From: Toby Bradshaw <Toby.Bradshaw@ideaworkslabs.com>
To: netfilter@vger.kernel.org
Subject: Correctly classifying iptables NAT beahaviour...
Date: Tue, 06 Oct 2009 14:00:52 +0100 [thread overview]
Message-ID: <4ACB3F84.1090107@ideaworkslabs.com> (raw)
That old chesnut.
I notice that the default iptables MASQ and SNAT behaviour appears to be
an odd hybrid of both port restricted and symmetric NATs. As long as the
host behind the iptables NAT is the first sender then the external
firewall port becomes open and packets sent from in reply from the right
ip:port will pass through the firewall. This is classic port restricted
behaviour. However, if a packet is sent first from an external host to
the ip:port address that would have been used by an internal host then
when the internal host attempts to send to the same external host it's
port becomes changed on the way through NAT (usually to 1024 in my
experience). This is classic symmetric behaviour.
More succinctly:
Two hosts, A and B where A=IPa:PORTa, B=IPb:PORTb. A is behind an
iptables NAT. B is, for all intents, open.
If A sends to B first then B can reply to A.
If B sends to A first then B will get ICMP port unreachable. If A now
sends to B within a short space of time the port on packets form A will
be changed (A=IPa:PORTx). If B were to be behind a port restricted NAT
then A would receive ICMP port unreachable since B was sending to IPa:PORTa.
Can anyone confirm that this in fact the intended, correct behaviour and
that I haven't got some part of my setup wrong ?
I'm in the middle of writing a NAT traversal library and would have
liked to use iptables to model the typical consumer router gateway. This
is a multiplayer game application.
The problem that this behaviour presents to me is that anything behind a
this NAT will report itself as behind a port restricted NAT when in
practice it's actually behind a symmetric NAT. With the increasing
popularity of iptables based gateway routers in domestic setups this is
a real problem to anyone implementing NAT traversal. If I could detect
that a host is behind such a NAT I can arrange for it to always send the
first packet. If I can't then it's likely I'll never be able to reliably
make a connection to it.
So.. my questions are:
Is it at all possible to at least get pure port restricted behaviour
from iptables? i.e. Regardless of who sends the first packet if the host
behind the NAT sends to ip:port then ip:port will be guaranteed to be
able to reply.
Does anyone have any knowledge of an alternative traversal technique
that does not involve a relay that might be able to form a connection
under these conditions.
Thanks in advance,
--
t o b e
London, UK.
next reply other threads:[~2009-10-06 13:00 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-10-06 13:00 Toby Bradshaw [this message]
2009-10-06 14:01 ` Correctly classifying iptables NAT beahaviour Thomas Jacob
2009-10-07 10:26 ` Jozsef Kadlecsik
2009-10-07 11:21 ` Thomas Jacob
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4ACB3F84.1090107@ideaworkslabs.com \
--to=toby.bradshaw@ideaworkslabs.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.