From: Filip Sneppe <filip.sneppe@cronos.be>
To: Brad Chapman <kakadu_croc@yahoo.com>
Cc: Antony Stone <Antony@Soft-Solutions.co.uk>,
netfilter@lists.netfilter.org
Subject: Re: NAT only - No connection tracking
Date: 12 Nov 2002 12:14:36 +0100
Message-ID: <1037099676.12587.8.camel@hope>
In-Reply-To: <20021111192103.14755.qmail@web40910.mail.yahoo.com>
On Mon, 2002-11-11 at 20:21, Brad Chapman wrote:
>
> Basically, if this person wants to do NAT, he has to do connection tracking as well.
> LYSB, he doesn't have to run ctrack without NAT, but without ctrack the current
> implementation of NAT in netfilter won't work. If there are other stateless NAT
> kernel implementations available that attach to netfilter, then I am currently
> unaware of them.
>
Hi Brad & Antony,

There is one other way to do NAT without connection tracking - this is
even possible on 2.2 kernels. There is some NAT functionality in the
routing code (policy routing, advanced routing).

This is a form of NAT where only the IP addresses in the IP header
are changed, no data inside the packet payload is inspected or changed.
Also, there is no automatic retranslation of return packets, like with
iptables.

The syntax is a little different and takes some time to get used to;
basically you get something like this:

    ip rule add from 192.168.1.32/27 nat 10.1.1.32 prio 14000
    ip route add nat 10.1.1.32/27 via 192.168.1.32

to set up NAT rules.

For more info, see the iproute documentation. I can also recommend
the book "Policy Routing with Linux" by Matthew G. Marsh, who is also
a contributor on this list.

The book is being released online at http://www.policyrouting.org/,
but is definitely worth the buy.

Regards,
Filip
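
The following Python sketch is an added example, not part of Filip's message and not kernel or iproute code. It models the two rules above as stateless prefix mappings (assumption: the "ip rule ... nat" line rewrites the source address, the "ip route add nat" line rewrites the destination) and shows that the payload still carries the inside address and that a reply is only translated by the second rule. The packets, the 203.0.113.5 peer and the function names are constructed for illustration, and the transport header is omitted.

```python
import ipaddress
import struct

def checksum(header: bytes) -> int:
    """RFC 1071 ones-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed 20-byte IPv4 header (protocol 6) followed directly by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def stateless_nat(packet: bytes, field: str, from_net: str, to_base: str) -> bytes:
    """Map the 'src' or 'dst' header address from from_net onto the block at to_base.

    Host bits are kept, only the header is rewritten, and no state is stored.
    """
    off = 12 if field == "src" else 16
    net = ipaddress.IPv4Network(from_net)
    addr = ipaddress.IPv4Address(packet[off:off + 4])
    if addr not in net:
        return packet                      # rule does not match: packet untouched
    mapped = ipaddress.IPv4Address(to_base) + (int(addr) - int(net.network_address))
    hdr = bytearray(packet[:20])
    hdr[off:off + 4] = mapped.packed
    hdr[10:12] = b"\x00\x00"               # zero, then recompute the header checksum
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]        # payload bytes copied verbatim

def addrs(packet: bytes):
    """Return (src, dst) of a packet as dotted strings."""
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])))

# Constructed sample: an FTP PORT command carrying the inside address in its payload.
OUT = build_packet("192.168.1.40", "203.0.113.5", b"PORT 192,168,1,40,19,137\r\n")
OUT_NAT = stateless_nat(OUT, "src", "192.168.1.32/27", "10.1.1.32")      # "ip rule" line
REPLY = build_packet("203.0.113.5", "10.1.1.40", b"200 PORT command successful\r\n")
REPLY_NAT = stateless_nat(REPLY, "dst", "10.1.1.32/27", "192.168.1.32")  # "ip route" line

if __name__ == "__main__":
    print(addrs(OUT_NAT), OUT_NAT[20:])    # header translated, payload unchanged
    print(addrs(stateless_nat(REPLY, "src", "192.168.1.32/27", "10.1.1.32")))
    print(addrs(REPLY_NAT))                # reply reaches the inside host only via rule 2
```

Because the payload is never inspected, a protocol that embeds addresses (the FTP PORT line here) exposes the untranslated inside address to the peer and will not work through this kind of NAT without extra help.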