Thank you very much, I think that last statement really got through to the heart of what I was trying to understand.
I also looked back through the docs and realized that I was misunderstanding the definition of connection-nat-state: it is flagged with srcnat/dstnat based on the direction of the first packet, so even in my "implicit dstnat via masquerading" scenario, it would have been tagged with srcnat first and maintained that flag for the rest of the connection, regardless of how the packets are routed back to the client.
To summarize then, the only time the dstnat flag is set is when routing for explicit dstnat rules. It is convenient to have in this default rule because in the event that dstnat rules are set up (for port forwarding, for example), the rule already accepts the connection. The added benefit is that in the event that rogue traffic is sent to the router's WAN IP which is not destined for the router itself, it will be dropped after being routed to the forward chain.
Thank you everyone who had feedback and clarification!
i.e. in the event that dstnat has been tagged on a connection, it was as a result of a deliberate action the admin made. connection-nat-state=!dstnat may not be applicable now, but it might be later in the event that you set up port forwarding, in which case this rule is already configured to allow it. dstnat rules don't just come out of thin air - the administrator must have configured it.
Statistics: Posted by calloq — Wed Mar 26, 2025 9:48 am
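The rule set the post is reasoning about, as an added RouterOS configuration example that is not from the thread; the interface list name WAN on ether1, the LAN host 192.168.88.10 and the forwarded port 443 are assumptions:

```routeros
# Added example, not from the forum thread. Assumed: WAN interface list on ether1,
# LAN web host 192.168.88.10, forwarded port 443.

/interface list
add name=WAN
/interface list member
add list=WAN interface=ether1

/ip firewall nat
# Masquerade outbound LAN traffic. The first packet leaves via WAN, so the
# connection is tagged srcnat; reply packets keep that tag and never become dstnat.
add chain=srcnat action=masquerade out-interface-list=WAN comment="masquerade LAN"
# Explicit port forward. The first packet arrives from WAN and matches this rule,
# so the connection is tagged dstnat for its whole lifetime.
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=443 \
    to-addresses=192.168.88.10 to-ports=443 comment="forward HTTPS to LAN host"

/ip firewall filter
# Accept established/related first; the nat-state check only matters for new connections.
add chain=forward action=accept connection-state=established,related
# The default-config rule discussed above: new connections entering from WAN are
# dropped unless a dstnat rule already claimed them. Traffic aimed at the WAN IP
# with no matching port forward reaches the forward chain and is dropped here.
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="drop all from WAN not DSTNATed"

# Inspect live connections; the Flags column shows which entries carry the
# srcnat or dstnat tag set by the first packet.
/ip firewall connection print
```

With this in place, a connection to port 443 on the WAN address is accepted because the dstnat rule tagged it, while a connection to any other port on the WAN address that is not terminated by the router itself is dropped by the last forward rule.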