From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@vger.kernel.org
Subject: Re: Question about NAT, src ports and dst ports.
Date: Mon, 24 Nov 2008 16:44:21 +0100 [thread overview]
Message-ID: <492ACBD5.20405@plouf.fr.eu.org> (raw)
In-Reply-To: <5ed0ca650811240548v39adffd2ndfc24ee7d858f9fe@mail.gmail.com>
Hello,
patrick daures wrote:
>
> iptables -t nat -A PREROUTING -d .... -m dscp --dscp 46 -j NETMAP --to
> 193.0.0.0/8
>
> But (yes, there is a but)
> when my tool generates packets, it can create TCP, UDP, ... packets
> with dst port and src port values.
> When it creates udp packets with DIFFERENT dscp values but using the
> SAME ports, iptables rules don't work like I want.
[...]
> Is this normal? (I think "yes")
Yes. NAT works on a per-connection basis, not on a per-packet basis. It
relies on connection tracking (aka conntrack) to identify which
connection a packet belongs to. When a packet belongs to an existing
connection, it does not go through the nat chains; instead, the same NAT
operations that were applied to the first packet, the one which created
the connection, are applied to it. This way the same NAT operations
are applied to all the packets belonging to the same connection. The
conntrack uses addresses, protocol and ports but not the DSCP field to
uniquely identify connections. So packets with the same addresses,
protocol and ports are associated to the same connection regardless of
the DSCP field.
> Could I change it ? Is it possible to set iptables in order to avoid
> the srcPort and dstPort check ?
I'm afraid not. You must change at least one element among the source
and destination addresses and ports so packets appear to belong to
different connections.
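The per-connection behaviour described in the answer above, as an added simulation (not code from the original thread or from netfilter): a minimal conntrack-style table keyed on protocol, addresses and ports, with a PREROUTING nat "chain" that is consulted only for the first packet of a connection. The DSCP match and the NETMAP to 193.0.0.0/8 are taken from the quoted rule; the destination match 10.0.0.0/8 stands in for the elided `-d ....` and is an assumption, as are all sample packets. Real conntrack also stores the reply-direction tuple and has timeouts; both are omitted here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed sample packet; only the fields conntrack and the rule look at."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    dscp: int = 0


def netmap_dst(dst: str, to_net: str) -> str:
    """NETMAP semantics for the destination: replace the network part of `dst`
    with the network part of `to_net`, keeping the host bits (IPv4 only)."""
    net = ipaddress.ip_network(to_net, strict=False)
    host_mask = (1 << (32 - net.prefixlen)) - 1
    host_bits = int(ipaddress.ip_address(dst)) & host_mask
    return str(ipaddress.ip_address(int(net.network_address) | host_bits))


class NatSimulator:
    """Simplified model of PREROUTING NAT on top of connection tracking.

    The conntrack table is keyed on (proto, src, sport, dst, dport); the DSCP
    field is deliberately NOT part of the key, exactly as in the kernel.
    """

    def __init__(self, match_dst: str, match_dscp: int, to_net: str):
        self.match_dst = ipaddress.ip_network(match_dst)  # assumed `-d` value
        self.match_dscp = match_dscp                      # `--dscp 46`
        self.to_net = to_net                              # `--to 193.0.0.0/8`
        self.conntrack: dict[tuple, str | None] = {}      # key -> mapped dst
        self.nat_chain_hits = 0                           # how often nat ran

    @staticmethod
    def tuple_of(pkt: Packet) -> tuple:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def prerouting(self, pkt: Packet) -> str:
        """Return the destination address the packet leaves PREROUTING with."""
        key = self.tuple_of(pkt)
        if key not in self.conntrack:
            # New connection: this is the only time the nat chain is evaluated.
            self.nat_chain_hits += 1
            new_dst = None
            if (ipaddress.ip_address(pkt.dst) in self.match_dst
                    and pkt.dscp == self.match_dscp):
                new_dst = netmap_dst(pkt.dst, self.to_net)
            self.conntrack[key] = new_dst
        # Existing connection: reuse whatever was decided for its first packet.
        mapped = self.conntrack[key]
        return mapped if mapped is not None else pkt.dst


def demo() -> dict:
    """Replay the situation from the thread and return what each packet got."""
    nat = NatSimulator(match_dst="10.0.0.0/8", match_dscp=46, to_net="193.0.0.0/8")
    first = Packet("udp", "192.0.2.10", 5000, "10.1.2.3", 5001, dscp=46)
    same_flow_other_dscp = Packet("udp", "192.0.2.10", 5000, "10.1.2.3", 5001, dscp=0)
    other_sport = Packet("udp", "192.0.2.10", 5002, "10.1.2.3", 5001, dscp=0)
    other_sport_dscp46 = Packet("udp", "192.0.2.10", 5002, "10.1.2.3", 5001, dscp=46)
    return {
        "first": nat.prerouting(first),                          # matched, NETMAPped
        "same_flow_other_dscp": nat.prerouting(same_flow_other_dscp),  # still NETMAPped
        "other_sport": nat.prerouting(other_sport),              # new conn, no match
        "other_sport_dscp46": nat.prerouting(other_sport_dscp46),  # inherits "no NAT"
        "nat_chain_hits": nat.nat_chain_hits,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The second packet shows the symptom from the question: same ports, different DSCP, but it inherits the NETMAP decision made for the first packet. The third and fourth show the remedy in the answer: changing the source port creates a new connection, and from then on that connection keeps whatever decision its own first packet produced, whatever the DSCP of later packets.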
2008-11-24 13:48 Question about NAT, src ports and dst ports patrick daures
2008-11-24 15:44 ` Pascal Hambourg [this message]