From: Steve Fink <sphink@gmail.com>
To: Bill Prochazka <billprozac@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: NAT table bypass for local traffic
Date: Wed, 28 Apr 2010 10:59:40 -0700 [thread overview]
Message-ID: <h2v7d7f2e8c1004281059l2ad0d411x1e5f17fd6d7e489f@mail.gmail.com> (raw)
In-Reply-To: <n2h812495871004281019nb633c037i7dc04336bc47bd59@mail.gmail.com>
I probably shouldn't be responding, knowing as little as I do about
such things, but I believe this is by design. The nat table only gets
a crack at packets that initiate a connection -- as in, do not yet
exist in the connection tracking tables. This is true even of UDP
packets, because connection tracking heuristically assigns those to
connections based on observed IP,port pairs and the traffic pattern.
If you want to see those packets in the nat table, you have a number
of options: (1) figure out how to do what you want on a connection
basis and make sure you have everything set up before any connections
are established; (2) install conntrack-tools and do a conntrack -F to
flush out tracked connections, so you'll get one packet from each
connection through the nat table; or (3) add a rule to the raw table
that bypasses connection tracking via the NOTRACK target.
From the iptables manpage, in the description of the nat table: "This
table is consulted when a packet that creates a new connection is
encountered."
I don't know what mechanism makes related packets in an established
connection follow the translation actions set up by the initial
packets. There's a magic sheep bit in there somewhere.
On Wed, Apr 28, 2010 at 10:19 AM, Bill Prochazka <billprozac@gmail.com> wrote:
> So, I have an interesting observation. I am doing some wonky fun
> stuff with iptables and have noticed that traffic generated by a host
> on an existing connection, is bypassing the NAT table for processing.
> I ran netcat listenening on a host and log all traffic on the OUTPUT
> and POSTROUTING chains. When I connect from another host, the traffic
> is not processed by those chains. However, if I initiate a connection
> from that host, the chains are processed appropriately. Is this by
> design or is this a bug? The traffic does pass through the mangle
> table, just not the NAT table. Anyone ever encounter something like
> this? I have verified this on both CentOS 5.4 (2.6.18) and busybox
> (2.6.27).
>
> Bill
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
next prev parent reply other threads:[~2010-04-28 17:59 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-04-28 17:19 NAT table bypass for local traffic Bill Prochazka
2010-04-28 17:59 ` Steve Fink [this message]
2010-04-28 19:46 ` Jan Engelhardt
2010-04-28 20:50 ` Bill Prochazka
2010-04-28 20:55 ` Sven-Haegar Koch
2010-04-29 6:25 ` ratheesh k
[not found] ` <001636c5c15232dea504855f65c2@google.com>
2010-04-30 6:25 ` ratheesh k
2010-04-30 7:22 ` ratheesh k
2010-05-01 4:23 ` ratheesh k
2010-05-01 14:29 ` Pascal Hambourg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=h2v7d7f2e8c1004281059l2ad0d411x1e5f17fd6d7e489f@mail.gmail.com \
--to=sphink@gmail.com \
--cc=billprozac@gmail.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).