Re: iptables question

To: debian-user@lists.debian.org
Subject: Re: iptables question
From: Joe <joe@jretrading.com>
Date: Sun, 13 Nov 2016 10:09:02 +0000
Message-id: <[🔎] 20161113100902.7b06531e@jresid.jretrading.com>
In-reply-to: <[🔎] bb2f9f69-981d-eb48-c4eb-ee279583a5ec@plouf.fr.eu.org>
References: <[🔎] o080pt$ok8$1@blaine.gmane.org> <[🔎] 20161112223216.2c7cf605@jresid.jretrading.com> <[🔎] bb2f9f69-981d-eb48-c4eb-ee279583a5ec@plouf.fr.eu.org>

On Sun, 13 Nov 2016 10:35:29 +0100
Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:

> Le 12/11/2016 à 23:32, Joe a écrit :
> >
> > The SNAT should not be an issue, it can handle all protocols
> > transparently  
> 
> No it cannot. NAT is not possible with some IP protocols. Plain IPSec 
> (without NAT-T encapsulation) is the first one that comes in mind.

I used to have a fair bit to do with PPTP through three or four NATs,
which sometimes involved guessing what Windows equivalents of conntrack
were up to.

> 
> Also many complex protocols such as FTP or SIP (nothing exotic here) 
> require special support and this is not transparent as it requires 
> messing with the payload, not only with the packet headers. Use of 
> encryption with these protocoles may come in the way and defeat NAT 
> handling.

Is ssh really a more difficult protocol to handle than http? In the
context of this question, I would suggest not. I'm using 'protocol' in
the small-p sense, not referring specifically to Internet Protocols.

-- 
Joe

Reply to:

Follow-Ups:
- Re: iptables question
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>

References:
- iptables question
  - From: deloptes <deloptes@gmail.com>
- Re: iptables question
  - From: Joe <joe@jretrading.com>
- Re: iptables question
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>

Prev by Date: Re: iptables question
Next by Date: Re: libvirt-bin on Stretch
Previous by thread: Re: iptables question
Next by thread: Re: iptables question
Index(es):
- Date
- Thread