You have somehow the wrong distinction between SNAT/MASQUERADE and NAPT/PAT. In Linux, there are two types of dynamic NAT rules, both of which you call "NAPT": source NAT, which intends to leave the destination address intact and only changes the source address. Sometimes it will also change the source port. The examples of SNAT-type rules are SNAT and MASQUERADE. For example, if the connection tracking table already contains the record with this particular (proto, src-addr, src-port, dst-addr, dst-port) tuple (src-addr and src-port are after translation), to be able to make a distinction which is which, the new translation must use another src-port (because this is the only degree of freedom), so the "NAPT" will inevitably take place.

The --to-source option is used to specify which source the packet should use. This option, at its simplest, takes one IP address which we want to use for the source IP address in the IP header. If we want to balance between several IP addresses, we can use a range of IP addresses, separated by a hyphen. The --to-source IP numbers could then, for instance, be something like in the above example: 194.236.50.155-194.236.50.160. The source IP for each stream that we open would then be allocated randomly from these, and a single stream would always use the same IP address for all packets within that stream.

We can also specify a range of ports to be used by SNAT. All the source ports would then be confined to the ports specified. The port bit of the rule would then look like in the example above, :1024-32000. This is only valid if -p tcp or -p udp was specified somewhere in the match of the rule in question. iptables will always try to avoid making any port alterations if possible, but if two hosts try to use the same ports, iptables will map one of them to another port. If no port range is specified, then if they're needed, all source ports below 512 will be mapped to other ports below 512. Those with source ports between 512 and 1023 will be mapped to ports below 1024. All other ports will be mapped to 1024 or above. As previously stated, iptables will always try to maintain the source ports used by the actual workstation making the connection. Note that this has nothing to do with destination ports, so if a client tries to make contact with an HTTP server outside the firewall, it will not be mapped to the FTP control port.

If the destination can route its traffic to the source, no NAT or PAT is required. As an example, no NAT/PAT is required if the VPN clients in 10.8.0.0/24 want to talk with your LAN devices in 192.168.1.0/24, as long as the involved devices can route to the other network (through their gateway). When the source is in an RFC 1918 (private IP) network and the destination is a public IP, because RFC 1918 networks are not routable over the Internet, a NAT is required to replace the private IP by the public IP. This job can be done by a SNAT, not a PAT. Furthermore, you are wrong assuming SNAT/MASQUERADE does not change source ports. Note that if your device wants to reach a remote server on a given destination port, there are chances that the operating system already assigned a random source port over 1024. Reaching a remote HTTPS server on port 443 does not mean that the source port is 443.
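The conntrack-tuple collision described in the first answer and the SNAT port-mapping rules from the tutorial text above, as an added toy model (constructed for this page, not netfilter or iptables code): the original source port is kept when the translated 5-tuple is still unique, otherwise another port is chosen from the same class (<512, 512-1023, >=1024) or, when a `:low-high` range is configured, from that range only. Addresses are constructed documentation values, and the single-address `--to-source` case is modelled.

```python
from typing import Dict, Iterator, Optional, Tuple

# Conntrack key after translation: (proto, src-addr, src-port, dst-addr, dst-port)
ConntrackKey = Tuple[str, str, int, str, int]

def default_pool(sport: int) -> range:
    """Port class used when no range is given: <512, 512-1023, or >=1024."""
    if sport < 512:
        return range(1, 512)
    if sport < 1024:
        return range(512, 1024)
    return range(1024, 65536)

def candidate_ports(sport: int, pool: range) -> Iterator[int]:
    """Keep the original port if allowed; otherwise walk the pool upward and wrap."""
    if sport not in pool:            # ':1024-32000' style range excludes this port
        yield from pool
        return
    yield sport
    yield from range(sport + 1, pool.stop)
    yield from range(pool.start, sport)

class SnatModel:
    """Toy model of SNAT source-port selection (constructed here, not netfilter code)."""

    def __init__(self, to_source: str, port_range: Optional[range] = None) -> None:
        self.to_source = to_source        # single --to-source address
        self.port_range = port_range      # e.g. range(1024, 32001) for ':1024-32000'
        # translated 5-tuple -> original (src-addr, src-port), so replies can be undone
        self.conntrack: Dict[ConntrackKey, Tuple[str, int]] = {}

    def translate(self, proto: str, src: str, sport: int,
                  dst: str, dport: int) -> Optional[Tuple[str, int]]:
        pool = self.port_range if self.port_range is not None else default_pool(sport)
        for port in candidate_ports(sport, pool):
            key: ConntrackKey = (proto, self.to_source, port, dst, dport)
            if key not in self.conntrack:  # the tuple must stay unique after NAT
                self.conntrack[key] = (src, sport)
                return self.to_source, port
        return None                        # pool exhausted: stream cannot be translated

if __name__ == "__main__":
    nat = SnatModel("203.0.113.1")   # constructed documentation addresses
    # Two LAN hosts pick the same ephemeral port towards the same server:port
    print(nat.translate("tcp", "192.168.1.10", 40000, "198.51.100.7", 443))  # 40000 kept
    print(nat.translate("tcp", "192.168.1.11", 40000, "198.51.100.7", 443))  # forced to 40001
```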