in iptables, does MASQUERADE match only on NEW connections (SYN packets)?











up vote
1
down vote

favorite












I observed that MASQUERADE target does not match on packets in the reply direction (in terms of netfilter conntrack).



I've a single simple -t nat -A POSTROUTING -s 10.a.0.0/16 -d 10.b.0.0/16 -j MASQUERADE rule, nothing else besides of ACCEPT policies on all chains, and it seems that



case 1) SYN packets of connection initialization attempts from 10.a/16 network get NAT-ed (this is OK), while



case 2) SYN/ACK packets again from 10.a/16 network (in response to SYN from 10.b/16, ie. the initiator is 10.b/16 in this case) do not get translated, but src address is kept as-is, simply routed.



I'm not sure is it the expected behaviour or i missed something? I mean I dont want it to behave any other way, everything seems working. but the documentation did not confirm to me that this is the factory-default behaviur of the MASQUERADE target.



Could you confirm it? thanks.










share|improve this question


























    up vote
    1
    down vote

    favorite












    I observed that MASQUERADE target does not match on packets in the reply direction (in terms of netfilter conntrack).



    I've a single simple -t nat -A POSTROUTING -s 10.a.0.0/16 -d 10.b.0.0/16 -j MASQUERADE rule, nothing else besides of ACCEPT policies on all chains, and it seems that



    case 1) SYN packets of connection initialization attempts from 10.a/16 network get NAT-ed (this is OK), while



    case 2) SYN/ACK packets again from 10.a/16 network (in response to SYN from 10.b/16, ie. the initiator is 10.b/16 in this case) do not get translated, but src address is kept as-is, simply routed.



    I'm not sure is it the expected behaviour or i missed something? I mean I dont want it to behave any other way, everything seems working. but the documentation did not confirm to me that this is the factory-default behaviur of the MASQUERADE target.



    Could you confirm it? thanks.










    share|improve this question
























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      I observed that MASQUERADE target does not match on packets in the reply direction (in terms of netfilter conntrack).



      I've a single simple -t nat -A POSTROUTING -s 10.a.0.0/16 -d 10.b.0.0/16 -j MASQUERADE rule, nothing else besides of ACCEPT policies on all chains, and it seems that



      case 1) SYN packets of connection initialization attempts from 10.a/16 network get NAT-ed (this is OK), while



      case 2) SYN/ACK packets again from 10.a/16 network (in response to SYN from 10.b/16, ie. the initiator is 10.b/16 in this case) do not get translated, but src address is kept as-is, simply routed.



      I'm not sure is it the expected behaviour or i missed something? I mean I dont want it to behave any other way, everything seems working. but the documentation did not confirm to me that this is the factory-default behaviur of the MASQUERADE target.



      Could you confirm it? thanks.










      share|improve this question













      I observed that MASQUERADE target does not match on packets in the reply direction (in terms of netfilter conntrack).



      I've a single simple -t nat -A POSTROUTING -s 10.a.0.0/16 -d 10.b.0.0/16 -j MASQUERADE rule, nothing else besides of ACCEPT policies on all chains, and it seems that



      case 1) SYN packets of connection initialization attempts from 10.a/16 network get NAT-ed (this is OK), while



      case 2) SYN/ACK packets again from 10.a/16 network (in response to SYN from 10.b/16, ie. the initiator is 10.b/16 in this case) do not get translated, but src address is kept as-is, simply routed.



      I'm not sure is it the expected behaviour or i missed something? I mean I dont want it to behave any other way, everything seems working. but the documentation did not confirm to me that this is the factory-default behaviur of the MASQUERADE target.



      Could you confirm it? thanks.







      iptables nat netfilter






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 29 at 9:52









      bandie

      464




      464






















          3 Answers
          3






          active

          oldest

          votes

















          up vote
          2
          down vote













          The identity of a TCP connection is defined by a set of four things:




          • the IP address of endpoint A

          • the IP address of endpoint B

          • the port number of endpoint A

          • the port number of endpoint B


          The TCP protocol standard says that if any of these four things are changed, the packet must not be considered part of the same connection. As a result, it makes no sense to start applying a NAT rule to a SYN/ACK packet if the initial SYN was also not NATted. You must either apply the same kind of NAT mapping for the entire connection from the start to finish, or not NAT it at all; any attempt to add or change a NAT mapping mid-connection will just cause the TCP connection to fail. This is a fundamental fact of the TCP protocol, and the Linux iptables/netfilter code is designed to take it into account.



