Stateless NAT

Jozsef Kadlecsik kadlec at blackhole.kfki.hu
Thu Feb 24 17:43:12 CET 2005


On Thu, 24 Feb 2005, John A. Sullivan III wrote:

> Thanks to some help from Philip Craig of SnapGear, I'm still alive on
> this issue of UDP broadcast helping using iptables.  The next problem is
> creating the stateless NAT that I need.  My first choice would be to do
> this with iproute2 but it appears to be broken in the 2.6 kernel.
>
> I next tried doing this by using the raw table and NOTRACK target for
> udp broadcasts on the needed port and then DNAT on the same packets to
> the unicast address.  However, apparently NOTRACK disables NAT so that
> didn't work.  When using conntrack for most packets, how does one
> disable conntrack for certain NAT packets only? In other words, how does
> one do selective, stateless NAT in iptables? Thanks - John

You cannot do NAT without conntrack, because NAT in netfilter is built on
top of conntrack. With the NOTRACK target you disable conntrack for the
selected packets and thus disable NAT as well.

Currently there is no way to define stateless NAT in netfilter. That is
the bad news. The good news, however, is that one could write a stateless NAT
target module; nothing prevents that.

Best regards,
Jozsef
-
E-mail  : kadlec at blackhole.kfki.hu, kadlec at sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
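A practical consequence of the point above is that a raw-table NOTRACK rule silently shadows any nat-table rule matching the same packets. The following is an added example, not code from this thread or from netfilter: a small checker over iptables-save output that flags NAT rules whose match is covered by a NOTRACK rule. The sample ruleset is constructed; the match comparison is a deliberately conservative heuristic (protocol and --dport only, chains ignored).

```python
import re
from typing import Dict, List

# Targets that require a conntrack entry to function.
NAT_TARGETS = {"DNAT", "SNAT", "MASQUERADE", "REDIRECT", "NETMAP"}

# Constructed iptables-save excerpt reproducing the NOTRACK + DNAT mistake.
SAMPLE = """\
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 5000 -j NOTRACK
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 5000 -j DNAT --to-destination 192.0.2.10
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.20
COMMIT
"""

def parse_save(text: str) -> Dict[str, List[dict]]:
    """Parse iptables-save text into {table: [rule, ...]}, keeping only
    the fields this check needs: protocol, destination port, jump target."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):                 # table header, e.g. *raw
            current = line[1:]
            tables.setdefault(current, [])
        elif line.startswith("-A") and current:  # an appended rule
            rule = {"raw": line}
            for key, pat in (("proto", r"(?:^|\s)-p\s+(\S+)"),
                             ("dport", r"--dport\s+(\S+)"),
                             ("target", r"(?:^|\s)-j\s+(\S+)")):
                m = re.search(pat, line)
                rule[key] = m.group(1) if m else None
            tables[current].append(rule)
    return tables

def covers(notrack: dict, nat: dict) -> bool:
    """True when the NOTRACK match is at least as broad as the NAT rule's:
    an unset protocol or port on the NOTRACK side matches everything."""
    if notrack["proto"] and notrack["proto"] != nat["proto"]:
        return False
    if notrack["dport"] and notrack["dport"] != nat["dport"]:
        return False
    return True

def shadowed_nat_rules(text: str) -> List[str]:
    """Return nat-table rules that a raw-table NOTRACK rule will disable."""
    tables = parse_save(text)
    notracks = [r for r in tables.get("raw", []) if r["target"] == "NOTRACK"]
    return [nat["raw"] for nat in tables.get("nat", [])
            if nat["target"] in NAT_TARGETS and any(covers(n, nat) for n in notracks)]

if __name__ == "__main__":
    for rule in shadowed_nat_rules(SAMPLE):
        print("NAT rule shadowed by NOTRACK:", rule)
```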