PAT
===

TCP
===

PC1 and PC2 are in a private LAN behind R
R does PAT (source NAT with port rewriting) towards the outside

PC1 wants to reach an external server SRV at port 22
PC2 wants to reach the same external server SRV at port 22

By "coincidence" PC1 and PC2 choose the same srcPort -> PAT is not affected: R keeps the port for the first flow and rewrites it for the second (RsrcPort1 vs RsrcPort2 below), so replies from SRV still map back to exactly one host

Link       srcIP   srcPort             dstIP   dstPort
---------------------------------------------------------------
PC1 - R    PC1     PCsrcPort (>1023)   SRV     22
R - SRV    R       RsrcPort1 (>1023)   SRV     22
SRV - R    SRV     22                  R       RsrcPort1
R - PC1    SRV     22                  PC1     PCsrcPort

PC2 - R    PC2     PCsrcPort (>1023)   SRV     22
R - SRV    R       RsrcPort2 (>1023)   SRV     22
SRV - R    SRV     22                  R       RsrcPort2
R - PC2    SRV     22                  PC2     PCsrcPort
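
The table above can be turned into a small working model. The following is an added example, not the router's code or any netfilter internals: a PAT table that keeps the inside host's port when it is free and allocates a fresh one on collision, then maps replies back to the owning host. The addresses and ports are the ones from the example setting on this page; the allocation policy and the 32768+ range are assumptions (the real router picked 32830 in the capture below). It also goes slightly beyond the TCP case: the "id" of a flow can be a TCP/UDP port or an ICMP echo identifier, which is how the ICMP section later on the page is handled.

```python
# Added example (not the router's code): a minimal PAT table for outbound
# flows, following the TCP walkthrough above. Port allocation policy and
# the 32768+ range are assumptions; the address and port values come from
# the page's example setting.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ROUTER_IP = "10.139.40.20"   # R's routable address (page's example)
EPHEMERAL_START = 32768      # assumed start of the range R uses for rewritten ports


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sid: int     # TCP/UDP source port, or ICMP echo identifier
    dst: str
    did: int     # TCP/UDP destination port; 0 for ICMP echo


class PatTable:
    """Source NAT with port rewriting, keyed so every reply maps to one inside host."""

    def __init__(self, ext_ip: str = ROUTER_IP, start: int = EPHEMERAL_START) -> None:
        self.ext_ip = ext_ip
        self._next = start
        self.out: Dict[Flow, int] = {}                         # inside flow -> external port
        self.back: Dict[Tuple[str, int, str, int], Flow] = {}  # (proto, ext port, peer, peer port) -> inside flow

    def translate_out(self, f: Flow) -> Flow:
        """Rewrite an outbound packet's source to R's address and an external port."""
        if f not in self.out:
            key = (f.proto, f.sid, f.dst, f.did)
            if key not in self.back:
                ext = f.sid          # no collision: keep the host's own port (PC1 case)
            else:
                # Collision: another inside host already owns this (port, peer) pair,
                # so a reply from SRV:22 would be ambiguous; pick a fresh port (PC2 case).
                while True:
                    ext = self._next
                    self._next += 1
                    if (f.proto, ext, f.dst, f.did) not in self.back:
                        break
            self.out[f] = ext
            self.back[(f.proto, ext, f.dst, f.did)] = f
        return Flow(f.proto, self.ext_ip, self.out[f], f.dst, f.did)

    def translate_in(self, proto: str, peer: str, peer_id: int, ext_id: int) -> Optional[Flow]:
        """Map a reply (peer:peer_id -> R:ext_id) back to the inside flow, or None if no state."""
        return self.back.get((proto, ext_id, peer, peer_id))


def demo() -> Tuple[Flow, Flow, Optional[Flow], Optional[Flow], Optional[Flow]]:
    """Replay the page's scenario: PC1 and PC2 both use sport 2345 towards SRV:22."""
    t = PatTable()
    pc1 = Flow("tcp", "172.29.0.2", 2345, "10.138.57.246", 22)
    pc2 = Flow("tcp", "172.29.0.3", 2345, "10.138.57.246", 22)
    o1 = t.translate_out(pc1)           # src 10.139.40.20:2345 (kept)
    o2 = t.translate_out(pc2)           # src 10.139.40.20:32768 (rewritten)
    r1 = t.translate_in("tcp", "10.138.57.246", 22, o1.sid)   # -> pc1
    r2 = t.translate_in("tcp", "10.138.57.246", 22, o2.sid)   # -> pc2
    stray = t.translate_in("tcp", "10.138.57.246", 22, 4444)  # -> None: no state, drop it
    return o1, o2, r1, r2, stray


if __name__ == "__main__":
    for x in demo():
        print(x)
```

The reverse lookup is keyed on the full (proto, external port, peer, peer port) tuple, not on the external port alone: that is what lets PC1 keep 2345 towards SRV while a different host could also keep 2345 towards some other server, and it is also why an inbound packet with no matching state returns None and is dropped rather than forwarded to a guessed host.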

Example
-------
Setting: in this case the addresses in 10/8 are routable/legitimate and 172.29.0.0/24 is the block to be natted (i.e. it cannot be routed in the 10/8 network)

        IP              dport   sport
SRV     10.138.57.246   22
R       10.139.40.20
PC1     172.29.0.2              2345
PC2     172.29.0.3              2345

## To force the source port the following command can be used (PCsrcPort=2345):
ssh -o 'ProxyCommand nc -p 2345 %h %p' user@10.138.57.246

Router:~$ conntrack -E --src-nat
    [NEW] tcp      6 120 SYN_SENT src=172.29.0.2 dst=10.138.57.246 sport=2345 dport=22 [UNREPLIED] src=10.138.57.246 dst=10.139.40.20 sport=22 dport=2345		## PC1 starts ssh (2345 is kept)
 [UPDATE] tcp      6 60 SYN_RECV src=172.29.0.2 dst=10.138.57.246 sport=2345 dport=22 src=10.138.57.246 dst=10.139.40.20 sport=22 dport=2345
 [UPDATE] tcp      6 432000 ESTABLISHED src=172.29.0.2 dst=10.138.57.246 sport=2345 dport=22 src=10.138.57.246 dst=10.139.40.20 sport=22 dport=2345 [ASSURED]
    [NEW] tcp      6 120 SYN_SENT src=172.29.0.3 dst=10.138.57.246 sport=2345 dport=22 [UNREPLIED] src=10.138.57.246 dst=10.139.40.20 sport=22 dport=32830	## PC2 starts ssh (2345 is mapped to 32830)
 [UPDATE] tcp      6 60 SYN_RECV src=172.29.0.3 dst=10.138.57.246 sport=2345 dport=22 src=10.138.57.246 dst=10.139.40.20 sport=22 dport=32830
 [UPDATE] tcp      6 432000 ESTABLISHED src=172.29.0.3 dst=10.138.57.246 sport=2345 dport=22 src=10.138.57.246 dst=10.139.40.20 sport=22 dport=32830 [ASSURED]
 [UPDATE] tcp      6 120 FIN_WAIT src=172.29.0.2 dst=10.138.57.246 sport=2345 dport=22 src=10.138.57.246 dst=10.139.40.20 sport=22 dport=2345 [ASSURED]
 [UPDATE] tcp      6 60 CLOSE_WAIT src=172.29.0.2 dst=10.138.57.246 sport=2345 dport=22 src=10.138.57.246 dst=10.139.40.20 sport=22 dport=2345 [ASSURED]
 [UPDATE] tcp      6 120 FIN_WAIT src=172.29.0.3 dst=10.138.57.246 sport=2345 dport=22 src=10.138.57.246 dst=10.139.40.20 sport=22 dport=32830 [ASSURED]
 [UPDATE] tcp      6 60 CLOSE_WAIT src=172.29.0.3 dst=10.138.57.246 sport=2345 dport=22 src=10.138.57.246 dst=10.139.40.20 sport=22 dport=32830 [ASSURED]
 [UPDATE] tcp      6 30 LAST_ACK src=172.29.0.2 dst=10.138.57.246 sport=2345 dport=22 src=10.138.57.246 dst=10.139.40.20 sport=22 dport=2345 [ASSURED]
 [UPDATE] tcp      6 10 CLOSE src=172.29.0.2 dst=10.138.57.246 sport=2345 dport=22 src=10.138.57.246 dst=10.139.40.20 sport=22 dport=2345 [ASSURED]
 [UPDATE] tcp      6 30 LAST_ACK src=172.29.0.3 dst=10.138.57.246 sport=2345 dport=22 src=10.138.57.246 dst=10.139.40.20 sport=22 dport=32830 [ASSURED]
 [UPDATE] tcp      6 10 CLOSE src=172.29.0.3 dst=10.138.57.246 sport=2345 dport=22 src=10.138.57.246 dst=10.139.40.20 sport=22 dport=32830 [ASSURED]
[DESTROY] tcp      6 CLOSE src=172.29.0.2 dst=10.138.57.246 sport=2345 dport=22 src=10.138.57.246 dst=10.139.40.20 sport=22 dport=2345 [ASSURED]
[DESTROY] tcp      6 CLOSE src=172.29.0.3 dst=10.138.57.246 sport=2345 dport=22 src=10.138.57.246 dst=10.139.40.20 sport=22 dport=32830 [ASSURED]

Router:~$ conntrack -E --dst-nat		## Remains empty

ICMP
====

PC1 wants to ping an external server SRV
PC2 wants to reach the same external server SRV

PAT is still possible even though ICMP echo has no ports: conntrack uses the echo identifier (Query ID, the `id=` field below) as the per-flow key, in the role the source port plays for TCP

Example
-------

Router:~$ sudo conntrack -E --dst-nat
    [NEW] icmp     1 30 src=172.29.0.2 dst=1.1.1.1 type=8 code=0 id=23 [UNREPLIED] src=1.1.1.1 dst=10.139.40.20 type=0 code=0 id=23	## PC1 starts ping (id=23)
 [UPDATE] icmp     1 30 src=172.29.0.2 dst=1.1.1.1 type=8 code=0 id=23 src=1.1.1.1 dst=10.139.40.20 type=0 code=0 id=23			## PC1 keeps ping
    [NEW] icmp     1 30 src=172.29.0.3 dst=1.1.1.1 type=8 code=0 id=25 [UNREPLIED] src=1.1.1.1 dst=10.139.40.20 type=0 code=0 id=25	## PC2 starts ping (id=25)
 [UPDATE] icmp     1 30 src=172.29.0.3 dst=1.1.1.1 type=8 code=0 id=25 src=1.1.1.1 dst=10.139.40.20 type=0 code=0 id=25			## PC2 keeps ping
[DESTROY] icmp     1 src=172.29.0.2 dst=1.1.1.1 type=8 code=0 id=23 src=1.1.1.1 dst=10.139.40.20 type=0 code=0 id=23			## PC1 stopped pinging a few seconds ago
[DESTROY] icmp     1 src=172.29.0.3 dst=1.1.1.1 type=8 code=0 id=25 src=1.1.1.1 dst=10.139.40.20 type=0 code=0 id=25			## PC2 stopped pinging a few seconds ago

Router:~$ sudo conntrack -E --src-nat		## Exactly the same as --dst-nat
    [NEW] icmp     1 30 src=172.29.0.2 dst=1.1.1.1 type=8 code=0 id=23 [UNREPLIED] src=1.1.1.1 dst=10.139.40.20 type=0 code=0 id=23
 [UPDATE] icmp     1 30 src=172.29.0.2 dst=1.1.1.1 type=8 code=0 id=23 src=1.1.1.1 dst=10.139.40.20 type=0 code=0 id=23
    [NEW] icmp     1 30 src=172.29.0.3 dst=1.1.1.1 type=8 code=0 id=25 [UNREPLIED] src=1.1.1.1 dst=10.139.40.20 type=0 code=0 id=25
 [UPDATE] icmp     1 30 src=172.29.0.3 dst=1.1.1.1 type=8 code=0 id=25 src=1.1.1.1 dst=10.139.40.20 type=0 code=0 id=25
[DESTROY] icmp     1 src=172.29.0.2 dst=1.1.1.1 type=8 code=0 id=23 src=1.1.1.1 dst=10.139.40.20 type=0 code=0 id=23
[DESTROY] icmp     1 src=172.29.0.3 dst=1.1.1.1 type=8 code=0 id=25 src=1.1.1.1 dst=10.139.40.20 type=0 code=0 id=25
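
Reading the two captures above by eye works for four flows; on a busy router it does not. The following is an added example, not part of the original notes and not a conntrack tool: a parser for the `conntrack -E` lines shown on this page (both the TCP and the ICMP output) that splits each event into its original tuple (what the inside host sent) and reply tuple (what the peer answers after NAT), then reports the PAT mapping conntrack built, flagging flows whose port or echo id was rewritten. The sample lines are copied from the page and the prompt line is included only to show that non-event lines are skipped.

```python
# Added example (not part of the original notes): a parser for the
# `conntrack -E` event lines shown on this page, which pulls out the
# original and reply tuples and reports the PAT mapping conntrack applied.
# The sample lines are copied from the page; they are the only input.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

EVENT_RE = re.compile(r"^\s*\[(?P<event>NEW|UPDATE|DESTROY)\]\s+(?P<proto>\w+)\s+(?P<rest>.*)$")

SAMPLE_LINES = [
    "    [NEW] tcp      6 120 SYN_SENT src=172.29.0.2 dst=10.138.57.246 sport=2345 dport=22 [UNREPLIED] src=10.138.57.246 dst=10.139.40.20 sport=22 dport=2345\t\t## PC1 starts ssh (2345 is kept)",
    " [UPDATE] tcp      6 432000 ESTABLISHED src=172.29.0.2 dst=10.138.57.246 sport=2345 dport=22 src=10.138.57.246 dst=10.139.40.20 sport=22 dport=2345 [ASSURED]",
    "    [NEW] tcp      6 120 SYN_SENT src=172.29.0.3 dst=10.138.57.246 sport=2345 dport=22 [UNREPLIED] src=10.138.57.246 dst=10.139.40.20 sport=22 dport=32830",
    "    [NEW] icmp     1 30 src=172.29.0.2 dst=1.1.1.1 type=8 code=0 id=23 [UNREPLIED] src=1.1.1.1 dst=10.139.40.20 type=0 code=0 id=23",
    "[DESTROY] icmp     1 src=172.29.0.3 dst=1.1.1.1 type=8 code=0 id=25 src=1.1.1.1 dst=10.139.40.20 type=0 code=0 id=25",
    "Router:~$ conntrack -E --src-nat",   # prompt line from the page: not an event, must be skipped
]


@dataclass
class ConntrackEvent:
    event: str                 # NEW / UPDATE / DESTROY
    proto: str                 # tcp, udp, icmp ...
    state: Optional[str]       # TCP state (SYN_SENT, ESTABLISHED, ...); None for ICMP
    orig: Dict[str, str] = field(default_factory=dict)    # as sent by the inside host
    reply: Dict[str, str] = field(default_factory=dict)   # as the peer will answer (post-NAT)
    flags: List[str] = field(default_factory=list)        # UNREPLIED, ASSURED, ...


def parse_event(line: str) -> Optional[ConntrackEvent]:
    """Parse one `conntrack -E` line; returns None for prompts and other non-event lines."""
    line = line.split("##", 1)[0]          # drop the notes' trailing comments
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = ConntrackEvent(m.group("event"), m.group("proto"), None)
    cur = ev.orig
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            if cur is ev.orig and k in ev.orig:
                cur = ev.reply             # a repeated key (src=...) starts the reply tuple
            cur[k] = v
        elif tok.startswith("[") and tok.endswith("]"):
            ev.flags.append(tok[1:-1])
        elif tok.isdigit():
            continue                       # protocol number and timeout
        else:
            ev.state = tok
    return ev


def nat_mapping(ev: ConntrackEvent) -> Tuple[str, int, str, int, bool]:
    """(inside ip, inside id, NAT ip, NAT id, rewritten?) where id is the source port or ICMP echo id."""
    if ev.proto == "icmp":
        inside, outside = int(ev.orig["id"]), int(ev.reply["id"])
    else:
        inside, outside = int(ev.orig["sport"]), int(ev.reply["dport"])
    return ev.orig["src"], inside, ev.reply["dst"], outside, inside != outside


def summarize(lines: List[str]) -> List[Tuple[str, int, str, int, bool]]:
    """One mapping per NEW event: this is the PAT table as conntrack built it."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and ev.event == "NEW" and ev.reply:
            out.append(nat_mapping(ev))
    return out


if __name__ == "__main__":
    for ip, sid, nat_ip, nat_id, rewritten in summarize(SAMPLE_LINES):
        note = "rewritten" if rewritten else "kept"
        print(f"{ip}:{sid} -> {nat_ip}:{nat_id} ({note})")
```

The split between original and reply tuples relies on conntrack printing the reply direction as a second run of the same keys, so the first repeated key marks the boundary; the `[UNREPLIED]` and `[ASSURED]` flags can sit between or after the tuples and are collected separately. Fed the page's lines, `summarize` reports PC1's 2345 as kept, PC2's 2345 as rewritten to 32830, and PC1's echo id 23 as kept, which is the whole PAT story of the two sections in three tuples.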
