Linux Netfilter discussions
* De-SNAT-ing and DNAT
@ 2003-02-25 16:59 J. A. Landamore
  2003-02-25 19:03 ` Cedric Blancher
  0 siblings, 1 reply; 3+ messages in thread
From: J. A. Landamore @ 2003-02-25 16:59 UTC (permalink / raw)
  To: netfilter

Please excuse my ignorance with this, but I'm trying to pick the bones out of an 
iptables configuration that has been dropped in my lap.

I have a lan of machines on a 192.168. network with an iptables box to the real 
world.  If I apply SNAT I can map all the internal addresses to the one real 
world facing assigned address.  I assume that when packets come back they are 
"de-SNAT"ed before passing back onto the private lan, and that this happens in 
the "PREROUTING" path.  My question is, does the "de-SNAT" happen before or 
after the "PREROUTING" DNAT?

Why, because I need to make a DNAT decision based on the original _source_ 
address, i.e. which machine originally sourced the packet.

Thanks for your help

John Landamore



* Re: De-SNAT-ing and DNAT
  2003-02-25 16:59 J. A. Landamore
@ 2003-02-25 19:03 ` Cedric Blancher
  0 siblings, 0 replies; 3+ messages in thread
From: Cedric Blancher @ 2003-02-25 19:03 UTC (permalink / raw)
  To: J. A. Landamore, netfilter

----- Original Message -----
From: "J. A. Landamore" <jal@mcs.le.ac.uk>
To: <netfilter@lists.netfilter.org>
Sent: Tuesday, February 25, 2003 5:59 PM
Subject: De-SNAT-ing and DNAT


> I have a lan of machines on a 192.168. network with an iptables box to the real
> world.  If I apply SNAT I can map all the internal addresses to the one real
> world facing assigned address.  I assume that when packets come back they are
> "de-SNAT"ed before passing back onto the private lan, and that this happens in
> the "PREROUTING" path.

You're right.

> My question is, does the "de-SNAT" happen before or
> after the "PREROUTING" DNAT?

As far as I understand NAT stuff, it happens far before, handled by
conntrack which has precedence over any table.

Moreover, only packets with state NEW are going through nat table and its
chains. Further packets will be handled transparently by conntrack and will
not cross nat table. That means if you have a PREROUTING DNAT, it will not
interfere with your SNAT stuff.

> Why, because I need to make a DNAT decision based on the original _source_
> address, i.e. which machine originally sourced the packet.

I do not understand what you mean. De-SNAT stuff (which is an "automatic"
DNAT) sends packets to original source address without doing anything else.
Are you trying to set something more tricky up ?

--
Cédric Blancher  <blancher@cartel-securite.fr>
Consultant in systems and network security  - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE




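A toy model of the ordering described in the reply above (conntrack runs before any table on the inbound path, and only NEW flows traverse the nat chains), added here as an illustration; it is not code from the thread or from netfilter itself, and all addresses and ports are constructed:

```python
# Added example: a simplified model of the inbound hook order on a NAT box.
# conntrack is consulted before the nat table, so the reply to an SNATed flow
# is "de-SNATed" there and never reaches a PREROUTING DNAT rule; only a NEW
# flow is sent through nat PREROUTING at all.  Ports are kept so two LAN hosts
# talking to the same server do not collide (a real SNAT may also rewrite the
# source port, which this model omits).  Addresses below are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatBox:
    wan_ip: str
    # nat PREROUTING DNAT rules: (source to match or "any", new destination)
    dnat_rules: list
    # conntrack: expected reply tuple -> original LAN source of that flow
    conntrack: dict = field(default_factory=dict)
    nat_prerouting_hits: int = 0

    def outbound_from_lan(self, p: Pkt) -> Pkt:
        """NEW flow leaving the LAN: SNAT in nat POSTROUTING, noted by conntrack."""
        self.conntrack[(p.dst, p.dport, self.wan_ip, p.sport)] = p.src
        return Pkt(self.wan_ip, p.sport, p.dst, p.dport)

    def inbound_from_wan(self, p: Pkt) -> tuple:
        """Packet arriving on the WAN side, processed in hook order."""
        # 1. conntrack lookup, before any table: a known reply is un-SNATed here
        orig_src = self.conntrack.get((p.src, p.sport, p.dst, p.dport))
        if orig_src is not None:
            restored = Pkt(p.src, p.sport, orig_src, p.dport)
            return restored, "ESTABLISHED: de-SNAT by conntrack, nat table skipped"
        # 2. only a NEW flow is sent through the nat PREROUTING chain (DNAT)
        self.nat_prerouting_hits += 1
        for match_src, new_dst in self.dnat_rules:
            if match_src in ("any", p.src):
                return Pkt(p.src, p.sport, new_dst, p.dport), "NEW: DNAT in nat PREROUTING"
        return p, "NEW: no DNAT rule matched"
```

The `nat_prerouting_hits` counter stays at zero for the reply packet, which is the point of the answer: a DNAT rule in PREROUTING cannot act on de-SNATed replies, because they never enter the nat table.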

* Re: De-SNAT-ing and DNAT
       [not found] <20030225180802.26030.80793.Mailman@kashyyyk>
@ 2003-02-25 19:23 ` Willi Mann
  0 siblings, 0 replies; 3+ messages in thread
From: Willi Mann @ 2003-02-25 19:23 UTC (permalink / raw)
  To: netfilter, jal

I'm sure, but I would say based on my experience, that you will not see 
the packets that go into the other direction.
I haven't tried but maybe you can use the LOG-target in PRE/POSTROUTING. 
You will see which source and destination the packets have.


Willi

>--__--__--
>
>Message: 5
>Date: Tue, 25 Feb 2003 16:59:57 +0000 (GMT)
>From: "J. A. Landamore" <jal@mcs.le.ac.uk>
>Reply-To: "J. A. Landamore" <jal@mcs.le.ac.uk>
>Subject: De-SNAT-ing and DNAT
>To: netfilter@lists.netfilter.org
>
>Please excuse my ignorance with this, but I'm trying to pick the bones out of an 
>iptables configuration that has been dropped in my lap.
>
>I have a lan of machines on a 192.168. network with an iptables box to the real 
>world.  If I apply SNAT I can map all the internal addresses to the one real 
>world facing assigned address.  I assume that when packets come back they are 
>"de-SNAT"ed before passing back onto the private lan, and that this happens in 
>the "PREROUTING" path.  My question is, does the "de-SNAT" happen before or 
>after the "PREROUTING" DNAT?
>
>Why, because I need to make a DNAT decision based on the original _source_ 
>address, i.e. which machine originally sourced the packet.
>
>Thanks for your help
>
>John Landamore


