RE: [SLUG] How do I see iptables NAT table?

From: Ken Billings (mrcoffee69@email.com)
Date: Thu Dec 13 2001 - 08:15:07 EST


LOL, I answered your question in the same way yesterday, before I realized
what you were really asking. Too bad both of my messages came from the
wrong account.

If you have the /proc filesystem enabled, the file /proc/net/ip_conntrack is
what you're looking for. Keep in mind that this file shows all tracked
connections, not just the NATed ones. The address list is quite different
from the Cisco one you have. The first src/dst address pair are the
original request (no NAT addresses), and the second is where the expected
future connections will go (after NAT). Here's a snip from a connection
someone made to my internal webserver. This is all one line:

tcp 6 262996 ESTABLISHED src=208.238.142.23 dst=65.35.xx.xx sport=1987
dport=80 /
src=192.168.xx.xx dst=208.238.142.23 sport=80 dport=1987 [ASSURED] use=1

Note that the file has no concept of "internal" or "external". The original
connection comes first, and the original reply second; i.e. for TCP, the
<SYN> is first, and the <SYN,ACK> is listed second. From that point on, any
communication on that established connection is tracked and NATed based on
the single listing above. Am I making any sense? It's too early in the
morning for me. :)

-Ken
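As an added example (not part of Ken's or Greg's messages), the script below reads the two-tuple entries Ken describes and prints them as a Cisco-style translation table, which is what Greg was after. The sample lines are constructed with documentation address ranges, not captured from a real box; the classification rule (SNAT if the original source differs from the reply destination, DNAT if the original destination differs from the reply source) follows directly from the "original first, reply second" layout described above.

```python
"""Turn /proc/net/ip_conntrack entries into a NAT translation table.

Each conntrack line carries two address tuples: the original direction
(the packet that opened the connection, before NAT) and the reply
direction (where replies are expected to come from and go to, after NAT).
Comparing the two reveals which address or port was rewritten.
"""
import re

L4_PROTOCOLS = {"tcp", "udp", "icmp", "gre", "esp", "ah", "sctp", "unknown"}
KEY_VALUE = re.compile(r"(\w+)=(\S+)")
FLAG = re.compile(r"\[(\w+)\]")

# Constructed sample entries (documentation address ranges, not real hosts):
#  1. an inbound connection to an internal web server that was port-forwarded
#     (DNAT), mirroring the line quoted in the message above;
#  2. an outbound DNS query that was masqueraded (SNAT);
#  3. a forwarded connection with no translation at all.
SAMPLE_CONNTRACK = """\
tcp      6 262996 ESTABLISHED src=198.51.100.23 dst=203.0.113.5 sport=1987 dport=80 src=192.168.1.10 dst=198.51.100.23 sport=80 dport=1987 [ASSURED] use=1
udp      17 29 src=192.168.1.20 dst=192.0.2.53 sport=64012 dport=53 src=192.0.2.53 dst=203.0.113.5 sport=53 dport=64012 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.30 dst=192.168.2.40 sport=5000 dport=22 src=192.168.2.40 dst=192.168.1.30 sport=22 dport=5000 [ASSURED] use=1
"""


def parse_entry(line):
    """Split one conntrack line into its original and reply (src, sport, dst, dport) tuples."""
    tokens = line.split()
    proto = next((t for t in tokens if t in L4_PROTOCOLS), None)
    if proto is None:
        raise ValueError("no L4 protocol in conntrack line: %r" % line)
    values = {}
    for key, value in KEY_VALUE.findall(line):
        values.setdefault(key, []).append(value)
    if len(values.get("src", [])) < 2 or len(values.get("dst", [])) < 2:
        raise ValueError("conntrack line lacks two address tuples: %r" % line)
    # Ports are absent for protocols such as GRE/ESP; ICMP uses type/code/id instead,
    # so pad with None rather than fail.
    sports = values.get("sport", []) + [None, None]
    dports = values.get("dport", []) + [None, None]
    return {
        "proto": proto,
        "orig": (values["src"][0], sports[0], values["dst"][0], dports[0]),
        "reply": (values["src"][1], sports[1], values["dst"][1], dports[1]),
        "flags": FLAG.findall(line),  # e.g. ASSURED, UNREPLIED
    }


def nat_kind(entry):
    """Classify the translation by comparing the original tuple with the reversed reply tuple.

    In the original direction a packet leaves osrc for odst. The reply tuple shows
    what that packet looked like after NAT: replies will travel from rsrc back to
    rdst, so post-NAT source == rdst and post-NAT destination == rsrc.
    """
    osrc, osport, odst, odport = entry["orig"]
    rsrc, rsport, rdst, rdport = entry["reply"]
    kinds = []
    if (osrc, osport) != (rdst, rdport):
        kinds.append("SNAT")  # source rewritten (e.g. MASQUERADE)
    if (odst, odport) != (rsrc, rsport):
        kinds.append("DNAT")  # destination rewritten (e.g. port forward)
    return "+".join(kinds) if kinds else "none"


def endpoint(addr, port):
    return addr if port is None else "%s:%s" % (addr, port)


def translation_rows(text):
    """Build (proto, orig src, orig dst, post-NAT src, post-NAT dst, kind) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        osrc, osport, odst, odport = e["orig"]
        rsrc, rsport, rdst, rdport = e["reply"]
        rows.append((e["proto"],
                     endpoint(osrc, osport), endpoint(odst, odport),
                     endpoint(rdst, rdport), endpoint(rsrc, rsport),
                     nat_kind(e)))
    return rows


def format_table(rows):
    """Render rows with aligned columns, in the spirit of 'sh ip nat tr'."""
    header = ("Pro", "Orig src", "Orig dst", "Post-NAT src", "Post-NAT dst", "NAT")
    all_rows = [header] + rows
    widths = [max(len(str(r[i])) for r in all_rows) for i in range(len(header))]
    return "\n".join("  ".join(str(c).ljust(w) for c, w in zip(r, widths))
                     for r in all_rows)


def load_conntrack(path="/proc/net/ip_conntrack"):
    """Read the live table; on later kernels the same key=value layout is in /proc/net/nf_conntrack."""
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    print(format_table(translation_rows(SAMPLE_CONNTRACK)))
```

Run it against the live file with `format_table(translation_rows(load_conntrack()))` as root. Because conntrack has no notion of inside or outside, the table is labelled by direction (original versus post-NAT) rather than by Cisco's inside/outside columns; the NAT column tells you which side was rewritten.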

-----Original Message-----
From: slug@lists.nks.net [mailto:slug@lists.nks.net]On Behalf Of Greg Schmidt
Sent: Thursday, December 13, 2001 05:34 AM
To: slug@nks.net
Subject: Re: [SLUG] How do I see iptables NAT table?

You answered the question I asked. That is indeed how to see the nat table,
but I asked the wrong question. Let me try again.

For instance, on a Cisco router I can type "sh ip nat tr" for "SHow me the IP
NAT TRanslation table" (more generic use of the word table), and it spits to
the console something like:

Pro  Inside global     Inside local          Outside local    Outside global
tcp  65.35.x.x:2679    192.168.250.33:2624   207.46.x.x:80    207.46.x.x:80
udp  65.35.x.x:64012   192.168.250.20:64012  192.112.x.x:53   192.112.x.x:53

The above list can get pretty long, not just two lines. But it shows the
"table" of translations, addy for addy, port for port, that it is making to
be able to do NAT.

Can I get similar information out of my Linux box?

This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:12:24 EDT