          In your case 2), the SYN/ACK is preceded by a SYN from 10.b/16. That SYN has a source of 10.b/16, so it does not match the MASQUERADE rule and gets routed with addresses kept as-is. Then, if the SYN/ACK from 10.a/16 back to 10.b/16 would be translated, the sender of the original SYN would no longer recognize it as a response to its own SYN, as the source IP + destination IP + source port + destination port combination would be different from what is expected for a valid response.



          Essentially, the TCP protocol driver in the system that initiated the connection in 10.b/16 would then be thinking: "Sigh. The 10.a.connection.destination is not answering. And 10.b.NAT.system is bothering me with clearly spurious SYN/ACKs: I'm attempting to connect 10.a.connection.destination, not him. If I have time, I'll send a RST or two to 10.b.NAT.system; hopefully he realizes his mistake and stops bothering me."






          share|improve this answer





















          • it totally makes sense. knowning mechanism of NAT, I don't expect those syn/ack to be NATed. there's no malfunctioning in my cases. I only wish a credible statement that this is solely due to masquerade module and masquerade is smart enough and does take it into account. indeed it seems to do so.
            – bandie
            Nov 29 at 15:17


















          up vote
          1
          down vote













          MASQUERADE is just SNAT (source NAT) with the source of the outgoing interface (see man iptables-extensions.



          The connection attempt (the initial SYN) is NATed, and then the connection is tracked in the kernel ("conntrack"), and all packets in this connection are NATed in the appropriate direction.



          So yes, outgoing SYN/ACK answers to incoming SYNs won't get NATed by SNAT. If you want to NAT incoming SYNs, you need DNAT, not SNAT. This will then also NAT the SYN/ACK answers.






          share|improve this answer




























            up vote
            0
            down vote













            It happens, because when packet goes into oposite direction it's source is 10.b/24 and destination 10.a/24 which means, that it will not be handeled by your rule. You have to add two rules to make MASQUERADE happening:



            -t nat -A POSTROUTING -s 10.a.0.0/16 -d 10.b.0.0/16 -j MASQUERADE
            -t nat -A POSTROUTING -s 10.b.0.0/16 -d 10.a.0.0/16 -j MASQUERADE





            share|improve this answer





















            • in case 2, the conn initialized by subnet B. it's clear, but in the reply traffic packets' src address is still 10.a/16, so they should match by my masquerade rule. are not they? i suspect that masquerade module ignores packets in RELATED state, but this has to be confirmed.
              – bandie
              Nov 29 at 11:33











            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "106"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f484868%2fin-iptables-does-masquerade-match-only-on-new-connections-syn-packets%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            3 Answers
            3






            active

            oldest

            votes








            3 Answers
            3






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            2
            down vote













            The identity of a TCP connection is defined by a set of four things:




            • the IP address of endpoint A

            • the IP address of endpoint B

            • the port number of endpoint A

            • the port number of endpoint B


            The TCP protocol standard says that if any of these four things are changed, the packet must not be considered part of the same connection. As a result, it makes no sense to start applying a NAT rule to a SYN/ACK packet if the initial SYN was also not NATted. You must either apply the same kind of NAT mapping for the entire connection from the start to finish, or not NAT it at all; any attempt to add or change a NAT mapping mid-connection will just cause the TCP connection to fail. This is a fundamental fact of the TCP protocol, and the Linux iptables/netfilter code is designed to take it into account.



            In your case 2), the SYN/ACK is preceded by a SYN from 10.b/16. That SYN has a source of 10.b/16, so it does not match the MASQUERADE rule and gets routed with addresses kept as-is. Then, if the SYN/ACK from 10.a/16 back to 10.b/16 would be translated, the sender of the original SYN would no longer recognize it as a response to its own SYN, as the source IP + destination IP + source port + destination port combination would be different from what is expected for a valid response.



