
Re: iptables question



On Sun, 13 Nov 2016 11:29:48 +0100
Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:

> Le 13/11/2016 à 11:09, Joe a écrit :
> > Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
> >  
> >> Le 12/11/2016 à 23:32, Joe a écrit :  
> >>>
> >>> The SNAT should not be an issue, it can handle all protocols
> >>> transparently  
> >>
> >> No it cannot. NAT is not possible with some IP protocols. Plain
> >> IPSec (without NAT-T encapsulation) is the first one that comes in
> >> mind.  
> >
> > I used to have a fair bit to do with PPTP through three or four
> > NATs,  
> 
> PPTP rather falls into the "complex protocols" described below.

Exactly so. You wouldn't believe how many routers of ten years ago or
so didn't handle it properly, at least with their initial firmware. But
it still doesn't need any additional NAT rules in iptables, the single
SNAT rule handles it, as well as tcp, udp etc. Other rules are needed
for correct *operation*, but not for NAT. Yes, I'm aware that NAT stops
plain IPSec working, as the endpoint IP addresses are involved in the
encryption. That isn't an iptables rule issue, and our single SNAT
rule will forward Protocol 47 and 50 just as easily as Protocol 6.

> 
> >> Also many complex protocols such as FTP or SIP (nothing exotic
> >> here) require special support and this is not transparent as it
> >> requires messing with the payload, not only with the packet
> >> headers. Use of encryption with these protocols may come in the
> >> way and defeat NAT handling.  
> >
> > Is ssh really a more difficult protocol to handle than http?  
> 
> No. SSH relies on a single TCP connection, like TCP and other
> "simple" protocols. I reacted to you writing "NAT can handle *all*
> protocols *transparently*".
> 
> > I'm using 'protocol' in
> > the small-p sense, not referring specifically to Internet
> > Protocols.  
> 
> What is the "small-p sense" ?
> 

In the sense of 'a defined system for data transfer', as opposed to the
Internet Protocols of tcp, udp, gre etc. http is spoken of as a
'protocol', small-p, although it is a tiny subset of the tcp Internet
Protocol. Many people used to confuse tcp port 47 with IP 47, to the
extent that some router firmware would forward IP 47 if asked for
tcp/47, which only perpetuated the confusion.

-- 
Joe
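As an added illustration of the points made in this message, and not code from the thread or from either poster: a minimal NAT-router ruleset in which one SNAT rule covers every IP protocol, while the FORWARD chain still needs per-protocol rules for the traffic to pass, and in which IP protocol 47 (GRE) is written as `-p 47`, not as `-p tcp --dport 47`. The interface names and addresses (eth0, eth1, 203.0.113.10, 192.168.1.0/24) are assumptions. Without the `apply` argument the script only prints the iptables commands it would run.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. A minimal
# NAT-router ruleset: one SNAT rule in the nat table covers every IP
# protocol, while the FORWARD chain still needs per-protocol rules for
# the traffic to actually pass. Interface names and addresses are
# assumptions: WAN=eth0, LAN=eth1, WAN_IP=203.0.113.10 (documentation
# range), LAN_NET=192.168.1.0/24.
# Run as "sh nat-example.sh apply" (as root, on Linux) to install the
# rules; without "apply" it only prints the iptables commands.
IPT="${IPT:-iptables}"
[ "${1:-}" = apply ] || IPT=echo
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
WAN_IP="${WAN_IP:-203.0.113.10}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# The single NAT rule. It names no protocol, so it rewrites the source
# address of tcp, udp, gre (47), esp (50) and anything else conntrack
# can track.
nat_rules() {
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" \
        -j SNAT --to-source "$WAN_IP"
}

# Filter rules: NAT alone does not let traffic through a FORWARD chain
# whose policy is DROP. Note the difference between "-p 47" (IP
# protocol 47, GRE) and "-p tcp --dport 47" (TCP port 47), which some
# old router firmware confused.
forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # PPTP control channel: a small-p protocol carried over TCP port 1723.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport 1723 -j ACCEPT
    # PPTP data channel: GRE, IP protocol 47.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -p 47 -j ACCEPT
    # Plain IPsec ESP, IP protocol 50. The router forwards and SNATs it;
    # whether the peers still accept it after the address rewrite is an
    # IPsec matter, not an iptables one.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -p 50 -j ACCEPT
}

# The mistake, shown for contrast only: this matches TCP segments to
# port 47 and never sees a GRE packet.
wrong_gre_rule() {
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport 47 -j ACCEPT
}

# PPTP is a "complex" protocol: the GRE call IDs are negotiated inside
# the TCP control channel, so conntrack needs the pptp helper to tie
# the GRE flow to the TCP session (and to NAT the call IDs). Helpers
# are assigned explicitly with the CT target in the raw table.
pptp_helper_rules() {
    if [ "$IPT" != echo ]; then
        modprobe nf_nat_pptp   # pulls in nf_conntrack_pptp as well
    fi
    $IPT -t raw -A PREROUTING -i "$LAN" -p tcp --dport 1723 -j CT --helper pptp
}

nat_rules
forward_rules
pptp_helper_rules
```

With the pptp helper loaded, the GRE flow is marked RELATED and would pass on the ESTABLISHED,RELATED rule alone; the explicit `-p 47` rule is kept so that the distinction from `tcp/47` is visible in the ruleset.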

