Hi,
I played with NAT today. Are my assumptions correct:
- NAT rules match only against connection-state=new packets? Maybe that's the reason there is no connection-state matcher within NAT rules?
- User-defined NAT rules are applied only on the initial way to the destination, not on the returning packets (the "NAT undo operation" during connection tracking is not user-editable)?
- When exposing a LAN server to the WAN via a DNAT rule, the traffic matches only this DNAT rule. The general SNAT rule (for all LAN-to-WAN traffic) does NOT match, because then a user-defined NAT rule would match against a returning packet.
I tried whether I can "fool" NAT: I created a RAW rule to "no track" the frames to the server and catch the returning frames with a NAT rule. I tested with plain HTTP, and HTTP worked as I thought (this NAT rule matched against the returning packets). But not for the initial SYN+ACK. The TCP handshake was not NAT-treated even with the RAW no-track rule. It seems there is still some "magic" in between.
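Added example, not code from the post above: a small Python model of the stateful NAT behaviour the three bullets describe (a conntrack table plus dstnat/srcnat rule chains). Only the first packet of a connection walks the NAT rules; the resulting translation is stored in the conntrack entry, and every later packet of that connection, in either direction, is rewritten from the entry without any rule lookup. The addresses, ports, rule definitions and the `Router`/`NatRule` names are invented sample values for this illustration; the model does not cover the RAW no-track experiment, TCP state tracking or entry timeouts.

```python
"""Constructed model of a stateful NAT engine: a conntrack table plus
dstnat/srcnat rule chains. Only the first packet of a connection (state
"new") walks the NAT rules; the translation is stored in the conntrack
entry, and every later packet in either direction is rewritten from that
entry without any rule lookup. All addresses, ports and rules are sample
values invented for this example."""
from dataclasses import dataclass, replace
from typing import Callable

WAN_IP = "203.0.113.10"        # router's public address (sample value)
LAN_SERVER = "192.168.88.10"   # LAN web server to expose (sample value)
LAN_PREFIX = "192.168.88."     # LAN subnet (sample value)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)


@dataclass
class NatRule:
    chain: str                        # "dstnat" (prerouting) or "srcnat" (postrouting)
    match: Callable[[Packet], bool]
    action: Callable[[Packet], Packet]
    hits: int = 0                     # how often the rule was evaluated and matched


@dataclass
class ConnEntry:
    orig: Packet        # first packet as it entered the router
    translated: Packet  # first packet as it left the router


class Router:
    def __init__(self, rules):
        self.rules = rules
        self.table = {}  # 5-tuple -> (ConnEntry, "original" | "reply")

    def process(self, pkt):
        """Return (translated packet, connection state, rules consulted?)."""
        hit = self.table.get(pkt.key())
        if hit is not None:
            entry, direction = hit
            if direction == "original":
                t = entry.translated
                out = replace(pkt, src=t.src, sport=t.sport, dst=t.dst, dport=t.dport)
            else:
                # Reply direction: undo the stored translation. No rule is consulted.
                o = entry.orig
                out = replace(pkt, src=o.dst, sport=o.dport, dst=o.src, dport=o.sport)
            return out, "established", False

        # connection-state=new: dstnat (prerouting) first, then srcnat (postrouting)
        out = pkt
        for chain in ("dstnat", "srcnat"):
            for rule in self.rules:
                if rule.chain == chain and rule.match(out):
                    rule.hits += 1
                    out = rule.action(out)
                    break  # first matching rule per chain wins
        entry = ConnEntry(orig=pkt, translated=out)
        self.table[pkt.key()] = (entry, "original")
        reply_key = (out.proto, out.dst, out.dport, out.src, out.sport)
        self.table[reply_key] = (entry, "reply")
        return out, "new", True


def build_router():
    """Typical setup: one dst-nat rule exposing the LAN server on port 80
    and one general masquerade rule for all LAN-to-WAN traffic."""
    dnat = NatRule("dstnat",
                   match=lambda p: p.dst == WAN_IP and p.dport == 80,
                   action=lambda p: replace(p, dst=LAN_SERVER, dport=80))
    masq = NatRule("srcnat",
                   match=lambda p: p.src.startswith(LAN_PREFIX)
                   and not p.dst.startswith(LAN_PREFIX),
                   action=lambda p: replace(p, src=WAN_IP))
    return Router([dnat, masq]), dnat, masq


def trace_exposed_server(client="198.51.100.7", cport=40000):
    """Run a WAN client's SYN, the server's SYN+ACK and the client's ACK
    through the router; return per-packet (state, rules consulted, result)
    plus the hit counters of the dst-nat and masquerade rules."""
    router, dnat, masq = build_router()
    syn = Packet(client, cport, WAN_IP, 80)
    synack = Packet(LAN_SERVER, 80, client, cport)
    steps = [router.process(p) for p in (syn, synack, syn)]
    return [(state, consulted, out) for out, state, consulted in steps], dnat.hits, masq.hits


if __name__ == "__main__":
    steps, dnat_hits, masq_hits = trace_exposed_server()
    for label, (state, consulted, out) in zip(("SYN", "SYN+ACK", "ACK"), steps):
        print(f"{label:8} state={state:11} rules consulted={consulted!s:5} "
              f"-> {out.src}:{out.sport} > {out.dst}:{out.dport}")
    print(f"dst-nat rule hits={dnat_hits}, masquerade rule hits={masq_hits}")
```

Running it shows the SYN hitting the dst-nat rule, the SYN+ACK from the LAN server being rewritten back to the public address from the conntrack entry with the masquerade rule's hit counter still at zero, and the ACK translated without any rule lookup. The same `Router` also masquerades a LAN client's outbound connection and un-NATs its replies from the entry.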