When does NAT processing actually takes place?

When does NAT processing actually takes place?

[Pandu Poluan]

Another question that's been bugging me:

When does the actual NAT process (i.e., swapping addresses) take place
for DNAT and SNAT/MASQUERADE? And when does the reciprocal NAT (i.e.,
reverse NAT, that should happen for instance to process a reply to a
packet that's been SNAT-ed) take place?

My guess is just after the packet exits the nat table, before it
enters the mangle table.

Am I correct?

Rgds,


-- 
--
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/

Re: When does NAT processing actually takes place?

[Atle Solbakken]

Den 17. mars 2011 01:20, skrev Pandu Poluan:
> When does the actual NAT process (i.e., swapping addresses) take place
> for DNAT and SNAT/MASQUERADE? And when does the reciprocal NAT (i.e.,
> reverse NAT, that should happen for instance to process a reply to a
> packet that's been SNAT-ed) take place?
Take a look at this diagram. Explains iptables packet flow (simplified).

http://www.linuxhomenetworking.com/wiki/images/f/f0/Iptables.gif.pagespeed.ce.WDSY-MDA4o.gif


Atle.

Re: When does NAT processing actually takes place?

[Pandu Poluan]

On Thu, Mar 17, 2011 at 07:25, Julien Vehent <julien@linuxwall.info> wrote:
>
>
> On Wed, Mar 16, 2011 at 8:20 PM, Pandu Poluan <pandu@poluan.info> wrote:
>>
>> Another question that's been bugging me:
>>
>> When does the actual NAT process (i.e., swapping addresses) take place
>> for DNAT and SNAT/MASQUERADE? And when does the reciprocal NAT (i.e.,
>> reverse NAT, that should happen for instance to process a reply to a
>> packet that's been SNAT-ed) take place?
>>
>>
>> My guess is just after the packet exits the nat table, before it
>> enters the mangle table.
>>
>
> NAT is performed after it exists the Mangle table, in PREROUTING and POSTROUTING.
> http://wiki.linuxwall.info/lib/exe/fetch.php/ressources:dossiers:advanced_networking:nf-packet-flow.png
>
>
> Julien

Ah yes, sorry, got the location of the tables mixed up.

So, it's performed after it exits the Mangle table, and after being
processed by the Nat table?

--
Pandu E Poluan
~ IT Optimizer ~

Re: When does NAT processing actually takes place?

[Pandu Poluan]

On Thu, Mar 17, 2011 at 07:48, Atle Solbakken <atle@goliathdns.no> wrote:
> Den 17. mars 2011 01:20, skrev Pandu Poluan:
>>
>> When does the actual NAT process (i.e., swapping addresses) take place
>> for DNAT and SNAT/MASQUERADE? And when does the reciprocal NAT (i.e.,
>> reverse NAT, that should happen for instance to process a reply to a
>> packet that's been SNAT-ed) take place?
>
> Take a look at this diagram. Explains iptables packet flow (simplified).
>
> http://www.linuxhomenetworking.com/wiki/images/f/f0/Iptables.gif.pagespeed.ce.WDSY-MDA4o.gif
>
>
> Atle.
>

It explains the flow alright, but that's not really my question.

I'll try to explain in more detail.

## Scenario 1: External address DNAT to internal server ##

A packet comes in:
[1] To: 11.22.33.44:80
From: 55.66.77.88:34567

It got DNATed:
[2] To: 192.168.1.22:12080
From: 55.66.77.88:34567

The server replied:
[3] To: 55.66.77.88:34567
From: 192.168.1.22:12080

It got "inverse NAT"ed:
[4] To: 55.66.77.88:34567
From: 11.22.33.44:80

## Scenario 2: Internal host accesses outside world ##

A packet comes in from the LAN:
[5] To: 75.64.53.42:80
From: 192.168.5.66:45678

It got SNATed:
[6] To: 75.64.53.42:80
From: 88.77.66.55:45678

The remote side replied:
[7] To: 88.77.66.55:45678
From: 75.64.53.42:80

It got "inverse NAT"ed:
[8] To: 192.168.5.66:45678
From: 75.64.53.42:80


Now, based on the discussions:

* [1]-->[2] happens as packet exits nat/PREROUTING
* [5]-->[6] happens as packet exits nat/POSTROUTING

When do [3]-->[4] and [7]-->[8] happen?


Rgds,
--
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com

Re: When does NAT processing actually takes place?

