From: Steven Kath <steven.kath@vyatta.com>
To: Pandu Poluan <pandu@poluan.info>
Cc: netfilter@vger.kernel.org, Atle Solbakken <atle@goliathdns.no>
Subject: Re: When does NAT processing actually takes place?
Date: Wed, 16 Mar 2011 23:32:27 -0700 (PDT)
Message-ID: <1237758709.21621.1300343546963.JavaMail.root@tahiti.vyatta.com>
In-Reply-To: <282984944.21619.1300343429509.JavaMail.root@tahiti.vyatta.com>
> I'll try to explain in more detail.
>
> ## Scenario 1: External address DNAT to internal server ##
>
> A packet comes in:
> [1] To: 11.22.33.44:80
> From: 55.66.77.88:34567
>
> It got DNATed:
> [2] To: 192.168.1.22:12080
> From: 55.66.77.88:34567
>
> The server replied:
> [3] To: 55.66.77.88:34567
> From: 192.168.1.22:12080
>
> It got "inverse NAT"ed:
> [4] To: 55.66.77.88:34567
> From: 11.22.33.44:80
>
> ## Scenario 2: Internal host accesses outside world ##
>
> A packet comes in from the LAN:
> [5] To: 75.64.53.42:80
> From: 192.168.5.66:45678
>
> It got SNATed:
> [6] To: 75.64.53.42:80
> From: 88.77.66.55:45678
>
> The remote side replied:
> [7] To: 88.77.66.55:45678
> From: 75.64.53.42:80
>
> It got "inverse NAT"ed:
> [8] To: 192.168.5.66:45678
> From: 75.64.53.42:80
>
>
> Now, based on the discussions:
>
> * [1]-->[2] happens as packet exits nat/PREROUTING
> * [5]-->[6] happens as packet exits nat/POSTROUTING
>
> When do [3]-->[4] and [7]-->[8] happen?
Unless I'm mistaken, the "inverse NAT" is part of the conntrack set of functions. See the diagram linked below.
The conntrack table contains both the pre-NAT and post-NAT address:port pairings, and for existing connections the conntrack step on the diagram handles the necessary "inverse" translations. There is a lot of heavy wizardry going on in that little "conntrack" bubble.
http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
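The mechanism described in the reply above, as a small simulation added here (not code from the thread, from netfilter or from Vyatta): a conntrack table stores the original-direction and reply-direction tuples for each connection, NAT rules are only matched for the first packet, and replies are translated back purely from the stored entry. The `Packet`, `Conntrack`, `NatBox` and `run_thread_scenarios` names are constructed for this example, and the `dnat`/`snat` dicts are a deliberate simplification of the nat/PREROUTING and nat/POSTROUTING chains; the addresses are the ones quoted in the question.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str  # "ip:port"
    dst: str  # "ip:port"

@dataclass
class Conntrack:
    orig: Packet   # untranslated original-direction tuple
    reply: Packet  # reply-direction tuple, already reflecting the NAT applied

class NatBox:
    def __init__(self, dnat, snat):
        self.dnat = dnat   # nat/PREROUTING rules: "pubip:port" -> "privip:port"
        self.snat = snat   # nat/POSTROUTING rules: source-ip prefix -> public ip
        self.table = []    # the conntrack table (constructed toy model)

    def handle(self, pkt):
        for e in self.table:
            # Established connection: the stored tuples dictate the translation in
            # both directions; the NAT rules are not consulted again.
            if pkt == e.orig:
                return Packet(src=e.reply.dst, dst=e.reply.src)
            if pkt == e.reply:
                return Packet(src=e.orig.dst, dst=e.orig.src)
        # First packet of a connection: DNAT in nat/PREROUTING, then SNAT in nat/POSTROUTING.
        out = pkt
        if out.dst in self.dnat:
            out = Packet(src=out.src, dst=self.dnat[out.dst])
        for prefix, pub_ip in self.snat.items():
            if out.src.startswith(prefix):
                out = Packet(src=f"{pub_ip}:{out.src.split(':')[1]}", dst=out.dst)
        # Record the mapping: the reply tuple is just the translated packet reversed,
        # which is what lets replies be "inverse NATed" without any rule match.
        self.table.append(Conntrack(orig=pkt, reply=Packet(src=out.dst, dst=out.src)))
        return out

def run_thread_scenarios():
    """Replay the two scenarios from the thread using the addresses quoted there."""
    box = NatBox(dnat={"11.22.33.44:80": "192.168.1.22:12080"},
                 snat={"192.168.": "88.77.66.55"})
    p2 = box.handle(Packet("55.66.77.88:34567", "11.22.33.44:80"))     # [1] -> [2]
    p4 = box.handle(Packet("192.168.1.22:12080", "55.66.77.88:34567"))  # [3] -> [4]
    p6 = box.handle(Packet("192.168.5.66:45678", "75.64.53.42:80"))     # [5] -> [6]
    p8 = box.handle(Packet("75.64.53.42:80", "88.77.66.55:45678"))      # [7] -> [8]
    return p2, p4, p6, p8
```

On a real box the equivalent view is the ORIGINAL and REPLY tuple pair that `conntrack -L` prints per entry; a reply packet whose tuple matches no entry is simply not translated, which is why replies to a dropped or expired connection do not reach the internal host.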