Varying source address and stateful firewalls (Was: Multiple Endpoints)

em12345 em12345 at
Tue Jan 10 01:33:29 CET 2017

Hi Baptiste,

after seeing

I realized that the connection tracking with its state calculation and
the SNAT port mapping are two different things which don't have to
follow the same rules related to src/dst IP and ports.

This could be an explanation why Jason tested the NATed hole punching
successfully with different src IPs, while your example failed.

The iptables connection tracking really does include src and dst IP
according to:

So iptables ESTABLISHED filter rules require the src,dst and both ports.

But maybe the iptables NAT port mapping does not require this. The
iptables man page is vague on the MASQUERADE and SNAT targets.

Anyway, only packets with an existing port mapping (however this is
determined) will make it into the FORWARD chain from WAN to LAN interface.
Therefore it would not really be necessary to check for ESTABLISHED in
the FORWARD chain for those WAN-to-LAN packets, assuming such NEW packets
really do show up there at all.

However in your example which is only using the INPUT chain, one of
course has to filter out the NEW packets here.
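The distinction drawn in the message above, as an added toy model that is not part of the original post or of netfilter itself: connection tracking keyed on the full 5-tuple decides NEW vs ESTABLISHED, while the SNAT port mapping is modelled separately and, as an assumption matching the endpoint-independent behaviour the post speculates about, is keyed only on the LAN side. All addresses and ports are constructed, and the class and function names are the example's own.

```python
"""Toy model: 5-tuple connection tracking versus a separate, endpoint-
independent SNAT port mapping.  Simplified illustration only (assumption),
not the kernel's actual conntrack/NAT code.  All addresses are constructed."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class ConnTracker:
    """Connection tracking keyed on the full 5-tuple.  A packet is ESTABLISHED
    only if its tuple is the reply direction of a flow already seen going out."""

    def __init__(self) -> None:
        self.reply_tuples: set[tuple] = set()

    def outbound(self, pkt: Packet) -> None:
        # Remember the expected reply tuple (src/dst swapped).
        self.reply_tuples.add((pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto))

    def state(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        return "ESTABLISHED" if key in self.reply_tuples else "NEW"


class EndpointIndependentNat:
    """Toy SNAT: maps (lan_ip, lan_port) to one WAN port and translates any
    inbound packet that hits that WAN port, whoever sent it (assumption)."""

    def __init__(self, wan_ip: str, first_port: int = 40000) -> None:
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.out_map: dict[tuple[str, int], int] = {}
        self.in_map: dict[int, tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src=self.wan_ip, sport=self.out_map[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst != self.wan_ip or pkt.dport not in self.in_map:
            return None  # no mapping: the packet never reaches FORWARD
        lan_ip, lan_port = self.in_map[pkt.dport]
        return replace(pkt, dst=lan_ip, dport=lan_port)


def simulate() -> dict:
    """LAN host 10.0.0.2:51820 behind router 203.0.113.1 sends to peer A;
    replies then arrive from peer A and from peer B (a different src IP)."""
    ct = ConnTracker()
    nat = EndpointIndependentNat("203.0.113.1")

    out = Packet("10.0.0.2", 51820, "198.51.100.10", 51820)  # LAN -> peer A
    out_wan = nat.outbound(out)  # SNAT applied on the way out
    ct.outbound(out_wan)         # conntrack records the translated tuple

    from_a = Packet("198.51.100.10", 51820, "203.0.113.1", out_wan.sport)
    from_b = Packet("198.51.100.20", 51820, "203.0.113.1", out_wan.sport)
    stray = Packet("198.51.100.20", 51820, "203.0.113.1", 40999)

    return {
        "wan_port": out_wan.sport,
        "a_state": ct.state(from_a),                        # ESTABLISHED
        "a_forwarded": nat.inbound(from_a) is not None,     # mapping hits
        "b_state": ct.state(from_b),                        # NEW: other src IP
        "b_forwarded": nat.inbound(from_b) is not None,     # mapping still hits
        "stray_forwarded": nat.inbound(stray) is not None,  # no mapping: dropped
    }


def input_chain_accepts(state: str) -> bool:
    """The post's INPUT-chain case: a router-local service has no port mapping
    to gate on, so an ESTABLISHED-only rule is the filter that drops NEW."""
    return state == "ESTABLISHED"


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

Running it shows the asymmetry the post describes: peer B's packet is NEW to conntrack yet still gets translated by the (assumed endpoint-independent) mapping, whereas a packet to an unmapped port is dropped before any FORWARD rule sees it; in the INPUT-chain case only the state check stands between a NEW packet and the local service.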
