
Setup of different types of NAT
Hello everyone

I want to know *how to* set up these types of NAT:
- Full Cone NAT
- Restricted Cone NAT
- Port Restricted Cone NAT
- Symmetric NAT

Using iptables, I set all policies to "ACCEPT" and I was able to set up
two kinds of NAT:
(192.168.2.170 is my "public" address and 10.0.0.1 is my "private" address)

- "Full Cone NAT", with the following rules:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.2.170
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 10.0.0.1

- "Port Restricted Cone NAT", with just a single rule:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.2.170

Now does anyone know how to setup Restricted Cone NAT and Symmetric NAT?

Thanks in advance
Pedro
Re: Setup of different types of NAT
Hi Pedro,
what is Cone? Some abbreviation or what else?
Please, for clarity, describe what you want to achieve
using NAT.

Regards

Elvir Kuric

Re: Setup of different types of NAT
Hi Elvir

Sorry if the terms I used are not familiar to everyone.
The types of NAT I am talking about are defined by STUN RFC 3489
(http://www.faqs.org/rfcs/rfc3489.html, section 5):
(...)

Full Cone: A full cone NAT is one where all requests from the
same internal IP address and port are mapped to the same external
IP address and port. Furthermore, any external host can send a
packet to the internal host, by sending a packet to the mapped
external address.

Restricted Cone: A restricted cone NAT is one where all requests
from the same internal IP address and port are mapped to the same
external IP address and port. Unlike a full cone NAT, an external
host (with IP address X) can send a packet to the internal host
only if the internal host had previously sent a packet to IP
address X.

Port Restricted Cone: A port restricted cone NAT is like a
restricted cone NAT, but the restriction includes port numbers.
Specifically, an external host can send a packet, with source IP
address X and source port P, to the internal host only if the
internal host had previously sent a packet to IP address X and
port P.

Symmetric: A symmetric NAT is one where all requests from the
same internal IP address and port, to a specific destination IP
address and port, are mapped to the same external IP address and
port. If the same host sends a packet with the same source
address and port, but to a different destination, a different
mapping is used. Furthermore, only the external host that
receives a packet can send a UDP packet back to the internal host.

(...)

I just want to know how to set up Symmetric NAT.

Thanks in advance
Pedro


Re: Setup of different types of NAT
> Symmetric: A symmetric NAT is one where all requests from the
> same internal IP address and port, to a specific destination IP
> address and port, are mapped to the same external IP address and
> port. If the same host sends a packet with the same source
> address and port, but to a different destination, a different
> mapping is used. Furthermore, only the external host that
> receives a packet can send a UDP packet back to the internal host.
>
> (...)
>
> I just want to know how to setup Symmetric NAT
>
You can set up that symmetric NAT as follows:

iptables -t nat -A POSTROUTING -p udp -s x.x.x.x --sport aaaa -d y.y.y.y --dport bbbb -j SNAT --to-source z.z.z.z
iptables -t nat -A POSTROUTING -p udp -s x.x.x.x --sport aaaa -d 0.0.0.0/0 --dport bbbb -j MASQUERADE



I think these two rules can provide the service you want.

According to your own taste and requirements, you can specify the source
port and destination port, or not.

If you do not specify them, the translation will occur for all ports,
while keeping your idea of one translation specific to one destination
and another for all other destinations.



Denis Anjos.


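The four RFC 3489 section 5 behaviours Pedro quoted, and the per-destination mapping that Denis's first SNAT rule produces, modelled as an added example (this is not code from the thread and not iptables): a toy NAT where the symmetric case keys its mapping on the destination and each type applies its own inbound filter. It reuses Pedro's 192.168.2.170 and 10.0.0.1; the STUN-style server addresses are constructed.

```python
from itertools import count

FULL_CONE, RESTRICTED_CONE, PORT_RESTRICTED_CONE, SYMMETRIC = range(4)


class Nat:
    """Toy model of one RFC 3489 section 5 NAT type (constructed, not iptables)."""
    def __init__(self, kind, public_ip="192.168.2.170"):
        self.kind = kind
        self.public_ip = public_ip   # Pedro's "public" address
        self.ports = count(1024)     # external ports handed out in order
        self.mappings = {}           # key -> (external ip, external port)
        self.seen = set()            # (ext port, remote ip, remote port) sent to

    def outbound(self, src, dst):
        """Inside host src=(ip, port) sends to dst=(ip, port); returns external (ip, port)."""
        # Symmetric NAT keys the mapping on the destination too, like a per-destination SNAT rule.
        key = (src, dst) if self.kind == SYMMETRIC else src
        if key not in self.mappings:
            self.mappings[key] = (self.public_ip, next(self.ports))
        ext = self.mappings[key]
        self.seen.add((ext[1], dst[0], dst[1]))
        return ext

    def inbound(self, remote, ext_port):
        """Remote (ip, port) sends to public_ip:ext_port; returns inside (ip, port) or None."""
        owners = [k for k, v in self.mappings.items() if v[1] == ext_port]
        if not owners:
            return None              # no mapping yet: every type drops it
        if self.kind == FULL_CONE:
            allowed = True           # any external host may use the mapping
        elif self.kind == RESTRICTED_CONE:
            allowed = any(p == ext_port and ip == remote[0] for p, ip, _ in self.seen)
        else:                        # port restricted cone and symmetric: ip and port
            allowed = (ext_port, remote[0], remote[1]) in self.seen
        if not allowed:
            return None
        return owners[0][0] if self.kind == SYMMETRIC else owners[0]


def probe(kind):
    """STUN-style probe: talk to two servers, then see who can reach the inside host."""
    nat, inside = Nat(kind), ("10.0.0.1", 5000)   # Pedro's "private" host
    server_a, server_b = ("203.0.113.10", 3478), ("203.0.113.20", 3478)
    ext_a, ext_b = nat.outbound(inside, server_a), nat.outbound(inside, server_b)
    return {
        "same_mapping": ext_a == ext_b,            # False only for symmetric
        "from_a": nat.inbound(server_a, ext_a[1]) is not None,
        "from_a_other_port": nat.inbound(("203.0.113.10", 9999), ext_a[1]) is not None,
        "from_stranger": nat.inbound(("198.51.100.7", 1111), ext_a[1]) is not None,
    }
```

Running `probe` for each of the four kinds reproduces the classification matrix a STUN client derives: only the symmetric NAT hands out a different external port per destination, and the three filters differ in who is allowed back in.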
Re: Setup of different types of NAT
Hello,

Pedro Gonçalves wrote:
>
> I want to know *how to* set up these types of NAT:
> - Full Cone NAT
> - Restricted Cone NAT
> - Port Restricted Cone NAT
> - Symmetric NAT

Again ? I thought I already answered the last time you asked.

> Using iptables, I set all policies to "ACCEPT" and I was able to set up
> two kinds of NAT:
> (192.168.2.170 is my "public" address and 10.0.0.1 is my "private" address)
[...]
> - "Port Restricted Cone NAT", with just a single rule:
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.2.170

This is "symmetric NAT", not "restricted cone NAT".

> Now does anyone know how to setup Restricted Cone NAT and Symmetric NAT?

AFAIK, you cannot do "restricted cone NAT" nor "port restricted cone
NAT" with the stock Netfilter/iptables. It would require dedicated
conntrack and NAT helper modules.
Re: Setup of different types of NAT
>> I want to know *how to* set up these types of NAT:
>> - Full Cone NAT
>> - Restricted Cone NAT
>> - Port Restricted Cone NAT
>> - Symmetric NAT
>
> Again ? I thought I already answered the last time you asked.
I couldn't solve the problem with the help you gave, so I had to try it
once again.
Besides, the last time I talked about types of NAT some people said it
was possible to create those NATs, others said it was impossible, but no
one told *how to* implement any kind of NAT.

>> Using iptables, I set all policies to "ACCEPT" and I was able to
>> set up two kinds of NAT:
>> (192.168.2.170 is my "public" address and 10.0.0.1 is my "private"
>> address)
> [...]
>> - "Port Restricted Cone NAT", with just a single rule:
>> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source
>> 192.168.2.170
>
> This is "symmetric NAT", not "restricted cone NAT".
At least with the version of iptables I have (1.3.0), all STUN clients I
tried told me that it was a "Port Restricted Cone NAT".

>
>> Now does anyone know how to setup Restricted Cone NAT and Symmetric NAT?
>
> AFAIK, you cannot do "restricted cone NAT" nor "port restricted cone
> NAT" with the stock Netfilter/iptables. It would require dedicated
> conntrack and NAT helper modules.
At least with the version of iptables I have (1.3.0), I can implement
"Port Restricted Cone NAT" with just one rule and I can implement a
"hardcoded" "Restricted Cone NAT" (I say it's hardcoded because it only
works for one host behind the NAT).

So, as you can see, we disagree in our opinions.
However, if you want to test your NAT types with STUN, I recommend
JSTUN's client (http://jstun.javawi.de/).

Best Regards
Pedro