At the moment I am diving into the details of the Netfilter Architecture of Linux. I am already familiar with Netfilter hooks, tables, chains, the different kernel modules, etc.

But there is one detail of NAT in combination with connection tracking that I don't understand. I try to explain my problem with a little SNAT example. In this example I will ignore the transport layer because I think it is not necessary to understand my problem. There is a client computer on the local network with the IP address 192.168.2.55 and a NAT-gateway with the external IP address 193.157.56.3. Now the client wants to communicate with a server with the IP address 217.254.1.76 on the Internet. So the client sends a packet with src = 192.168.2.55/dst = 217.254.1.76 to the NAT-gateway, which is also the default gateway. Connection tracking tracks this new connection and creates two new tuples: IP_CT_DIR_ORIGINAL and IP_CT_DIR_REPLY are macros to access an array of two tuples.

At the POSTROUTING hook NAT asks connection tracking for an existing connection and, if this is successful, changes the source address in the header of the packet. It also silently creates a DNAT rule to revert the destination address of replies. NAT changes the destination address in IP_CT_DIR_REPLY to its external IP address 193.157.56.3. That is why connection tracking can track the replies in the PREROUTING hook: there is an existing tuple for the reply. But after tracking the packet, NAT changes the destination address to the address of the client, 192.168.2.55. There is no reply tuple with src = 217.254.1.76/dst = 192.168.2.55 because NAT has changed it. Now my question: How can connection tracking track this packet in the POSTROUTING hook?

You should install the conntrack command, usually packaged as conntrack or conntrack-tools, from. It will mostly display the same content as /proc/net/nf_conntrack but can do more. Run conntrack in event mode on the NAT gateway: conntrack -E (or you can choose conntrack -E --proto tcp --orig-port-dst 443 to limit to HTTPS).
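As an added example, not part of the question or the answer above, here is a small Python parser for lines in the format that conntrack -E prints, run over constructed sample events that mirror the SNAT scenario of the question: the original tuple carries the client's address, while the reply tuple's destination is already the gateway's external address, which is what makes the reply trackable in PREROUTING. The event lines, the port numbers and the address 203.0.113.5 are constructed for illustration, not captured from a real gateway.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample events in the layout 'conntrack -E' prints (not real captures).
# Flows 1-3: the SNAT'd client connection from the question; flow 4: a query sent
# by the gateway itself, which is not NAT'd (reply dst equals original src).
SAMPLE_EVENTS = """\
    [NEW] tcp      6 120 SYN_SENT src=192.168.2.55 dst=217.254.1.76 sport=50312 dport=443 [UNREPLIED] src=217.254.1.76 dst=193.157.56.3 sport=443 dport=50312
 [UPDATE] tcp      6 60 SYN_RECV src=192.168.2.55 dst=217.254.1.76 sport=50312 dport=443 src=217.254.1.76 dst=193.157.56.3 sport=443 dport=50312
 [UPDATE] tcp      6 432000 ESTABLISHED src=192.168.2.55 dst=217.254.1.76 sport=50312 dport=443 src=217.254.1.76 dst=193.157.56.3 sport=443 dport=50312 [ASSURED]
    [NEW] udp      17 30 src=193.157.56.3 dst=203.0.113.5 sport=40000 dport=53 [UNREPLIED] src=203.0.113.5 dst=193.157.56.3 sport=53 dport=40000
"""

EVENT_RE = re.compile(r"\[(NEW|UPDATE|DESTROY)\]\s+(\w+)\s+(\d+)\s+(\d+)(?:\s+([A-Z_]+))?")
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

@dataclass(frozen=True)
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class CtEvent:
    kind: str                 # NEW / UPDATE / DESTROY
    proto: str                # tcp, udp, ...
    state: Optional[str]      # TCP state such as SYN_SENT; None for stateless protocols
    orig: Tuple4              # IP_CT_DIR_ORIGINAL tuple
    reply: Tuple4             # IP_CT_DIR_REPLY tuple, already rewritten by NAT
    flags: Tuple[str, ...]    # UNREPLIED / ASSURED markers

    def is_snat(self) -> bool:
        # SNAT shows up as a reply tuple whose destination differs from the
        # original source: the reply direction was rewritten when the entry was created.
        return self.reply.dst != self.orig.src

def parse_event(line: str) -> CtEvent:
    head = EVENT_RE.search(line)
    tuples = TUPLE_RE.findall(line)
    if head is None or len(tuples) != 2:
        raise ValueError("not a conntrack event with original and reply tuple: %r" % line)
    orig, reply = (Tuple4(s, d, int(sp), int(dp)) for s, d, sp, dp in tuples)
    flags = tuple(re.findall(r"\[(UNREPLIED|ASSURED)\]", line))
    return CtEvent(head.group(1), head.group(2), head.group(5), orig, reply, flags)

def parse_events(text: str) -> List[CtEvent]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]
```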