            Essentially, the TCP protocol driver in the system that initiated the connection in 10.b/16 would then be thinking: "Sigh. The 10.a.connection.destination is not answering. And 10.b.NAT.system is bothering me with clearly spurious SYN/ACKs: I'm attempting to connect 10.a.connection.destination, not him. If I have time, I'll send a RST or two to 10.b.NAT.system; hopefully he realizes his mistake and stops bothering me."






            share|improve this answer





















            • it totally makes sense. knowning mechanism of NAT, I don't expect those syn/ack to be NATed. there's no malfunctioning in my cases. I only wish a credible statement that this is solely due to masquerade module and masquerade is smart enough and does take it into account. indeed it seems to do so.
              – bandie
              Nov 29 at 15:17















            up vote
            2
            down vote













            The identity of a TCP connection is defined by a set of four things:




            • the IP address of endpoint A

            • the IP address of endpoint B

            • the port number of endpoint A

            • the port number of endpoint B


            The TCP protocol standard says that if any of these four things are changed, the packet must not be considered part of the same connection. As a result, it makes no sense to start applying a NAT rule to a SYN/ACK packet if the initial SYN was also not NATted. You must either apply the same kind of NAT mapping for the entire connection from the start to finish, or not NAT it at all; any attempt to add or change a NAT mapping mid-connection will just cause the TCP connection to fail. This is a fundamental fact of the TCP protocol, and the Linux iptables/netfilter code is designed to take it into account.



            In your case 2), the SYN/ACK is preceded by a SYN from 10.b/16. That SYN has a source of 10.b/16, so it does not match the MASQUERADE rule and gets routed with addresses kept as-is. Then, if the SYN/ACK from 10.a/16 back to 10.b/16 would be translated, the sender of the original SYN would no longer recognize it as a response to its own SYN, as the source IP + destination IP + source port + destination port combination would be different from what is expected for a valid response.



            Essentially, the TCP protocol driver in the system that initiated the connection in 10.b/16 would then be thinking: "Sigh. The 10.a.connection.destination is not answering. And 10.b.NAT.system is bothering me with clearly spurious SYN/ACKs: I'm attempting to connect 10.a.connection.destination, not him. If I have time, I'll send a RST or two to 10.b.NAT.system; hopefully he realizes his mistake and stops bothering me."






            share|improve this answer





















            • it totally makes sense. knowning mechanism of NAT, I don't expect those syn/ack to be NATed. there's no malfunctioning in my cases. I only wish a credible statement that this is solely due to masquerade module and masquerade is smart enough and does take it into account. indeed it seems to do so.
              – bandie
              Nov 29 at 15:17













            up vote
            2
            down vote










            up vote
            2
            down vote









            The identity of a TCP connection is defined by a set of four things:




            • the IP address of endpoint A

            • the IP address of endpoint B

            • the port number of endpoint A

            • the port number of endpoint B


            The TCP protocol standard says that if any of these four things are changed, the packet must not be considered part of the same connection. As a result, it makes no sense to start applying a NAT rule to a SYN/ACK packet if the initial SYN was also not NATted. You must either apply the same kind of NAT mapping for the entire connection from the start to finish, or not NAT it at all; any attempt to add or change a NAT mapping mid-connection will just cause the TCP connection to fail. This is a fundamental fact of the TCP protocol, and the Linux iptables/netfilter code is designed to take it into account.



            In your case 2), the SYN/ACK is preceded by a SYN from 10.b/16. That SYN has a source of 10.b/16, so it does not match the MASQUERADE rule and gets routed with addresses kept as-is. Then, if the SYN/ACK from 10.a/16 back to 10.b/16 would be translated, the sender of the original SYN would no longer recognize it as a response to its own SYN, as the source IP + destination IP + source port + destination port combination would be different from what is expected for a valid response.



            Essentially, the TCP protocol driver in the system that initiated the connection in 10.b/16 would then be thinking: "Sigh. The 10.a.connection.destination is not answering. And 10.b.NAT.system is bothering me with clearly spurious SYN/ACKs: I'm attempting to connect 10.a.connection.destination, not him. If I have time, I'll send a RST or two to 10.b.NAT.system; hopefully he realizes his mistake and stops bothering me."






            share|improve this answer












            The identity of a TCP connection is defined by a set of four things:




            • the IP address of endpoint A

            • the IP address of endpoint B

            • the port number of endpoint A

            • the port number of endpoint B


            The TCP protocol standard says that if any of these four things are changed, the packet must not be considered part of the same connection. As a result, it makes no sense to start applying a NAT rule to a SYN/ACK packet if the initial SYN was also not NATted. You must either apply the same kind of NAT mapping for the entire connection from the start to finish, or not NAT it at all; any attempt to add or change a NAT mapping mid-connection will just cause the TCP connection to fail. This is a fundamental fact of the TCP protocol, and the Linux iptables/netfilter code is designed to take it into account.



