From: "Nikolai Dahlem" <listuser@epygi.de>
To: "Harald Welte" <laforge@netfilter.org>
Cc: <netfilter-devel@lists.netfilter.org>
Subject: RE: NAT problem with related connections
Date: Tue, 4 Nov 2003 14:41:59 +0100
Message-ID: <DAELKAPIKOFAFFKELNHOCEAJCAAA.listuser@epygi.de>
In-Reply-To: <20031103153941.GF5081@sunbeam.de.gnumonks.org>
> On Mon, Nov 03, 2003 at 01:28:29PM +0100, Nikolai Dahlem wrote:
>> -----Original Message-----
>> From: Harald Welte [mailto:laforge@netfilter.org]
>> Sent: Montag, 3. November 2003 12:08
>> To: Nikolai Dahlem
>> Cc: Netfilter Development Mailinglist
>> Subject: Re: NAT problem with related connections
>>
>> On Mon, Nov 03, 2003 at 11:15:40AM +0100, Nikolai Dahlem wrote:
>take the example of FTP (more common, and I already forgot most SIP
>relevant stuff):
>client: 1.2.3.4, firewall: 10.20.30.40, ftp-server: 9.9.9.9
>packet received: client -> server PORT 1,2,3,4,5,6
> - conntrack helper raises expectation 9.9.9.9:any->1.2.3.4:(5<<16 & 6)
> - nat helper alters packet payload to PORT 10,20,30,40,5,6
> - nat helper alters expectation to 9.9.9.9:any->10.20.30.40:(5<<16 & 6)
Ok, this is understood. Sorry if I didn't describe my problem properly.
What I got is:
client 1.2.3.4, firewall: 10.20.30.40, ext. client: 9.9.9.9 (simplified, no
SIP server)
client: INVITE message 1.2.3.4:5000 -> ext. client
ext. client: OK message 9.9.9.9:6000 -> client
conntrack raises the correct expectations and all.
client 1.2.3.4:5000 via firewall (changes sport to 1024) -> ext. client
9.9.9.9:6000
ext. client 9.9.9.9:6000 via firewall -> client 1.2.3.4:5000
Connection tracking doesn't see a connection, because the firewall changed
the sport to 1024, but ext. client is answering to 6000.
So what do you think of raising the expectation after the INVITE packet,
instead of after the OK packet?
This way I'd be able to rewrite to the correct port, but at this moment
there is no info about the ext. client, so what should I enter in the
expect-tuple?
Kind regards,
Nikolai Dahlem
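The following is an added illustration, not netfilter code and not anything either poster sent: a toy model of how a connection-tracking helper's expectation interacts with the NAT helper, following the FTP PORT walk-through in Harald's reply and then the SIP mismatch Nikolai describes. Addresses and ports are the constructed sample values from the thread; the port arithmetic follows RFC 959 (p1*256 + p2) rather than the shorthand in the quoted text, and the wildcard "ANY" source in the SIP part is an assumption of this model only, not the thread's conclusion.

```python
# Added illustration (not netfilter code): conntrack expectations vs. NAT.
from dataclasses import dataclass, replace
from typing import Optional

ANY = None  # wildcard in an expectation tuple (the real code masks such fields out)


@dataclass(frozen=True)
class Tuple4:
    """(src ip, src port, dst ip, dst port); ANY in src fields matches anything."""
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: str
    dst_port: int

    def matches(self, pkt: "Tuple4") -> bool:
        return (
            (self.src_ip is ANY or self.src_ip == pkt.src_ip)
            and (self.src_port is ANY or self.src_port == pkt.src_port)
            and self.dst_ip == pkt.dst_ip
            and self.dst_port == pkt.dst_port
        )


def parse_port_cmd(payload: str) -> tuple[str, int]:
    """Parse an FTP 'PORT h1,h2,h3,h4,p1,p2' line; RFC 959 defines port = p1*256 + p2."""
    verb, _, args = payload.strip().partition(" ")
    fields = args.split(",")
    if verb.upper() != "PORT" or len(fields) != 6:
        raise ValueError(f"malformed PORT command: {payload!r}")
    octets = [int(f) for f in fields]
    if not all(0 <= v <= 255 for v in octets):
        raise ValueError("PORT fields must be octets")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2


def build_port_cmd(ip: str, port: int) -> str:
    """Inverse of parse_port_cmd; the NAT helper uses this to rewrite the payload."""
    return "PORT " + ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


class Conntrack:
    """Minimal expectation table: helpers register expectations, lookup() consults them."""

    def __init__(self) -> None:
        self.expectations: list[Tuple4] = []

    def ftp_port_seen(self, server_ip: str, payload: str, snat_ip: Optional[str] = None):
        """A client -> server PORT command crosses the firewall.

        conntrack helper: expect server:any -> client:port (the data connection).
        NAT helper (client is SNATed): rewrite the payload to the public address
        and point the expectation at that address instead.
        """
        client_ip, port = parse_port_cmd(payload)
        expect = Tuple4(server_ip, ANY, client_ip, port)
        if snat_ip is not None:
            payload = build_port_cmd(snat_ip, port)
            expect = replace(expect, dst_ip=snat_ip)
        self.expectations.append(expect)
        return payload, expect

    def lookup(self, pkt: Tuple4) -> Optional[Tuple4]:
        """Return the expectation a packet would be matched (RELATED) against, if any."""
        return next((e for e in self.expectations if e.matches(pkt)), None)


def ftp_example():
    """Harald's walk-through: client 1.2.3.4 behind firewall 10.20.30.40, server 9.9.9.9."""
    ct = Conntrack()
    payload, expect = ct.ftp_port_seen("9.9.9.9", "PORT 1,2,3,4,5,6", snat_ip="10.20.30.40")
    # The server's data connection now arrives at the firewall's address and is RELATED.
    hit = ct.lookup(Tuple4("9.9.9.9", 20, "10.20.30.40", (5 << 8) | 6))
    return payload, expect, hit


def sip_example() -> dict:
    """Nikolai's scenario: SNAT rewrote the INVITE's source port 5000 -> 1024,
    but the external client answers to the port signalled inside SIP (5000)."""
    ct = Conntrack()
    # Reply direction of the SNATed INVITE, as the master connection records it.
    master_reply = Tuple4("9.9.9.9", 6000, "10.20.30.40", 1024)
    # What the OK actually looks like on the wire: it targets the signalled port.
    ok_pkt = Tuple4("9.9.9.9", 6000, "10.20.30.40", 5000)
    # Model assumption: an expectation raised when the INVITE passes knows the
    # signalled port but not the remote endpoint, so the source is left as ANY.
    ct.expectations.append(Tuple4(ANY, ANY, "10.20.30.40", 5000))
    return {
        "ok_matches_master": master_reply.matches(ok_pkt),
        "ok_matches_expect": ct.lookup(ok_pkt) is not None,
    }
```

Running `ftp_example()` shows the rewritten payload `PORT 10,20,30,40,5,6` and an expectation `9.9.9.9:any -> 10.20.30.40:1286` that the incoming data connection matches; `sip_example()` shows that the OK to port 5000 matches neither the master connection's reply tuple (port 1024) nor anything unless an expectation for the signalled port exists, which is the gap Nikolai is asking about.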
Thread overview (7+ messages):
2003-10-30 10:31 NAT problem with related connections  Nikolai Dahlem
2003-11-03  7:48 ` Harald Welte
[not found]      ` <DAELKAPIKOFAFFKELNHOCEAICAAA.Nikolai.Dahlem@epygi.de>
2003-11-03 11:08   ` Harald Welte
[not found]        ` <DAELKAPIKOFAFFKELNHOGEAICAAA.Nikolai.Dahlem@epygi.de>
2003-11-03 15:39     ` Harald Welte
2003-11-04 13:41       ` Nikolai Dahlem [this message]
2003-11-04 15:44         ` Harald Welte
2003-11-03 11:12 ` Harald Welte