Does iptables automatically perform SNAT for response packets, and if it does, when does it happen?

3

1

Let's assume we have a router which has an internal IP (192.168.1.1) and an external IP (192.0.2.5), and a computer behind the router which has an internal IP (192.168.1.100). And the router has already been configured to MASQUERADE the source IP so the user can access the internet.

And I am wondering: when the internet server responds to the user's request with a packet (SRC:8.8.8.8->DST:192.0.2.5) and this packet goes into iptables but no rule has been configured to DNAT it back to the user's IP, how does the user even receive the response?

And I've googled it; someone said it is DNATed automatically by Netfilter. I am wondering if that is true or not, and if it is true, when is this hidden DNAT performed? Is it performed when the packet arrives at the FILTER table or the NAT table, or something else? And after it is DNATed, will it go into FILTER's INPUT table or FORWARD table?

Zhizhang Deng

Posted 2017-05-19T08:37:59.133

Reputation: 31

Answers

0

Netfilter keeps tracking information on what you send to the MASQUERADE target. When corresponding responses (packets) are received, they are subject to the nat table. The path for incoming packets moving through the nat table is as follows:

1. ingress at router external interface
2. nat - PREROUTING
    a. convert external IP to internal IP
3. nat - POSTROUTING
4. egress at router internal interface
5. ingress at internal computer interface

The DNAT is performed in the PREROUTING chain of the nat table. If the original source of the packets was an internal computer on your LAN, the packets will not pass through the filter table of the router because they are recognized as previously NAT'ed packets based on their source and/or destination IPs. However, if your router was the original source, and packets are ultimately destined for the router itself, then they would pass through the filter table of the router.

diametralpitch

Posted 2017-05-19T08:37:59.133

Reputation: 588

Sorry, there are two inexact facts: packets will always pass through the filter table. What they won't always do is pass through the nat table. Only the first packet of a flow (seen as [NEW] when running conntrack -E) will pass through the nat table. Then there's a conntrack expectation entry that will short-circuit the nat table for all other packets matching it, because they are considered to be in the same flow. You can also explicitly choose to short-circuit most filter rules for this flow by using -m conntrack --ctstate ESTABLISHED -j ACCEPT in some or all of the filter chains. – A.B – 2017-10-15T03:57:50.440
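The following is an added model of the mechanism the answer and the comment above describe; it is not code from the question, the answer, or the Netfilter project. It shows why no DNAT rule is needed for the reply: conntrack stores the flow's original and reply tuples, only the first packet of a flow traverses the nat table (where MASQUERADE rewrites the source), and a matching reply is translated back from the stored entry in PREROUTING, before the routing decision. The addresses are the question's; the port numbers and the `Flow`, `ConnEntry` and `Router` names are constructed for this example.

```python
"""Constructed model of how Netfilter's connection tracking reverses
MASQUERADE for reply packets.  Added illustration, not kernel code.
Addresses are the ones from the question: router 192.0.2.5 (WAN) and
192.168.1.1 (LAN), internal host 192.168.1.100."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    """Five-tuple, the key conntrack uses in each direction."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class ConnEntry:
    original: Flow      # first packet of the flow, before any NAT
    reply: Flow         # what a reply must look like to match this entry
    state: str = "NEW"  # ESTABLISHED once a reply-direction packet is seen


class Router:
    EXT_IP, INT_IP, LAN_PREFIX = "192.0.2.5", "192.168.1.1", "192.168.1."

    def __init__(self):
        self.conntrack = {}         # Flow -> ConnEntry, keyed by both directions
        self.nat_table_packets = 0  # packets that actually traversed the nat table

    def _masquerade(self, pkt):
        """The only nat rule: -s 192.168.1.0/24 -o <wan> -j MASQUERADE."""
        if pkt.src.startswith(self.LAN_PREFIX) and not pkt.dst.startswith(self.LAN_PREFIX):
            return replace(pkt, src=self.EXT_IP)
        return pkt

    def receive(self, pkt):
        """Push one packet arriving on any interface through the hooks."""
        entry = self.conntrack.get(pkt)
        is_first = entry is None
        if is_first:
            # New flow: conntrack builds a tentative entry; only this packet
            # will consult the nat table (PREROUTING now, POSTROUTING later).
            entry = ConnEntry(original=pkt, reply=pkt.reverse())
            self.nat_table_packets += 1
            direction, out = "ORIGINAL", pkt        # no DNAT rule: unchanged
        elif pkt == entry.reply:
            # Reply to a tracked flow: the stored mapping is undone right here
            # in PREROUTING, before the routing decision, with no nat rule.
            entry.state = "ESTABLISHED"
            direction, out = "REPLY", entry.original.reverse()
        else:
            # Later packet in the original direction: reuse the stored mapping.
            direction, out = "ORIGINAL", entry.reply.reverse()

        # Routing decision: local delivery (INPUT) or forwarding (FORWARD)?
        if out.dst in (self.EXT_IP, self.INT_IP):
            chain = "INPUT"
        else:
            chain = "FORWARD"
            if is_first:
                # nat POSTROUTING runs for the first packet only; MASQUERADE
                # rewrites the source and conntrack records the reply tuple.
                out = self._masquerade(out)
                entry.reply = out.reverse()
        # conntrack confirms the entry once the packet has passed every hook
        self.conntrack[entry.original] = entry
        self.conntrack[entry.reply] = entry
        return {"chain": chain, "direction": direction,
                "state": entry.state, "packet": out}


def demo():
    """Constructed exchange: the LAN host queries 8.8.8.8, then the reply returns."""
    r = Router()
    request = Flow("udp", "192.168.1.100", 40000, "8.8.8.8", 53)
    reply = Flow("udp", "8.8.8.8", 53, "192.0.2.5", 40000)
    return r, [r.receive(request), r.receive(reply)]


if __name__ == "__main__":
    router, results = demo()
    for res in results:
        print(res["chain"], res["direction"], res["state"], res["packet"])
    print("packets that traversed the nat table:", router.nat_table_packets)
```

Running `demo()` shows the request leaving FORWARD with source 192.0.2.5 and the reply arriving as ESTABLISHED and already re-addressed to 192.168.1.100 before it reaches FORWARD, while the nat table was consulted for one packet only. On a real router, `conntrack -L` lists each entry as the same two tuples this model stores (the original direction with src=192.168.1.100 and the reply direction with dst=192.0.2.5), which is the mapping that makes the reverse translation possible without a DNAT rule.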