Linux Netfilter discussions
* Question about NAT, src ports and dst ports.
@ 2008-11-24 13:48 patrick daures
  2008-11-24 15:44 ` Pascal Hambourg
  0 siblings, 1 reply; 2+ messages in thread
From: patrick daures @ 2008-11-24 13:48 UTC (permalink / raw)
  To: netfilter

Hi !
I am trying to set up a testbed using NAT.
A tool creates packets with different DSCP values, then the packets are
sent to a gateway doing NAT using the DSCP values.
For example, EF packets will be DNAT'ed to 193.1.1.1 and BE packets
will be DNAT'ed to 194.1.1.1.

I use :
iptables -t nat -A PREROUTING -d .... -m dscp --dscp 46 -j NETMAP --to
193.0.0.0/8

But (yes, there is a but)
when my tool generates packets, it can create TCP, UDP, ... packets
with dst port and src port values.
When it creates UDP packets with DIFFERENT DSCP values but using the
SAME ports, the iptables rules don't work like I want.
Example :

DNAT Rule :
DSCP : EF ---> DNAT to 193.1.1.1
DSCP : AF11 ---> DNAT to 194.1.1.1

When my generator creates packets like this :
dstPort = 642, srcPort = 326, DSCP = EF ----> DNAT -----> 193.1.1.1
dstPort = 642, srcPort = 326, DSCP = AF11 ----> DNAT -----> 193.1.1.1

iptables seems to apply the same DNAT to the two kinds of packets,
without respecting my iptables rule.

But, when I use the same rules with these packets :
dstPort = 446, srcPort = 222, DSCP = EF ----> DNAT -----> 193.1.1.1
dstPort = 642, srcPort = 326, DSCP = AF11 ----> DNAT -----> 194.1.1.1

it works.

Is this normal ? (I think "yes")
Could I change it ? Is it possible to set iptables in order to avoid
the srcPort and dstPort check ?

Sorry if this message is not easy to understand...

Thank you


* Re: Question about NAT, src ports and dst ports.
  2008-11-24 13:48 Question about NAT, src ports and dst ports patrick daures
@ 2008-11-24 15:44 ` Pascal Hambourg
  0 siblings, 0 replies; 2+ messages in thread
From: Pascal Hambourg @ 2008-11-24 15:44 UTC (permalink / raw)
  To: netfilter

Hello,

patrick daures wrote:
> 
> iptables -t nat -A PREROUTING -d .... -m dscp --dscp 46 -j NETMAP --to
> 193.0.0.0/8
> 
> But (yes, there is a but)
> when my tool generates packets, it can create TCP, UDP, ... packets
> with dst port and src port values.
> When it creates UDP packets with DIFFERENT DSCP values but using the
> SAME ports, the iptables rules don't work like I want.
[...]
> Is this normal ? (I think "yes")

Yes. NAT works on a per-connection basis, not on a per-packet basis. It 
relies on connection tracking (aka conntrack) to identify which 
connection a packet belongs to. When a packet belongs to an existing 
connection, it does not go through the nat chains, it is applied the 
same NAT operations as those which were applied to the first packet 
which created the connection instead. This way the same NAT operations 
are applied to all the packets belonging to the same connection. The 
conntrack uses addresses, protocol and ports but not the DSCP field to 
uniquely identify connections. So packets with the same addresses, 
protocol and ports are associated to the same connection regardless of 
the DSCP field.

> Could I change it ? Is it possible to set iptables in order to avoid
> the srcPort and dstPort check ?

I'm afraid not. You must change at least one element among the source 
and destination addresses and ports so packets appear to belong to 
different connections.

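To make Pascal's explanation concrete, here is a small Python model of the mechanism he describes: a conntrack table keyed on addresses, protocol and ports (and nothing else), with the nat chain consulted only for the first packet of a connection. This is an added illustration written for this page, not code from the thread, from iptables or from the kernel; the rule table, the sample source address 10.0.0.5, the pre-NAT destination 198.51.100.1 and the DSCP codepoint for AF11 (10) are constructed or assumed, while EF (46), the ports and the targets 193.1.1.1 / 194.1.1.1 come from the thread.

```python
"""Toy model of why a DSCP-based DNAT rule is only evaluated once per connection.

Illustration added to this page; not code from the thread or the kernel.
The conntrack key below (saddr, daddr, proto, sport, dport) mirrors the
real 5-tuple at a high level; everything else is a simplified, constructed model.
"""
from dataclasses import dataclass, field

EF, AF11 = 46, 10   # DSCP codepoints: EF=46 is in the thread, AF11=10 is assumed from RFC 2597


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    dscp: int


def conntrack_key(pkt: Packet) -> tuple:
    """The tuple conntrack uses to identify a connection.

    DSCP is deliberately absent: two packets that differ only in DSCP
    map to the same key and therefore to the same connection entry.
    """
    return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)


@dataclass
class NatGateway:
    # Hypothetical nat PREROUTING rules: (DSCP to match, new destination address).
    rules: list
    conntrack: dict = field(default_factory=dict)   # key -> chosen destination
    nat_chain_lookups: int = 0                       # how often the nat chain ran

    def prerouting(self, pkt: Packet) -> str:
        """Return the destination the packet is forwarded to after DNAT."""
        key = conntrack_key(pkt)
        if key in self.conntrack:
            # Established connection: nat chain is skipped, the mapping
            # stored when the connection was created is reused as-is.
            return self.conntrack[key]
        # First packet of a new connection: walk the nat rules once.
        self.nat_chain_lookups += 1
        new_dst = pkt.dst
        for dscp, target in self.rules:
            if pkt.dscp == dscp:
                new_dst = target
                break
        self.conntrack[key] = new_dst   # decision bound to the connection
        return new_dst


def run_scenarios() -> dict:
    """Replay the two experiments from the thread against the model."""
    rules = [(EF, "193.1.1.1"), (AF11, "194.1.1.1")]

    # Scenario 1: same ports, different DSCP -> both hit the first mapping.
    gw = NatGateway(rules)
    same_ports = [
        gw.prerouting(Packet("10.0.0.5", "198.51.100.1", "udp", 326, 642, EF)),
        gw.prerouting(Packet("10.0.0.5", "198.51.100.1", "udp", 326, 642, AF11)),
    ]
    same_ports_lookups = gw.nat_chain_lookups

    # Scenario 2: different ports -> two connections, two independent decisions.
    gw = NatGateway(rules)
    diff_ports = [
        gw.prerouting(Packet("10.0.0.5", "198.51.100.1", "udp", 222, 446, EF)),
        gw.prerouting(Packet("10.0.0.5", "198.51.100.1", "udp", 326, 642, AF11)),
    ]
    return {
        "same_ports": same_ports,
        "same_ports_nat_lookups": same_ports_lookups,
        "different_ports": diff_ports,
        "different_ports_nat_lookups": gw.nat_chain_lookups,
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

On a real gateway the same fact can be observed rather than modelled: the conntrack entry for a flow (for example via `conntrack -L` from conntrack-tools) shows the original and reply tuples, and there is no DSCP column to be found in it. When an experiment needs per-class DNAT decisions, the flows must differ in at least one tuple element, exactly as Pascal says.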
