linux
Vladislav_vb, 2017-06-23 08:11:23

Has anyone run into iptables -j SNAT not always NATing packets?

On the external interface, packets show up whose SRC field contains internal-network addresses, such as 192.168.0.0/24, which gives away the layout of the internal network quite nicely. The DST field contains the normal address the packet is sent to.
The only rules are:

[email protected]:~# iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o eth2 -j SNAT --to-source XX.YY.ZZ.WW

This does not happen to all packets, only to some (roughly 1%, I didn't count exactly).


1 answer(s)
Mystray, 2017-06-23

Only the first packet of each connection passes through -t nat, and it must be in the NEW conntrack state; all the other packets within the connection do not "visibly" pass through this table and are not counted there, although they are NATed.
And if you have packets arriving in the INVALID state from the start, they will not go through -t nat either. If you don't like this behaviour: -I FORWARD -m state --state INVALID -j DROP
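The behaviour described in the answer, as an added example that is not part of the original thread: a toy model of the conntrack and nat/POSTROUTING path. Only the first (NEW) packet of a flow traverses the nat table and creates a conntrack entry; later packets of that flow are translated from the entry without touching the table, and a packet that conntrack classifies as INVALID skips the nat table entirely and leaves with its private source address unless FORWARD drops it. The public address, the hosts and the sample traffic are constructed for the example (EXT_IP stands in for XX.YY.ZZ.WW); the INVALID rule in the model is a simplification of the kernel's.

```python
"""Toy model of netfilter conntrack + nat table traversal (added example).

Assumptions, not from the thread: EXT_IP stands in for XX.YY.ZZ.WW, the
hosts, ports and traffic below are constructed sample data.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

EXT_IP = "203.0.113.1"   # assumed public address of eth2 (XX.YY.ZZ.WW)
NAT_PORT_BASE = 40000     # assumed start of the SNAT source-port range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False


FlowKey = Tuple[str, int, str, int]


class Router:
    """Simplified FORWARD -> nat/POSTROUTING path with connection tracking."""

    def __init__(self, drop_invalid: bool = False) -> None:
        # conntrack entry: original 4-tuple -> (translated src ip, src port)
        self.conntrack: Dict[FlowKey, Tuple[str, int]] = {}
        self.nat_table_hits = 0          # what "iptables -t nat -L -v" would count
        self.drop_invalid = drop_invalid  # -I FORWARD -m state --state INVALID -j DROP

    def ctstate(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            return "ESTABLISHED"
        if pkt.syn:
            return "NEW"
        # Toy rule: a non-SYN segment with no conntrack entry is INVALID. The
        # kernel's criteria are wider (out-of-window segments, table full, etc.),
        # but the consequence is the same: INVALID never reaches -t nat.
        return "INVALID"

    def forward(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        state = self.ctstate(pkt)
        if state == "INVALID":
            if self.drop_invalid:
                return None                   # dropped in FORWARD
            return pkt                        # skips -t nat: leaves eth2 with private src
        if state == "NEW":
            self.nat_table_hits += 1          # only this packet traverses -t nat
            self.conntrack[key] = (EXT_IP, NAT_PORT_BASE + len(self.conntrack))
        ext_ip, ext_port = self.conntrack[key]  # later packets reuse the entry
        return replace(pkt, src=ext_ip, sport=ext_port)


def simulate(drop_invalid: bool) -> Dict[str, int]:
    """Push constructed traffic through the model and summarise what left eth2."""
    router = Router(drop_invalid)
    traffic: List[Packet] = [
        Packet("192.168.0.10", 51000, "198.51.100.5", 443, syn=True),
        Packet("192.168.0.10", 51000, "198.51.100.5", 443),
        Packet("192.168.0.10", 51000, "198.51.100.5", 443),
        Packet("192.168.0.11", 51001, "198.51.100.5", 80, syn=True),
        Packet("192.168.0.11", 51001, "198.51.100.5", 80),
        # stray mid-stream segment with no conntrack entry (e.g. entry timed out)
        Packet("192.168.0.12", 51002, "198.51.100.5", 443),
    ]
    out = [router.forward(p) for p in traffic]
    sent = [p for p in out if p is not None]
    leaked = [p for p in sent if p.src.startswith("192.168.")]
    return {
        "packets": len(traffic),
        "nat_table_hits": router.nat_table_hits,
        "sent": len(sent),
        "leaked": len(leaked),
        "dropped": out.count(None),
    }


if __name__ == "__main__":
    print("without INVALID drop:", simulate(drop_invalid=False))
    print("with INVALID drop:   ", simulate(drop_invalid=True))
```

The nat table counter stays at 2 for 6 packets in both runs, which is why the SNAT rule's packet count looks far too low in `iptables -t nat -L -v` even though the established flows are translated correctly; the one stray segment is the kind of packet that leaks with a 192.168.x.x source until the FORWARD rule from the answer drops it.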
