From: "Jesse Gordon" <jesseg@nikola.com>
To: Philip Craig <philipc@snapgear.com>,
	Nikolai Georgiev <voyager123bg@gmail.com>,
	netfilter@lists.netfilter.org
Subject: Re: Unmatchable packet?
Date: Tue, 22 Nov 2005 23:03:06 -0800	[thread overview]
Message-ID: <WorldClient-F200511222303.AA03060138@nikola.com> (raw)
In-Reply-To: <4384069F.3010201@snapgear.com>



-----Original Message-----
From: Philip Craig <philipc@snapgear.com>
Subject: Re: Unmatchable packet?

> On 11/23/2005 11:46 AM, Jesse Gordon wrote:
> > I actually want to rewrite the source IP of TCP packets that exit a given 
> > ethernet card -- even (especially) if they are generated as responses 
> > to incoming connections to the box.
[Snip] 

> You can't do this with iptables.  NAT rules only match the first packet
> of a connection, and the NAT mapping that is determined for that first
> packet is applied to all subsequent packets in that connection.
> 
> Furthermore, it doesn't make sense to do this.  The client will receive
> packets from your arbitrarily assigned source address, but will not know
> what to do with them since it never sent any packets to that address,
> and so it will just drop them.

Ahh, thanks! Can't be done. That explains my lack of success!

I agree -- to do as my little example showed would be useless -- but my
real goal is to route the reply traffic via a different route than the
request traffic -- I already got it to send the replies out a different
network interface than the requests came in, but I haven't yet figured out
how to rewrite the source address of the replies.

I only simplified the example so that no other unneeded data would
obfuscate what I was saying.

By using a second box with iptables as an in-between gateway, or with proxy
arp filtering or ethernet bridging, I could probably do exactly what I
want. Perhaps I'll see what ebtables can do for me.

I don't quite understand why iptables wouldn't be able to match just any
packet going into or out of any given network card, regardless of whether
it was related to any other packet or not.

I may be a little confused. It seems to me that my experiments showed that
the act of permitting a certain packet criteria to exit a specified
ethernet port does not inherently permit the responses for that connection
back in. It seems to me that I had to either tell it to allow related in,
or specifically allow the replies back. I'll check into it more.

Thanks very much!

-Jesse Gordon
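The two behaviours this exchange turns on (a NAT rule is consulted only for the first packet of a connection and its mapping then sticks to every later packet in both directions, and a filter that lets packets out does not by itself let the replies back in) can be shown with a small model of connection tracking. The following is an added example written for this page; it is not code from the thread or from netfilter, and all addresses, ports and interface names in it are constructed sample values:

```python
"""Toy model of how connection tracking applies a NAT decision (added example).

Not netfilter code: it only mimics the rule that the NAT table is evaluated for
the first packet of a flow and the resulting mapping is reused afterwards, plus
a filter that needs an ESTABLISHED rule to admit replies.  Constructed values.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

SERVER = "192.0.2.10"      # the box running the rules (constructed)
CLIENT = "198.51.100.7"    # remote peer (constructed)
ALT_ADDR = "203.0.113.5"   # address a SNAT rule would put on packets (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: Optional[str] = None   # interface it arrived on; None = generated locally
    out_iface: Optional[str] = None  # interface it leaves by; None = delivered locally


@dataclass(frozen=True)
class SnatRule:
    """Models '-t nat -A POSTROUTING -o <out_iface> -j SNAT --to-source <to_source>'."""
    out_iface: str
    to_source: str

    def matches(self, pkt: Packet) -> bool:
        return pkt.out_iface == self.out_iface


class Conntrack:
    """Tracks each flow by its 4-tuple in both directions and stores its NAT binding."""

    def __init__(self, snat_rules):
        self.snat_rules = list(snat_rules)
        self.index = {}    # directional 4-tuple -> (entry id, "orig" | "reply")
        self.entries = {}  # entry id -> {"orig": tuple, "reply": tuple}

    @staticmethod
    def _key(pkt: Packet) -> Tuple[str, int, str, int]:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def process(self, pkt: Packet):
        """Return (ctstate, packet after NAT); ctstate is 'NEW' or 'ESTABLISHED'."""
        key = self._key(pkt)
        hit = self.index.get(key)
        if hit is not None:
            cid, direction = hit
            entry = self.entries[cid]
            if direction == "orig":
                # Later packets in the original direction reuse the stored mapping.
                return "ESTABLISHED", replace(pkt, src=entry["reply"][2])
            # Reply direction: undo the mapping.  NAT rules are never consulted here,
            # so a SNAT rule cannot rewrite the source of a reply packet.
            return "ESTABLISHED", replace(pkt, dst=entry["orig"][0])
        # First packet of the flow: the only moment the NAT rules are evaluated.
        new_src = next((r.to_source for r in self.snat_rules if r.matches(pkt)), pkt.src)
        translated = replace(pkt, src=new_src)
        reply = (translated.dst, translated.dport, translated.src, translated.sport)
        cid = len(self.entries)
        self.entries[cid] = {"orig": key, "reply": reply}
        self.index[key] = (cid, "orig")
        self.index[reply] = (cid, "reply")
        return "NEW", translated


def filter_verdict(pkt: Packet, ctstate: str, allow_established: bool) -> str:
    """Policy DROP plus: OUTPUT -o eth1 --ctstate NEW -j ACCEPT, and optionally
    INPUT -i eth1 --ctstate ESTABLISHED,RELATED -j ACCEPT."""
    if pkt.out_iface == "eth1" and ctstate == "NEW":
        return "ACCEPT"
    if allow_established and pkt.in_iface == "eth1" and ctstate == "ESTABLISHED":
        return "ACCEPT"
    return "DROP"


def scenario_inbound_reply():
    """Inbound connection; the reply is routed out eth1, where a SNAT rule waits."""
    ct = Conntrack([SnatRule("eth1", ALT_ADDR)])
    s1, syn = ct.process(Packet(CLIENT, 40000, SERVER, 80, in_iface="eth0"))
    s2, synack = ct.process(Packet(SERVER, 80, CLIENT, 40000, out_iface="eth1"))
    return s1, syn.src, s2, synack.src   # reply source is NOT rewritten


def scenario_outbound():
    """Locally originated connection out eth1: SNAT binds on the SYN and sticks."""
    ct = Conntrack([SnatRule("eth1", ALT_ADDR)])
    s1, syn = ct.process(Packet(SERVER, 50000, CLIENT, 443, out_iface="eth1"))
    s2, synack = ct.process(Packet(CLIENT, 443, ALT_ADDR, 50000, in_iface="eth1"))
    s3, ack = ct.process(Packet(SERVER, 50000, CLIENT, 443, out_iface="eth1"))
    return (s1, syn.src), (s2, synack.dst), (s3, ack.src)


def scenario_replies_need_state(allow_established: bool):
    """Allowing the request out does not admit the reply without an ESTABLISHED rule."""
    ct = Conntrack([])
    syn = Packet(SERVER, 50000, CLIENT, 443, out_iface="eth1")
    synack = Packet(CLIENT, 443, SERVER, 50000, in_iface="eth1")
    s1, _ = ct.process(syn)
    s2, _ = ct.process(synack)
    return filter_verdict(syn, s1, allow_established), filter_verdict(synack, s2, allow_established)


if __name__ == "__main__":
    print("inbound, reply out eth1:", scenario_inbound_reply())
    print("outbound via eth1:", scenario_outbound())
    print("without ESTABLISHED rule:", scenario_replies_need_state(False))
    print("with ESTABLISHED rule:", scenario_replies_need_state(True))
```

In the first scenario the reply leaves eth1, which the SNAT rule matches on, yet its source stays 192.0.2.10 because the NAT decision for that flow was taken on the inbound SYN and the reply direction never consults the NAT table again. The second scenario shows the same mechanism working as intended for a locally originated connection, and the third reproduces the observation that an outbound ACCEPT rule alone leaves the replies to be dropped.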



