Friday, July 25, 2014

How to confirm that SNAT and MASQUERADE are using conntrack table to replace the destination IP address of the reply packet

http://superuser.com/questions/255705/internal-working-of-rules-in-forward-chain-for-nat

http://conntrack-tools.netfilter.org/conntrack.html

1)
This MASQUERADE target rule performs Source NAT: it replaces the source address of outgoing packets from 192.168.1.xxx with your public IP address, while at the same time recording the details of the NAT in the router's conntrack (connection tracking) table.

Because the details of the NAT are recorded, reply packets from the Internet are checked against that table. If the reply matches a conntrack entry, the packet undergoes an 'inverse NAT' (my term), i.e., its destination address (remember, this is a reply!) is replaced with the original sender's address (192.168.1.xxx).

2)
Install conntrack

#sudo apt-get install conntrack
http://conntrack-tools.netfilter.org/conntrack.html

3)
Some conntrack commands

a)
Flush conntrack table

#sudo conntrack -F

b)
Dump source NAT connection

#sudo conntrack -L --src-nat

c)
Display a real-time event log (the tool's -E option listens for conntrack events; -F would flush the table instead)

#sudo conntrack -E

d)
List connection tracking table

#sudo conntrack -L

4)
How to see entries in the connection tracking table for the NAT
a)
Add the SNAT target rule

#sudo iptables -t nat -A POSTROUTING -p icmp --dst 173.194.127.147 -j SNAT --to-source 10.0.2.15
OR
Add the MASQUERADE target rule
#sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

b)
ping to the destination IP

#sudo ip netns exec myns1 ping 173.194.127.147

c)
Dump source NAT connection

#sudo conntrack -L --src-nat

5)
How to confirm that, SNAT and MASQUERADE are using conntrack table to replace the destination IP address of the reply packet


a)
ping to the destination IP

#sudo ip netns exec myns1 ping 173.194.127.147

b)
Flush the conntrack table

#sudo conntrack -F
* Run this command continuously (in a loop) while the ping from step a) is running, so that the entry created by each echo request is gone before its reply arrives.

c)
Capture the packets on the interface that comes before the NATed interface (the internal side)

#sudo tshark -i veth0 icmp

* Here you can see that the reply packets for some request packets are missing.
* See the attached screenshot. There we can't see the reply packets for request packets 16 and 17.
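To make the mechanism behind sections 1, 4 and 5 concrete, here is an added example (not code from the original post) that parses conntrack -L style output and models the 'inverse NAT' lookup the kernel performs on a reply. The sample conntrack lines are constructed: 192.168.1.10 is an assumed internal host, 10.0.2.15 and 173.194.127.147 are the SNAT address and ping target from the post, and the TCP flow (93.184.216.34, ports 51234/443) is invented. The function names parse_conntrack and translate_reply are this example's own. Looking up the same reply against an empty table reproduces what happens after conntrack -F: no entry, no rewrite, and the internal host never sees the reply.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of `conntrack -L --src-nat` output (not captured from a real host).
# Each line carries two tuples: the original direction (first src=/dst=) and the
# reply direction (second src=/dst=). With SNAT/MASQUERADE the reply tuple's dst=
# is the router's NATed address (10.0.2.15 here), not the internal host.
SAMPLE_CONNTRACK = """\
icmp     1 29 src=192.168.1.10 dst=173.194.127.147 type=8 code=0 id=4711 src=173.194.127.147 dst=10.0.2.15 type=0 code=0 id=4711 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=10.0.2.15 sport=443 dport=51234 [ASSURED] mark=0 use=1
"""

# A packet is summarised as (proto, src, dst, src_port_or_icmp_id, dst_port_or_icmp_id).
Packet = Tuple[str, str, str, int, int]

TUPLE_RE = re.compile(
    r"src=(\S+) dst=(\S+)"
    r"(?: type=\d+ code=\d+ id=(\d+)| sport=(\d+) dport=(\d+))"
)


def _tuple_from_match(proto: str, m: re.Match) -> Packet:
    src, dst, icmp_id, sport, dport = m.groups()
    if proto == "icmp":
        # ICMP echo has no ports; the kernel matches replies on the echo id.
        return (proto, src, dst, int(icmp_id), int(icmp_id))
    return (proto, src, dst, int(sport), int(dport))


def parse_conntrack(text: str) -> Dict[Packet, Packet]:
    """Build a lookup table keyed by the reply-direction tuple, valued by the
    original-direction tuple, from `conntrack -L` style lines."""
    table: Dict[Packet, Packet] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        proto = line.split()[0]
        tuples = [_tuple_from_match(proto, m) for m in TUPLE_RE.finditer(line)]
        if len(tuples) != 2:
            continue  # not a flow line this toy parser understands
        orig, reply = tuples
        table[reply] = orig
    return table


def translate_reply(table: Dict[Packet, Packet], reply_pkt: Packet) -> Optional[Packet]:
    """Model the 'inverse NAT' applied to a reply arriving from the Internet.

    The reply is looked up by its own tuple (reply direction). On a hit, its
    destination address and port are rewritten to the original sender's
    address and port. With no matching entry (for example right after
    `conntrack -F`) nothing is rewritten, so the internal host never sees it,
    which is the missing-reply symptom seen in the veth0 capture."""
    orig = table.get(reply_pkt)
    if orig is None:
        return None
    proto, orig_src, _orig_dst, orig_sport, _orig_dport = orig
    _proto, reply_src, _reply_dst, reply_sport, _reply_dport = reply_pkt
    return (proto, reply_src, orig_src, reply_sport, orig_sport)


if __name__ == "__main__":
    table = parse_conntrack(SAMPLE_CONNTRACK)
    echo_reply = ("icmp", "173.194.127.147", "10.0.2.15", 4711, 4711)
    print("with conntrack entry :", translate_reply(table, echo_reply))
    print("after conntrack -F   :", translate_reply(parse_conntrack(""), echo_reply))
```

On a real router, feed the block the text of sudo conntrack -L --src-nat instead of SAMPLE_CONNTRACK; the reply tuple printed for each flow is exactly the header the kernel expects on the returning packet, and the original tuple's src= is where it will forward the de-NATed reply.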