            In your case 2), the SYN/ACK is preceded by a SYN from 10.b/16. That SYN has a source of 10.b/16, so it does not match the MASQUERADE rule and gets routed with addresses kept as-is. Then, if the SYN/ACK from 10.a/16 back to 10.b/16 would be translated, the sender of the original SYN would no longer recognize it as a response to its own SYN, as the source IP + destination IP + source port + destination port combination would be different from what is expected for a valid response.



            Essentially, the TCP protocol driver in the system that initiated the connection in 10.b/16 would then be thinking: "Sigh. The 10.a.connection.destination is not answering. And 10.b.NAT.system is bothering me with clearly spurious SYN/ACKs: I'm attempting to connect 10.a.connection.destination, not him. If I have time, I'll send a RST or two to 10.b.NAT.system; hopefully he realizes his mistake and stops bothering me."







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Nov 29 at 11:55









            telcoM

            15.2k12143




            15.2k12143












            • it totally makes sense. knowning mechanism of NAT, I don't expect those syn/ack to be NATed. there's no malfunctioning in my cases. I only wish a credible statement that this is solely due to masquerade module and masquerade is smart enough and does take it into account. indeed it seems to do so.
              – bandie
              Nov 29 at 15:17


















            • it totally makes sense. knowning mechanism of NAT, I don't expect those syn/ack to be NATed. there's no malfunctioning in my cases. I only wish a credible statement that this is solely due to masquerade module and masquerade is smart enough and does take it into account. indeed it seems to do so.
              – bandie
              Nov 29 at 15:17
















            it totally makes sense. knowning mechanism of NAT, I don't expect those syn/ack to be NATed. there's no malfunctioning in my cases. I only wish a credible statement that this is solely due to masquerade module and masquerade is smart enough and does take it into account. indeed it seems to do so.
            – bandie
            Nov 29 at 15:17




            it totally makes sense. knowning mechanism of NAT, I don't expect those syn/ack to be NATed. there's no malfunctioning in my cases. I only wish a credible statement that this is solely due to masquerade module and masquerade is smart enough and does take it into account. indeed it seems to do so.
            – bandie
            Nov 29 at 15:17












            up vote
            1
            down vote













            MASQUERADE is just SNAT (source NAT) with the source of the outgoing interface (see man iptables-extensions.



            The connection attempt (the initial SYN) is NATed, and then the connection is tracked in the kernel ("conntrack"), and all packets in this connection are NATed in the appropriate direction.



            So yes, outgoing SYN/ACK answers to incoming SYNs won't get NATed by SNAT. If you want to NAT incoming SYNs, you need DNAT, not SNAT. This will then also NAT the SYN/ACK answers.






            share|improve this answer

























              up vote
              1
              down vote













              MASQUERADE is just SNAT (source NAT) with the source of the outgoing interface (see man iptables-extensions.



              The connection attempt (the initial SYN) is NATed, and then the connection is tracked in the kernel ("conntrack"), and all packets in this connection are NATed in the appropriate direction.



              So yes, outgoing SYN/ACK answers to incoming SYNs won't get NATed by SNAT. If you want to NAT incoming SYNs, you need DNAT, not SNAT. This will then also NAT the SYN/ACK answers.






              share|improve this answer























                up vote
                1
                down vote










                up vote
                1
                down vote









                MASQUERADE is just SNAT (source NAT) with the source of the outgoing interface (see man iptables-extensions.



                The connection attempt (the initial SYN) is NATed, and then the connection is tracked in the kernel ("conntrack"), and all packets in this connection are NATed in the appropriate direction.



                So yes, outgoing SYN/ACK answers to incoming SYNs won't get NATed by SNAT. If you want to NAT incoming SYNs, you need DNAT, not SNAT. This will then also NAT the SYN/ACK answers.






                share|improve this answer












                MASQUERADE is just SNAT (source NAT) with the source of the outgoing interface (see man iptables-extensions.



                The connection attempt (the initial SYN) is NATed, and then the connection is tracked in the kernel ("conntrack"), and all packets in this connection are NATed in the appropriate direction.



