Re: iptables question
On Sun, 13 Nov 2016 10:35:29 +0100
Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
> On 12/11/2016 at 23:32, Joe wrote:
> >
> > The SNAT should not be an issue, it can handle all protocols
> > transparently
>
> No it cannot. NAT is not possible with some IP protocols. Plain IPSec
> (without NAT-T encapsulation) is the first one that comes to mind.

I used to have a fair bit to do with PPTP through three or four NATs,
which sometimes involved guessing what Windows equivalents of conntrack
were up to.
>
> Also many complex protocols such as FTP or SIP (nothing exotic here)
> require special support and this is not transparent as it requires
> messing with the payload, not only with the packet headers. Use of
> encryption with these protocols may get in the way and defeat NAT
> handling.

Is ssh really a more difficult protocol to handle than http? In the
context of this question, I would suggest not. I'm using 'protocol' in
the small-p sense, not referring specifically to Internet Protocols.
--
Joe
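
Added example, not part of the original messages: a minimal sketch of the payload rewriting the quoted text describes for FTP, where the client's address travels inside the PORT command and a NAT helper must edit it. The function name `rewrite_port` and all addresses and byte strings are constructed for illustration.

```python
import ipaddress
import re

# Active-mode FTP announces the data endpoint in the payload:
# "PORT h1,h2,h3,h4,p1,p2" where port = p1 * 256 + p2 (RFC 959).
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),"
                     rb"(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line):
    """Return (ip, port) carried in a PORT command, or None if unreadable."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    f = [int(x) for x in m.groups()]
    if any(v > 255 for v in f):
        return None
    return "%d.%d.%d.%d" % tuple(f[:4]), f[4] * 256 + f[5]


def rewrite_port(line, public_ip, public_port):
    """Rewrite the embedded endpoint the way a NAT helper has to.

    Returns (new_line, length_delta), or None when the payload is not a
    readable PORT command (for example because it is encrypted).
    """
    if parse_port(line) is None:
        return None
    octets = ipaddress.IPv4Address(public_ip).packed
    new = b"PORT %d,%d,%d,%d,%d,%d\r\n" % (
        *octets, public_port >> 8, public_port & 0xFF)
    # A non-zero delta means later TCP sequence/ack numbers on this
    # connection must be adjusted as well, not just the IP header.
    return new, len(new) - len(line)


# Constructed samples: a cleartext PORT command from a private host, and
# bytes shaped like a TLS application-data record (control channel encrypted).
CLEARTEXT = b"PORT 192,168,1,10,195,80\r\n"
ENCRYPTED = b"\x17\x03\x03\x00\x1a" + bytes(range(26))

if __name__ == "__main__":
    print(parse_port(CLEARTEXT))
    print(rewrite_port(CLEARTEXT, "203.0.113.7", 40001))
    print(rewrite_port(ENCRYPTED, "203.0.113.7", 40001))
```

Header-only SNAT would leave 192.168.1.10 inside the cleartext command, and the encrypted sample gives the helper nothing to match.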