> address but using the same ports. So the response packet is sent by 
>> Address4:port200 to Address2:port100. So this packet has source: 
>> Address4:port200 and destination: Address2:port100.
>> 3. When the home router receives the response packet it has to ignore 
>> the sending address in the matching table, so that all traffic 
>> received on Address2:port100 is simply forwarded to Address1:port100. 
>> This is just a Full Cone NAT.
>>
>> I have read some tutorials about iptables and the only way I have 
>> found to do this is to make a rule that forwards all traffic that arrives 
>> at Address2:port100 to Address1:port100. This does the job for just 
>> one machine on the LAN which has a static IP and will always contact 
>> the same machine on the WAN.
>> What I really want to do is implement a Full Cone NAT in which a 
>> packet sent from Address1:port100, which is translated to 
>> Address2:port100 by the NAT and goes to Address3:port200, activates 
>> port100 in the home router so that any packets arriving on port100 
>> will be forwarded to Address1:port100. And this would just work for 
>> any number of machines.
>>
>> Is there any way of doing so in the actual iptables, or will I have to 
>> add this feature to iptables?
>>
>> Best Regards
>>
>> Hugo Mendes
>>   
>
> Just for curiosity:
>
> sorry if I write complete nonsense, I've never ever hacked with 
> libnetfilter...
> This is based on the assumption that it's possible to create 
> conntrack entries from within libnetfilter, which may be completely 
> wrong...
>
> ok trying to figure:
>
> LAN host A1:100 sends a packet to WAN host A3:200. When the packet arrives 
> at the router, it is sent to nfqueue.
> There a conntrack entry is created, to expect the answer from WAN host 
> A4:200.
> The NAT to A3 is still done.
> The packet goes to A3, comes back from A4:200, and conntrack sees the entry we 
> created in our nfqueue.
> Now a rule should NAT that packet as coming from A2 (so client A1 will 
> not talk back to A4).
> Finally the packet gets forwarded to the client, which only sees itself 
> talking with A2.
> The whole thing iterates again...
>
should be:
Now a rule should NAT that packet as coming from A3 (so client A1 will 
not talk back to A4).
Finally the packet gets forwarded to the client, which only sees itself 
talking with A3.

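As an added illustration for this thread (example code written for this page, not netfilter's code and not code from anyone in the thread), the following Python model plays the three steps from Hugo's post through each NAT type, and then adds the per-flow expectation Mart sketches, using his correction that the reply should be presented to the LAN host as coming from A3. Everything in it is constructed: the Address1..Address4 names are the placeholders from the post, Address5 and Address6 are extra placeholders introduced here, the port allocator is a simplification, and `expect()` is a stand-in for the conntrack expectation Mart assumes can be created from a queue handler. The point for a defender is visible in the results: under full cone behaviour, any WAN host, not only the one that was contacted, can reach the LAN host through the open port, which is exactly what the port-restricted behaviour Jozsef describes prevents; a per-flow expectation admits one extra endpoint instead of opening the port to everyone.

```python
"""Toy model of NAT 'cone' types, added as an illustration for this thread.

Constructed example, not netfilter's implementation: it keeps the state a NAT
would hold for an outbound flow and asks which inbound packets each NAT type
admits. Address1..Address4 are the placeholder names from the original post;
the port allocator and expect() are simplifications (assumptions).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    int_ip: str                              # LAN endpoint behind this public port
    int_port: int
    peers: set = field(default_factory=set)  # WAN endpoints the LAN host has contacted


class ConeNat:
    """One NAT with a single public address; mode selects the cone behaviour."""

    MODES = ("full", "address_restricted", "port_restricted")

    def __init__(self, public_ip: str, mode: str):
        if mode not in self.MODES:
            raise ValueError(mode)
        self.public_ip = public_ip
        self.mode = mode
        self.mappings = {}      # public_port -> Mapping
        self.by_internal = {}   # (int_ip, int_port) -> public_port
        self.expectations = {}  # (public_port, ext_ip, ext_port) -> source shown to the LAN host

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: create or refresh the mapping and return the translated packet."""
        key = (pkt.src_ip, pkt.src_port)
        public_port = self.by_internal.get(key)
        if public_port is None:
            public_port = pkt.src_port           # port-preserving, as in the post
            while public_port in self.mappings:  # hypothetical collision handling, not netfilter's allocator
                public_port += 1
            self.by_internal[key] = public_port
            self.mappings[public_port] = Mapping(pkt.src_ip, pkt.src_port)
        self.mappings[public_port].peers.add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def expect(self, public_port: int, ext_ip: str, ext_port: int, present_as: tuple) -> None:
        """Mart's idea (hypothetical): a per-flow expectation that admits one specific
        WAN endpoint and rewrites its source so the LAN host still sees the peer it contacted."""
        self.expectations[(public_port, ext_ip, ext_port)] = present_as

    def inbound(self, pkt: Packet):
        """WAN -> LAN: return the translated packet, or None if the NAT drops it."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.mappings:
            return None
        m = self.mappings[pkt.dst_port]
        present_as = self.expectations.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if present_as is not None:
            return Packet(present_as[0], present_as[1], m.int_ip, m.int_port)
        if self.mode == "full":
            allowed = True                       # any WAN host may use the open port
        elif self.mode == "address_restricted":
            allowed = any(ip == pkt.src_ip for ip, _ in m.peers)
        else:                                    # port_restricted: netfilter's behaviour per Jozsef's reply
            allowed = (pkt.src_ip, pkt.src_port) in m.peers
        if not allowed:
            return None
        return Packet(pkt.src_ip, pkt.src_port, m.int_ip, m.int_port)


def thread_scenario(mode: str, with_expectation: bool = False):
    """Steps 1-3 from the original post: the reply arrives from Address4, not Address3."""
    nat = ConeNat("Address2", mode)
    nat.outbound(Packet("Address1", 100, "Address3", 200))
    if with_expectation:
        nat.expect(100, "Address4", 200, present_as=("Address3", 200))
    return nat.inbound(Packet("Address4", 200, "Address2", 100))


def unrelated_host(mode: str):
    """A WAN host the LAN never contacted sends to the open port (constructed input)."""
    nat = ConeNat("Address2", mode)
    nat.outbound(Packet("Address1", 100, "Address3", 200))
    return nat.inbound(Packet("Address6", 4444, "Address2", 100))


def two_lan_hosts():
    """Two LAN hosts using the same source port receive distinct public ports."""
    nat = ConeNat("Address2", "port_restricted")
    a = nat.outbound(Packet("Address1", 100, "Address3", 200))
    b = nat.outbound(Packet("Address5", 100, "Address3", 200))
    return a.src_port, b.src_port


if __name__ == "__main__":
    for mode in ConeNat.MODES:
        print(f"{mode:19s} reply from Address4 -> {thread_scenario(mode)}")
        print(f"{mode:19s} unrelated Address6  -> {unrelated_host(mode)}")
    print("port_restricted + expectation ->", thread_scenario("port_restricted", True))
```

Running the script shows the reply from Address4 being dropped under both restricted modes and delivered only under full cone, where the unrelated Address6 gets through as well. With the expectation in place the port-restricted NAT delivers the Address4 reply to Address1 with Address3:200 as its apparent source, while Address6 is still dropped.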