                So yes, outgoing SYN/ACK answers to incoming SYNs won't get NATed by SNAT. If you want to NAT incoming SYNs, you need DNAT, not SNAT. This will then also NAT the SYN/ACK answers.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 29 at 16:10









                dirkt

                16.4k21335




                16.4k21335






















                    up vote
                    0
                    down vote













                    It happens, because when packet goes into oposite direction it's source is 10.b/24 and destination 10.a/24 which means, that it will not be handeled by your rule. You have to add two rules to make MASQUERADE happening:



                    -t nat -A POSTROUTING -s 10.a.0.0/16 -d 10.b.0.0/16 -j MASQUERADE
                    -t nat -A POSTROUTING -s 10.b.0.0/16 -d 10.a.0.0/16 -j MASQUERADE





                    share|improve this answer





















                    • in case 2, the conn initialized by subnet B. it's clear, but in the reply traffic packets' src address is still 10.a/16, so they should match by my masquerade rule. are not they? i suspect that masquerade module ignores packets in RELATED state, but this has to be confirmed.
                      – bandie
                      Nov 29 at 11:33















                    up vote
                    0
                    down vote













                    It happens, because when packet goes into oposite direction it's source is 10.b/24 and destination 10.a/24 which means, that it will not be handeled by your rule. You have to add two rules to make MASQUERADE happening:



                    -t nat -A POSTROUTING -s 10.a.0.0/16 -d 10.b.0.0/16 -j MASQUERADE
                    -t nat -A POSTROUTING -s 10.b.0.0/16 -d 10.a.0.0/16 -j MASQUERADE





                    share|improve this answer





















                    • in case 2, the conn initialized by subnet B. it's clear, but in the reply traffic packets' src address is still 10.a/16, so they should match by my masquerade rule. are not they? i suspect that masquerade module ignores packets in RELATED state, but this has to be confirmed.
                      – bandie
                      Nov 29 at 11:33













                    up vote
                    0
                    down vote










                    up vote
                    0
                    down vote









                    It happens, because when packet goes into oposite direction it's source is 10.b/24 and destination 10.a/24 which means, that it will not be handeled by your rule. You have to add two rules to make MASQUERADE happening:



                    -t nat -A POSTROUTING -s 10.a.0.0/16 -d 10.b.0.0/16 -j MASQUERADE
                    -t nat -A POSTROUTING -s 10.b.0.0/16 -d 10.a.0.0/16 -j MASQUERADE





                    share|improve this answer












                    It happens, because when packet goes into oposite direction it's source is 10.b/24 and destination 10.a/24 which means, that it will not be handeled by your rule. You have to add two rules to make MASQUERADE happening:



                    -t nat -A POSTROUTING -s 10.a.0.0/16 -d 10.b.0.0/16 -j MASQUERADE
                    -t nat -A POSTROUTING -s 10.b.0.0/16 -d 10.a.0.0/16 -j MASQUERADE






                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered Nov 29 at 10:50









                    Alexander

                    1,016113




                    1,016113












                    • in case 2, the conn initialized by subnet B. it's clear, but in the reply traffic packets' src address is still 10.a/16, so they should match by my masquerade rule. are not they? i suspect that masquerade module ignores packets in RELATED state, but this has to be confirmed.
                      – bandie
                      Nov 29 at 11:33


















                    • in case 2, the conn initialized by subnet B. it's clear, but in the reply traffic packets' src address is still 10.a/16, so they should match by my masquerade rule. are not they? i suspect that masquerade module ignores packets in RELATED state, but this has to be confirmed.
                      – bandie
                      Nov 29 at 11:33
















                    in case 2, the conn initialized by subnet B. it's clear, but in the reply traffic packets' src address is still 10.a/16, so they should match by my masquerade rule. are not they? i suspect that masquerade module ignores packets in RELATED state, but this has to be confirmed.
                    – bandie
                    Nov 29 at 11:33




                    in case 2, the conn initialized by subnet B. it's clear, but in the reply traffic packets' src address is still 10.a/16, so they should match by my masquerade rule. are not they? i suspect that masquerade module ignores packets in RELATED state, but this has to be confirmed.
                    – bandie
                    Nov 29 at 11:33


















                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Unix & Linux Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.





                    Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                    Please pay close attention to the following guidance:


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f484868%2fin-iptables-does-masquerade-match-only-on-new-connections-syn-packets%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Morgemoulin

                    Scott Moir

                    Souastre