This is my first post in the linux forum.
I hope you can help me:
I use iptables rules to manage the connections from the Internet to my local network. I know how to filter, do NAT, etc.
But these days I'm trying to do NAT on connections that are already established. The problem is (as far as I know) that the packets which pass through the nat table are only the SYN packets (once), thus, the packets that are used to create a NEW connection.
After the connection is created, the maintenance and the resolution of the SNAT and DNAT are kept until the connection finishes.
What I'm wondering is: how can I change the ports or IPs of an already established connection if my packets only go through the nat table at connection time?
Maybe by doing packet replication, since those packets are redirected to another machine?
I read this in http://svn.gnumonks.org/trunk/netfil...ls/doc/nat.txt
- NEW (and RELATED non-icmp)
This is a very important part relevant for understanding the whole NAT
subsystem. Only if the packet has the state NEW (i.e. it would establish
a new connection, if we'd accept it), the NAT table is traversed by
calling ip_nat_rule.c:ip_nat_rule_find(), which in turn calls
ip_tables.c:ipt_do_table() for the actual IP table traversal. The traversal
ends up in either ACCEPTing the packet as it is, or one of the nat targets
(SNAT, DNAT and if loaded: REDIRECT, MASQUERADE) Please see
chapter FIXME for further description of those targets.
- ESTABLISHED
This packet belongs to an already established connection. We don't need
to traverse the NAT table again, as the necessary information
(struct ip_nat_info) was already gained as the first packet of this
connection entered the NEW case above. We just use what's in
the struct ip_conntrack.nat.info.
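
The behaviour described in the quoted nat.txt passage, modelled as a short Python sketch (an added example, not part of the original post and not netfilter code): the rule table is consulted only for the first packet of a flow, and every later packet, in either direction, reuses the mapping stored with the connection-tracking entry. The class `Nat`, its fields and all addresses and ports are constructed for illustration.

```python
# Toy model of the NEW / ESTABLISHED handling quoted above (not kernel code).
# All addresses, ports and names are constructed for illustration.

class Nat:
    def __init__(self):
        self.dnat_rules = {}   # (dst_ip, dst_port) -> (new_ip, new_port): the "nat table"
        self.conntrack = {}    # 4-tuple as seen on the wire -> 4-tuple to rewrite it to
        self.rule_lookups = 0  # how many times the nat table was traversed

    def forward(self, src, sport, dst, dport):
        """Pass one packet through the model and return its rewritten 4-tuple."""
        pkt = (src, sport, dst, dport)
        if pkt in self.conntrack:
            # ESTABLISHED: reuse the stored mapping, the rules are not consulted
            return self.conntrack[pkt]
        # NEW: the only point at which the nat table is traversed
        self.rule_lookups += 1
        new_dst, new_dport = self.dnat_rules.get((dst, dport), (dst, dport))
        out = (src, sport, new_dst, new_dport)
        self.conntrack[pkt] = out
        # Replies come from the translated address and are rewritten back
        self.conntrack[(new_dst, new_dport, src, sport)] = (dst, dport, src, sport)
        return out


def demo():
    nat = Nat()
    nat.dnat_rules[("203.0.113.1", 80)] = ("192.168.0.10", 8080)
    client = ("198.51.100.7", 40000, "203.0.113.1", 80)
    first = nat.forward(*client)  # first packet, state NEW
    reply = nat.forward("192.168.0.10", 8080, "198.51.100.7", 40000)
    # The rule is changed while the connection is still open
    nat.dnat_rules[("203.0.113.1", 80)] = ("192.168.0.20", 8080)
    later = nat.forward(*client)  # same flow, state ESTABLISHED
    fresh = nat.forward("198.51.100.7", 40001, "203.0.113.1", 80)  # new flow
    return first, reply, later, fresh, nat.rule_lookups


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The established flow keeps going to the old target after the rule change; only the flow opened afterwards picks up the new one.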