NAT only - No connection tracking

NAT only - No connection tracking

[Jet (jchan@trusecure.com)]

Hi all,

How can I make my iptable to do just NAT, no connection tracking?

No matter how hard I tried to configure netfilter to load only iptable_nat,
it will load ip_conntrack too.

Basically, I want to make my iptable to become a NAT device without stateful
inspection.
It this possible?

.//Jet

NAT only - No connection tracking

[Jet]

Hi all,

How can I make my iptable to do just NAT, no connection tracking?

No matter how hard I tried to configure netfilter to load only iptable_nat,
it will load ip_conntrack too.

Basically, I want to make my iptable to become a NAT device without stateful
inspection.
It this possible?

.//Jet

Re: NAT only - No connection tracking

[Antony Stone]

On Monday 11 November 2002 10:56 am, yenjet.chan@eglobal.com.my wrote:

> Hi all,
>
> How can I make my iptable to do just NAT, no connection tracking?

Yes - just don't compile connection tracking support in, and don't try to use 
the -m state match.

> No matter how hard I tried to configure netfilter to load only iptable_nat,
> it will load ip_conntrack too.

I suggest you recompile the kernel without building the conntrack module.

> Basically, I want to make my iptable to become a NAT device without
> stateful inspection.

You do realise that your NAT rules will become a lot more complicated because 
of this, don't you ?

Antony.

-- 

Having been asked to provide a reference for this man,
I can confidently state that you will be very lucky indeed
if you can get him to work for you.

Re: NAT only - No connection tracking

[Brad Chapman]

--- Jet <yenjet.chan@eglobal.com.my> wrote:
> Hi all,
> 
> How can I make my iptable to do just NAT, no connection tracking?
> 
> No matter how hard I tried to configure netfilter to load only iptable_nat,
> it will load ip_conntrack too.
> 
> Basically, I want to make my iptable to become a NAT device without stateful
> inspection.
> It this possible?

No.

> 
> .//Jet
> 
> 

Brad

=====
Brad Chapman

Permanent e-mail: kakadu_croc@yahoo.com

__________________________________________________
Do you Yahoo!?
U2 on LAUNCH - Exclusive greatest hits videos
http://launch.yahoo.com/u2

Re: NAT only - No connection tracking

[Antony Stone]

On Monday 11 November 2002 11:34 am, Brad Chapman wrote:

> > How can I make my iptable to do just NAT, no connection tracking?
> >
> > Basically, I want to make my iptable to become a NAT device without
> > stateful inspection.
> > It this possible?
>
> No.

Hi Brad - long time no hear...

Why do you think this is not possible ?

Antony.

-- 

What is this talk of software 'release' ?
Our software evolves and matures until it becomes capable of escape,
leaving a bloody trail of designers and quality assurance people in its wake.

Re: NAT only - No connection tracking

[Brad Chapman]

Mr. Antony,

--- Antony Stone <Antony@Soft-Solutions.co.uk> wrote:
> On Monday 11 November 2002 11:34 am, Brad Chapman wrote:
> 
> > > How can I make my iptable to do just NAT, no connection tracking?
> > >
> > > Basically, I want to make my iptable to become a NAT device without
> > > stateful inspection.
> > > It this possible?
> >
> > No.
> 
> Hi Brad - long time no hear...

When you don't have all day to bathe your retina in EM radiation, then your presence
sometimes decreases ;)

> 
> Why do you think this is not possible ?

Sorry for being so short, I was busy.

Basically, if this person wants to do NAT, he has to do connection tracking as well.
LYSB, he doesn't have to run ctrack without NAT, but without ctrack the current
implementation of NAT in netfilter won't work. If there are other stateless NAT
kernel implementations available that attach to netfilter, then I am currently
unaware of them.

> 
> Antony.

Brad

> 
> -- 
> 
> What is this talk of software 'release' ?
> Our software evolves and matures until it becomes capable of escape,
> leaving a bloody trail of designers and quality assurance people in its wake.
> 


=====
Brad Chapman

Permanent e-mail: kakadu_croc@yahoo.com

__________________________________________________
Do you Yahoo!?
U2 on LAUNCH - Exclusive greatest hits videos
http://launch.yahoo.com/u2

Re: NAT only - No connection tracking

[Antony Stone]

On Monday 11 November 2002 11:06 am, Antony Stone wrote:

> On Monday 11 November 2002 10:56 am, yenjet.chan@eglobal.com.my wrote:
> > Hi all,
> >
> > How can I make my iptable to do just NAT, no connection tracking?
>
> Yes - just don't compile connection tracking support in, and don't try to
> use the -m state match.

I was wrong.   I forgot that when you compile the kernel, the netfilter 
options start with "Connection tracking (required for NAT) ?"

Therefore you are correct, you cannot do NAT without connection tracking.