[Steven Kath]

> I'll try to explain in more detail.
> 
> ## Scenario 1: External address DNAT to internal server ##
> 
> A packet comes in:
> [1] To: 11.22.33.44:80
> From: 55.66.77.88:34567
> 
> It got DNATed:
> [2] To: 192.168.1.22:12080
> From: 55.66.77.88:34567
> 
> The server replied:
> [3] To: 55.66.77.88:34567
> From: 192.168.1.22:12080
> 
> It got "inverse NAT"ed:
> [4] To: 55.66.77.88:34567
> From: 11.22.33.44:80
> 
> ## Scenario 2: Internal host accesses outside world ##
> 
> A packet comes in from the LAN:
> [5] To: 75.64.53.42:80
> From: 192.168.5.66:45678
> 
> It got SNATed:
> [6] To: 75.64.53.42:80
> From: 88.77.66.55:45678
> 
> The remote side replied:
> [7] To: 88.77.66.55:45678
> From: 75.64.53.42:80
> 
> It got "inverse NAT"ed:
> [8] To: 192.168.5.66:45678
> From: 75.64.53.42:80
> 
> 
> Now, based on the discussions:
> 
> * [1]-->[2] happens as packet exits nat/PREROUTING
> * [5]-->[6] happens as packet exits nat/POSTROUTING
> 
> When do [3]-->[4] and [7]-->[8] happen?

Unless I'm mistaken, the "inverse NAT" is part of the conntrack set of functions.  See the diagram linked below. 

The conntrack table contains both the pre-NAT and post-NAT address:port pairings, and for existing connections the conntrack step on the diagram handles the necessary "inverse" translations.  There is a lot of heavy wizardry going on in that little "conntrack" bubble. 

http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg

Re: When does NAT processing actually takes place?

[Pandu Poluan]

On Thu, Mar 17, 2011 at 13:32, Steven Kath <steven.kath@vyatta.com> wrote:
>
> > I'll try to explain in more detail.
> >
> > ## Scenario 1: External address DNAT to internal server ##
> >
> > A packet comes in:
> > [1] To: 11.22.33.44:80
> > From: 55.66.77.88:34567
> >
> > It got DNATed:
> > [2] To: 192.168.1.22:12080
> > From: 55.66.77.88:34567
> >
> > The server replied:
> > [3] To: 55.66.77.88:34567
> > From: 192.168.1.22:12080
> >
> > It got "inverse NAT"ed:
> > [4] To: 55.66.77.88:34567
> > From: 11.22.33.44:80
> >
> > ## Scenario 2: Internal host accesses outside world ##
> >
> > A packet comes in from the LAN:
> > [5] To: 75.64.53.42:80
> > From: 192.168.5.66:45678
> >
> > It got SNATed:
> > [6] To: 75.64.53.42:80
> > From: 88.77.66.55:45678
> >
> > The remote side replied:
> > [7] To: 88.77.66.55:45678
> > From: 75.64.53.42:80
> >
> > It got "inverse NAT"ed:
> > [8] To: 192.168.5.66:45678
> > From: 75.64.53.42:80
> >
> >
> > Now, based on the discussions:
> >
> > * [1]-->[2] happens as packet exits nat/PREROUTING
> > * [5]-->[6] happens as packet exits nat/POSTROUTING
> >
> > When do [3]-->[4] and [7]-->[8] happen?
>
> Unless I'm mistaken, the "inverse NAT" is part of the conntrack set of functions.  See the diagram linked below.
>
> The conntrack table contains both the pre-NAT and post-NAT address:port pairings, and for existing connections the conntrack step on the diagram handles the necessary "inverse" translations.  There is a lot of heavy wizardry going on in that little "conntrack" bubble.
>
> http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg

Ahh, thanks!

Obligatory off-topic comment:

Never would've thought that the little "conntrack" bubble is a bubble
who could ;-)

Rgds,
--
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com

Re: When does NAT processing actually takes place?

[Pascal Hambourg]

Steven Kath a écrit :
>
> Unless I'm mistaken, the "inverse NAT" is part of the conntrack set of
> functions.

Unless I'm mistaken, the direct and inverse NAT is performed in the nat
hooks, called after the mangle chains. Destination NAT is performed in
the PRE_ROUTING or LOCAL_OUT (OUTPUT) hook, and source NAT is performed
in the POST_ROUTING or LOCAL_IN (INPUT) hook.

> The conntrack table contains both the pre-NAT and post-NAT
> address:port pairings,

Yes, but AFAIK this is only used for connection tracking purpose, so
that packets in the original and reply directions can be related to the
conntrack entry.