Sub: nat issue in netfilter

Sub: nat issue in netfilter

[Kamal Kumar]

Dear netfilter,
                     I have an issue regarding nat in netfilter. When
I configure the following rule "iptables -t nat -A POSTROUTING -s
0.0.0.0/0 -d 0.0.0.0/0  -i eth0 -o eth1 -j SNAT --to A.B.C.D" and run
some ip traffic from eth0 to eth1 found packets from eth1 with
translated source ip A.B.C.D, its fine but when I flush the nat
entries with traffic running from eth0 to eth1, I found packets on
eth1 with translated source ip A.B.C.D . Is this a problem if it is
then how to overcome it (when I flush the entries I should not see
packets from eth1 with translated source ip ).

                                        Thank you,

                    yours failthfully,

                     M KAMAL KUMAR.

Re: Sub: nat issue in netfilter

[Pascal Hambourg]

Hello,

Kamal Kumar a écrit :
>                      I have an issue regarding nat in netfilter. When
> I configure the following rule "iptables -t nat -A POSTROUTING -s
> 0.0.0.0/0 -d 0.0.0.0/0  -i eth0 -o eth1 -j SNAT --to A.B.C.D"

This command will fail with an error. The -i option is invalid in the
POSTROUTING chain.

> and run
> some ip traffic from eth0 to eth1 found packets from eth1 with
> translated source ip A.B.C.D, its fine but when I flush the nat
> entries with traffic running from eth0 to eth1, I found packets on
> eth1 with translated source ip A.B.C.D . Is this a problem if it is

It is the expected default behaviour. The traffic creates new entries in
the conntrack table.

> then how to overcome it (when I flush the entries I should not see
> packets from eth1 with translated source ip ).

What exact behaviour do you want ? No translation or no packets ?
For what kind of traffic (TCP, UDP...) ?
May I ask what is your goal by doing this ?

Re: Sub: NAT issue in netfilter

[Pascal Hambourg]

Kamal Kumar a écrit :
> 
> Below is my exact scenario -> Network 1 wants to communicate with
> Network 2 using NAT enabled router with two ethernet interfaces
> eth0 (192.168.1.1) and eth1 (192.168.2.1).
> 
> |    Network 1    |---| NAT Router |---|     Network 2   |
> (192.168.1.0/24)   ^                  ^     (192.168.2.0/24)
>                              |                  |
>              eth0(192.168.1.1)   eth1(192.168.2.1)
> 
> What I did is as mentioned below.
> 
> Step1: I am applying the following command "iptables -t nat -A
> POSTROUTING -s 0.0.0.0/0 -d 0.0.0.0/0 -o eth1 -j SNAT --to 192.168.2.1"
> in nat router.

Note : "-s 0.0.0.0/0 -d 0.0.0.0/0" is useless as it is the default.

> Step2: Started initiating traffic(ICMP) from network 1 to network 2
> and using wireshark I observed source ip of traffic from network 1
> being translated to ip 192.168.2.1 in nat router.

What kind of ICMP traffic ? Continuous echo requests + replies (aka
"ping") ?

> Step3: With traffic from network 1 to network 2 in PROGRESS I am
> flushing the nat table using the command "iptables -t nat -F".

Oh, I misunderstood your first message. I thought you meant by "nat
table" the connection tracking table used by NAT to store information
about the existing connections (aka conntrack entries).

> Now as there is no rule the source ip of traffic from network 1
> should not be translated to ip 192.168.2.1 (which is my requirement),
> but it is being translated.

As Neal wrote, only packets creating a new connection (= conntrack
entry) go through the chains of the nat table. Packets belonging or
related to an existing connection receive the same NAT mapping that was
applied to the first packet by the nat rules, in order not to break the
connection.

However, the notion of "connection" for ICMP trafic may not be very
clear. For ICMP echo traffic (aka "ping"), a new conntrack entry is
created by an ICMP echo-request packet with a given ID ; all subsequent
ICMP echo-request or echo-reply packets with the same source-destination
pair and ID are assigned to this conntrack entry. In the past with older
kernels, I observed that the conntrack entry was deleted after seeing
the reply, but not any more. The conntrack entry just expires after a
time-out following the last seen packet. The default time-out is 30s.

> What should I do to fullfill my requirement.

After flushing the nat rules, you must flush the conntrack table (or
just delete the corresponding entries) with the "conntrack" utility from
conntrack-tools :

conntrack -F

You can also disable conntrack and NAT on incoming packets with the
target NOTRACK in the "raw" table :

iptables -t raw -A PREROUTING -j NOTRACK

Re: Sub: NAT issue in netfilter

[Neal Murphy]

On Thursday, June 26, 2014 05:44:51 AM Kamal Kumar wrote:
> Dear Hambourg,
> 
> My response to your previous mail,
> 
> > Below is my exact scenario -> Network 1 wants to communicate with Network
> > 2 using NAT enabled router with two ethernet interfaces
> > eth0(192.168.1.1) and eth1 (192.168.2.1).
> > 
> |    Network 1    |---| NAT Router |---|     Network 2   |
> 
> (192.168.1.0/24)   ^                  ^     (192.168.2.0/24)
> 
>              eth0(192.168.1.1)   eth1(192.168.2.1)
> 
> > What I did is as mentioned below.
> >
> >Step1: I am applying the following command "iptables -t nat -A POSTROUTING
> >-s 0.0.0.0/0 -d 0.0.0.0/0 -o eth1 -j SNAT --to 192.168.2.1" in nat
> >router.
> >
> >Step2: Started initiating traffic(ICMP) from network 1 to network 2 and
> >using wireshark I observed source ip of traffic from network 1 being
> >translated to ip 192.168.2.1 in nat router.
> >
> >Step3: With traffic from network 1 to network 2 in PROGRESS I am flushing
> >the nat table using the command "iptables -t nat -F".
> >
> > Now as there is no rule the sourece ip of traffic from network 1 should
> > not be translated to ip 192.168.2.1 (which is my requirement), but it is
> > being translated.
> > 
> > What should I do to fullfill my requirement.

As I recall, rules in table nat apply to new conns, not all packets. I believe 
you have to terminate existing conns to stop them.

Sub: NAT issue in netfilter

[Kamal Kumar]

Dear Hambourg,

My response to your previous mail,

> Below is my exact scenario -> Network 1 wants to communicate with Network 2 using NAT enabled router with two ethernet interfaces eth0(192.168.1.1) and eth1 (192.168.2.1).

|    Network 1    |---| NAT Router |---|     Network 2   |
(192.168.1.0/24)   ^                  ^     (192.168.2.0/24)
                             |                  |
             eth0(192.168.1.1)   eth1(192.168.2.1)

> What I did is as mentioned below.

>Step1: I am applying the following command "iptables -t nat -A POSTROUTING -s 0.0.0.0/0 -d 0.0.0.0/0 -o eth1 -j SNAT --to 192.168.2.1" in nat router.

>Step2: Started initiating traffic(ICMP) from network 1 to network 2 and using wireshark I observed source ip of traffic from network 1 being translated to ip 192.168.2.1 in nat router.

>Step3: With traffic from network 1 to network 2 in PROGRESS I am flushing the nat table using the command "iptables -t nat -F".

> Now as there is no rule the sourece ip of traffic from network 1 should not be translated to ip 192.168.2.1 (which is my requirement), but it is being translated.

> What should I do to fullfill my requirement.