Sorry for the misleading (nay, incorrect !) advice earlier....

Antony.

-- 

The difference between theory and practice is that
in theory there is no difference, whereas in practice there is.

Re: NAT only - No connection tracking

[Ben Russo]

On Mon, 2002-11-11 at 14:21, Brad Chapman wrote:
> Mr. Antony,
> 
> --- Antony Stone <Antony@Soft-Solutions.co.uk> wrote:
> > On Monday 11 November 2002 11:34 am, Brad Chapman wrote:
> > 
> > > > How can I make my iptable to do just NAT, no connection tracking?
> > > >
> > > > Basically, I want to make my iptable to become a NAT device without
> > > > stateful inspection.
> > > > It this possible?
> > >
If you don't want connection tracking but want NAT just use the old
ipchains instead of iptables.

-Ben.

Re: NAT only - No connection tracking

[Filip Sneppe]

On Mon, 2002-11-11 at 20:21, Brad Chapman wrote:
> 
> Basically, if this person wants to do NAT, he has to do connection tracking as well.
> LYSB, he doesn't have to run ctrack without NAT, but without ctrack the current
> implementation of NAT in netfilter won't work. If there are other stateless NAT
> kernel implementations available that attach to netfilter, then I am currently
> unaware of them.
> 
Hi Brad & Antony,

There is one other way to do NAT without connection tracking - this is
even possible on 2.2 kernels. There is some NAT functionality in the
routing code (policy routing, advanced routing).

This is a form of NAT where only the IP addresses in the IP header
are changed, no data inside the packet payload is inspected or changed.
Also, there is no automatic retranslation of return packets, like with
iptables.

The syntax is a little different and takes some time to get used to;
basically you get something like this:

ip rule add from 192.168.1.32/27 nat 10.1.1.32 prio 14000
ip route add nat 10.1.1.32/27 via 192.168.1.32

to set up NAT rules.

For more info, see the iproute documentations. I can also recommend
the book "Policy Routing with Linux" by Matthew G. Marsh, who is also
a contributor on this list.

The book is being released online at http://www.policyrouting.org/,
but is definately worth the buy.

Regards,
Filip

Re: NAT only - No connection tracking

[Brad Chapman]

Mr. Filip,

--- Filip Sneppe <filip.sneppe@cronos.be> wrote:
> On Mon, 2002-11-11 at 20:21, Brad Chapman wrote:
> > 
> > Basically, if this person wants to do NAT, he has to do connection tracking as
> well.
> > LYSB, he doesn't have to run ctrack without NAT, but without ctrack the current
> > implementation of NAT in netfilter won't work. If there are other stateless NAT
> > kernel implementations available that attach to netfilter, then I am currently
> > unaware of them.
> > 
> Hi Brad & Antony,
> 
> There is one other way to do NAT without connection tracking - this is
> even possible on 2.2 kernels. There is some NAT functionality in the
> routing code (policy routing, advanced routing).
> 
> This is a form of NAT where only the IP addresses in the IP header
> are changed, no data inside the packet payload is inspected or changed.
> Also, there is no automatic retranslation of return packets, like with
> iptables.

*thunk*

Duh! I had forgotten about that, having never used it. Good call. Maybe the original
poster will be interested in this.

> 
> The syntax is a little different and takes some time to get used to;
> basically you get something like this:
> 
> ip rule add from 192.168.1.32/27 nat 10.1.1.32 prio 14000
> ip route add nat 10.1.1.32/27 via 192.168.1.32
> 
> to set up NAT rules.
> 
> For more info, see the iproute documentations. I can also recommend
> the book "Policy Routing with Linux" by Matthew G. Marsh, who is also
> a contributor on this list.
> 
> The book is being released online at http://www.policyrouting.org/,
> but is definately worth the buy.

> 
> Regards,
> Filip
> 

Brad


=====
Brad Chapman

Permanent e-mail: kakadu_croc@yahoo.com

__________________________________________________
Do you Yahoo!?
U2 on LAUNCH - Exclusive greatest hits videos
http://launch.yahoo.com/u2

Re: NAT only - No connection tracking

[Jet]

Thanks for all the reply.

I'm now looking at http://www.policyrouting.org/ and might plan to buy a
copy of it.

Thanks again everyone here for such a good help.

.//Jet

----- Original Message -----
From: "Filip Sneppe" <filip.sneppe@cronos.be>
To: "Brad Chapman" <kakadu_croc@yahoo.com>
Cc: "Antony Stone" <Antony@Soft-Solutions.co.uk>;
<netfilter@lists.netfilter.org>
Sent: Tuesday, November 12, 2002 7:14 PM
Subject: Re: NAT only - No connection tracking



>>
> The book is being released online at http://www.policyrouting.org/,
> but is definately worth the buy.
>
> Regards,
> Filip
>
>