NAT only - No connection tracking
Brad Chapman
kakadu_croc@yahoo.com
Tue, 12 Nov 2002 16:36:05 -0800 (PST)
Mr. Filip,
--- Filip Sneppe <filip.sneppe@cronos.be> wrote:
> On Mon, 2002-11-11 at 20:21, Brad Chapman wrote:
> >
> > Basically, if this person wants to do NAT, he has to do connection tracking as
> > well.
> > LYSB, he doesn't have to run ctrack without NAT, but without ctrack the current
> > implementation of NAT in netfilter won't work. If there are other stateless NAT
> > kernel implementations available that attach to netfilter, then I am currently
> > unaware of them.
> >
> Hi Brad & Antony,
>
> There is one other way to do NAT without connection tracking - this is
> even possible on 2.2 kernels. There is some NAT functionality in the
> routing code (policy routing, advanced routing).
>
> This is a form of NAT where only the IP addresses in the IP header
> are changed, no data inside the packet payload is inspected or changed.
> Also, there is no automatic retranslation of return packets, like with
> iptables.
*thunk*
Duh! I had forgotten about that, having never used it. Good call. Maybe the original
poster will be interested in this.
>
> The syntax is a little different and takes some time to get used to;
> basically you get something like this:
>
> ip rule add from 192.168.1.32/27 nat 10.1.1.32 prio 14000
> ip route add nat 10.1.1.32/27 via 192.168.1.32
>
> to set up NAT rules.
>
> For more info, see the iproute documentations. I can also recommend
> the book "Policy Routing with Linux" by Matthew G. Marsh, who is also
> a contributor on this list.
>
> The book is being released online at http://www.policyrouting.org/,
> but is definitely worth the buy.
>
> Regards,
> Filip
>
Brad
=====
Brad Chapman
Permanent e-mail: kakadu_croc@yahoo.com
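The two iproute commands quoted in the thread express a stateless, 1:1 address mapping: `ip rule add from 192.168.1.32/27 nat 10.1.1.32` rewrites the source of outbound packets, and `ip route add nat 10.1.1.32/27 via 192.168.1.32` rewrites the destination of the replies, with no state kept between the two directions and nothing in the payload touched. The following is an added illustration of that model, not code from the thread or from the iproute2/kernel implementation: it maps addresses by host offset within the two /27s, rewrites only the IPv4 header (recomputing the header checksum) and copies the payload through unchanged. The packet builder, the sample addresses 198.51.100.7 and 172.16.0.1 and the FTP-style payload are constructed for the example.

```python
import ipaddress
import struct

# Mapping taken from the two commands in the post:
#   ip rule add from 192.168.1.32/27 nat 10.1.1.32 prio 14000   -> outbound: rewrite source
#   ip route add nat 10.1.1.32/27 via 192.168.1.32              -> inbound: rewrite destination
INSIDE = ipaddress.ip_network("192.168.1.32/27")
OUTSIDE = ipaddress.ip_network("10.1.1.32/27")


def map_address(addr, from_net, to_net):
    """1:1 stateless mapping: keep the host offset inside the /27, swap the network base.
    Returns None when the address is outside from_net (the rule/route does not apply)."""
    a = ipaddress.ip_address(addr)
    if a not in from_net:
        return None
    offset = int(a) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's complement sum of 16-bit words.
    Run over a header that already carries a correct checksum, it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload: bytes, proto=17) -> bytes:
    """Constructed minimal IPv4 packet (20-byte header, no options) used as sample input."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def rewrite_header(packet: bytes, new_src=None, new_dst=None) -> bytes:
    """Replace addresses in the IP header only and recompute the header checksum.
    Everything after the header is copied through untouched, which is why this form
    of NAT cannot fix up addresses that a protocol carries inside its payload."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    if new_src is not None:
        hdr[12:16] = ipaddress.ip_address(new_src).packed
    if new_dst is not None:
        hdr[16:20] = ipaddress.ip_address(new_dst).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def nat_outbound(packet: bytes) -> bytes:
    """Model of the 'ip rule ... nat' step for packets leaving the inside network."""
    src = ipaddress.ip_address(packet[12:16])
    mapped = map_address(src, INSIDE, OUTSIDE)
    return packet if mapped is None else rewrite_header(packet, new_src=mapped)


def nat_inbound(packet: bytes) -> bytes:
    """Model of the 'ip route add nat' step for replies arriving at the outside addresses."""
    dst = ipaddress.ip_address(packet[16:20])
    mapped = map_address(dst, OUTSIDE, INSIDE)
    return packet if mapped is None else rewrite_header(packet, new_dst=mapped)


def header_fields(packet: bytes):
    """(src, dst, checksum_ok, payload) for inspection."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = packet[:ihl]
    return (str(ipaddress.ip_address(hdr[12:16])),
            str(ipaddress.ip_address(hdr[16:20])),
            ipv4_checksum(hdr) == 0,
            packet[ihl:])


if __name__ == "__main__":
    # Constructed sample: an inside host talks to 198.51.100.7 and, like an FTP PORT
    # command, also embeds its own inside address in the payload.
    out = nat_outbound(build_ipv4("192.168.1.40", "198.51.100.7", b"PORT 192,168,1,40,4,1"))
    print(header_fields(out))   # source becomes 10.1.1.40; payload still says 192,168,1,40
    back = nat_inbound(build_ipv4("198.51.100.7", "10.1.1.40", b"reply"))
    print(header_fields(back))  # destination mapped back to 192.168.1.40
```

The inbound direction works only because a matching `nat` route exists for the whole outside block; nothing was remembered from the outbound packet, which is the difference from iptables' connection-tracked NAT. The unchanged `PORT 192,168,1,40,...` payload shows the other consequence Filip mentions: protocols that carry addresses in-band get no help from this kind of NAT.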