* SNAT range does not use unique IP
@ 2013-12-12 21:55 Igor S
2013-12-12 22:34 ` Phil Oester
0 siblings, 1 reply; 8+ messages in thread
From: Igor S @ 2013-12-12 21:55 UTC (permalink / raw)
To: netfilter
Dear netfilter gurus,
I am trying to build a kind of dynamic 1:1 SNAT gateway that is
supposed to map every incoming IP to a unique internal IP in the
internal network without any port mangling.
I set up an SNAT range big enough to uniquely translate more than 8K
addresses:
iptables -t nat -A POSTROUTING -s 100.0.0.0/8 -o eth2 -j SNAT --to 12.0.1.1-12.0.33.254 --persistent
However, before the range was exhausted, conntrack started to report
multiple source IP addresses translated to the same SNAT IP,
e.g. both 100.0.58.1:7 and 100.0.29.1:7 connections were translated to
the same 12.0.8.241:7:
cat /proc/net/nf_conntrack | grep 12.0.8.241
ipv4 2 udp 17 3 src=100.0.58.1 dst=12.2.58.1 sport=7 dport=7 [UNREPLIED] src=12.2.58.1 dst=12.0.8.241 sport=7 dport=7 mark=0 zone=0 use=2
ipv4 2 udp 17 3 src=100.0.29.1 dst=12.2.29.1 sport=7 dport=7 [UNREPLIED] src=12.2.29.1 dst=12.0.8.241 sport=7 dport=7 mark=0 zone=0 use=2
Isn't the nat module supposed to select a unique NAT IP in this case?
What would be a more appropriate way to make a unique 1:1 translation
without knowing the exact source IP in advance?
Thanks,
Igor
* Re: SNAT range does not use unique IP
From: Phil Oester @ 2013-12-12 22:34 UTC (permalink / raw)
To: Igor S; +Cc: netfilter
On Thu, Dec 12, 2013 at 10:55:53PM +0100, Igor S wrote:
> Dear netfilter gurus,
>
> I am trying to build a kind of dynamic 1:1 SNAT gateway that is
> supposed to map every incoming IP to a unique internal IP in the
> internal network without any port mangling.
Then you should be using the NETMAP target.
NETMAP (IPv4-specific)
    This target allows you to statically map a whole network of addresses onto another network of addresses. It can only be used from rules in the nat table.
    --to address[/mask]
        Network address to map to. The resulting address will be constructed in the following way: All 'one' bits in the mask are filled in from the new `address'. All bits that are zero in the mask are filled in from the original address.
Phil
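As an added illustration of the man-page rule Phil quotes (this is not code from the thread or from netfilter), the bit-combining step applied to the 100.0.0.0/8 client network from the thread; the 12.0.0.0/8 target network is a hypothetical choice:

```python
import ipaddress

def netmap(addr: str, to: str) -> str:
    """Translate `addr` the way the NETMAP target does for --to `to`.

    Bits that are one in the mask come from the --to network address, bits
    that are zero are kept from the original address (a bare address means
    a /32, so every client would map onto that single address)."""
    net = ipaddress.ip_network(to, strict=False)
    mask = int(net.netmask)
    original = int(ipaddress.ip_address(addr))
    mapped = (int(net.network_address) & mask) | (original & ~mask & 0xFFFFFFFF)
    return str(ipaddress.ip_address(mapped))

def netmap_target_size(to: str) -> int:
    """Number of addresses the --to network must provide: NETMAP is 1:1 over
    the whole prefix, which is why a /8 source needs a /8 target."""
    return ipaddress.ip_network(to, strict=False).num_addresses

if __name__ == "__main__":
    # Hypothetical target 12.0.0.0/8 for the thread's 100.0.0.0/8 clients:
    # the host part (0.58.1, 0.29.1) survives, so two clients never collide.
    for client in ("100.0.58.1", "100.0.29.1"):
        print(client, "->", netmap(client, "12.0.0.0/8"))
    print("target addresses needed:", netmap_target_size("12.0.0.0/8"))
```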
* Re: SNAT range does not use unique IP
From: Igor S @ 2013-12-13 14:34 UTC (permalink / raw)
To: Phil Oester; +Cc: netfilter
On Thu, 12 Dec 2013 14:34:44 -0800, Phil Oester wrote:
> On Thu, Dec 12, 2013 at 10:55:53PM +0100, Igor S wrote:
>> Dear netfilter gurus,
>>
>> I am trying to build a kind of dynamic 1:1 SNAT gateway that is
>> supposed to map every incoming IP to a unique internal IP in the
>> internal network without any port mangling.
>
> Then you should be using the NETMAP target.
>
> NETMAP (IPv4-specific)
> This target allows you to statically map a whole network of
> addresses onto another network of addresses. It can
> only be used from rules in the nat table.
>
> --to address[/mask]
> Network address to map to. The resulting address will
> be constructed in the following way: All 'one' bits
> in the mask are filled in from the new `address'. All
> bits that are zero in the mask are filled in from
> the original address.
>
>
> Phil
Hi Phil,
Thanks for the quick reply.
NETMAP would not be good for my case as the server is not supposed to
handle the entire 100.0.0.0/8 network. It only has to map the number of
addresses specified in the range. And I need to know in advance what
addresses can be used on a particular NAT server.
The idea of using SNAT is to "compress" the source network and
translate only the active clients.
Thanks,
Igor
* Re: SNAT range does not use unique IP
From: Phil Oester @ 2013-12-13 17:21 UTC (permalink / raw)
To: Igor S; +Cc: netfilter
On Fri, Dec 13, 2013 at 03:34:33PM +0100, Igor S wrote:
> On Thu, 12 Dec 2013 14:34:44 -0800, Phil Oester wrote:
> >On Thu, Dec 12, 2013 at 10:55:53PM +0100, Igor S wrote:
> >>I am trying to build a kind of dynamic 1:1 SNAT gateway that is
> >>supposed to map every incoming IP to a unique internal IP in the
> >>internal network without any port mangling.
> >
> >Then you should be using the NETMAP target.
> Hi Phil,
> Thanks for the quick reply.
> NETMAP would not be good for my case as the server is not supposed
> to handle the entire 100.0.0.0/8 network. It only has to map the
> number of addresses specified in the range. And I need to know in
> advance what addresses can be used on a particular NAT server.
> The idea of using SNAT is to "compress" the source network and
> translate only the active clients.
Unfortunately, SNAT and NETMAP are the only two options available.
Phil
* Re: SNAT range does not use unique IP
From: Igor S @ 2013-12-16 8:17 UTC (permalink / raw)
To: Phil Oester; +Cc: netfilter
On Fri, 13 Dec 2013 09:21:16 -0800, Phil Oester wrote:
> On Fri, Dec 13, 2013 at 03:34:33PM +0100, Igor S wrote:
>> On Thu, 12 Dec 2013 14:34:44 -0800, Phil Oester wrote:
>> >On Thu, Dec 12, 2013 at 10:55:53PM +0100, Igor S wrote:
>> >>I am trying to build a kind of dynamic 1:1 SNAT gateway that is
>> >>supposed to map every incoming IP to a unique internal IP in the
>> >>internal network without any port mangling.
>> >
>> >Then you should be using the NETMAP target.
>
>> Hi Phil,
>> Thanks for the quick reply.
>> NETMAP would not be good for my case as the server is not supposed
>> to handle the entire 100.0.0.0/8 network. It only has to map the
>> number of addresses specified in the range. And I need to know in
>> advance what addresses can be used on a particular NAT server.
>> The idea of using SNAT is to "compress" the source network and
>> translate only the active clients.
>
> Unfortunately, SNAT and NETMAP are the only two options available.
>
> Phil
Understood. But is it normal that NAT uses absolutely the same IP/port
combination for different source IPs?
Igor
* Re: SNAT range does not use unique IP
From: Pascal Hambourg @ 2013-12-16 9:23 UTC (permalink / raw)
To: Igor S; +Cc: netfilter
Igor S wrote:
>
> Understood. But is it normal that NAT uses absolutely the same IP/port
> combination for different source IPs?
Yes, as long as the destination address/port are different.
* Re: SNAT range does not use unique IP
From: Igor S @ 2013-12-17 11:05 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
On Mon, 16 Dec 2013 10:23:01 +0100, Pascal Hambourg wrote:
> Igor S wrote:
>>
>> Understood. But is it normal that NAT uses absolutely the same
>> IP/port combination for different source IPs?
>
> Yes, as long as the destination address/port are different.
OK. That does not allow the required consistency in the target network
to be maintained. Different clients may use the same SRC IP; the same
client may appear to use different SRC IP addresses when talking to
different servers in the same destination network.
Any suggestions on how I could change the NAT code to prevent it from
using the same SNAT IP address for different clients?
Thanks,
Igor
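An added example, not code from the thread or from netfilter, covering both Pascal's answer and Igor's follow-up: it parses the two nf_conntrack entries Igor pasted to show that their reply tuples differ (which is all the NAT core checks before accepting a mapping), and then models the strictly per-client allocation Igor is asking for, using the thread's 12.0.1.1-12.0.33.254 range. The PersistentPool class is a hypothetical userspace model, not a description of the kernel's SNAT implementation.

```python
import ipaddress

# Constructed sample: the two nf_conntrack entries quoted in the thread.
CONNTRACK_LINES = [
    "ipv4 2 udp 17 3 src=100.0.58.1 dst=12.2.58.1 sport=7 dport=7 "
    "[UNREPLIED] src=12.2.58.1 dst=12.0.8.241 sport=7 dport=7 mark=0 zone=0 use=2",
    "ipv4 2 udp 17 3 src=100.0.29.1 dst=12.2.29.1 sport=7 dport=7 "
    "[UNREPLIED] src=12.2.29.1 dst=12.0.8.241 sport=7 dport=7 mark=0 zone=0 use=2",
]

def parse_tuples(line):
    """Split one /proc/net/nf_conntrack line into its original and reply
    (src, sport, dst, dport) tuples: the first four address/port fields are
    the original direction, the next four the expected reply."""
    vals = []
    for field in line.split():
        key, _, value = field.partition("=")
        if key in ("src", "dst", "sport", "dport"):
            vals.append(value)
    orig = (vals[0], int(vals[2]), vals[1], int(vals[3]))
    reply = (vals[4], int(vals[6]), vals[5], int(vals[7]))
    return orig, reply

def reply_tuples_unique(lines):
    """The NAT core only rejects a candidate mapping if the resulting reply
    tuple is already in use, so two clients may share one SNAT address and
    port as long as they talk to different destinations."""
    seen = set()
    for line in lines:
        _, reply = parse_tuples(line)
        if reply in seen:
            return False
        seen.add(reply)
    return True

class PersistentPool:
    """Hypothetical userspace model of the mapping Igor asks for: one pool
    address per client source IP, kept for that client and never handed to
    a second client, regardless of destination."""
    def __init__(self, first, last):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.free = [str(ipaddress.ip_address(a)) for a in range(lo, hi + 1)]
        self.mapping = {}

    def translate(self, src):
        if src not in self.mapping:
            if not self.free:
                raise RuntimeError("SNAT pool exhausted: no unique address left")
            self.mapping[src] = self.free.pop(0)
        return self.mapping[src]
```

Run against the two pasted entries, reply_tuples_unique() returns True because the reply sources (12.2.58.1 and 12.2.29.1) differ even though both replies are addressed to 12.0.8.241:7, while PersistentPool gives the two clients distinct addresses and reports exhaustion instead of reusing one.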
* Re: SNAT range does not use unique IP
From: Igor S @ 2013-12-17 11:07 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter