Firewalls, NAT, and Egress Identity
Firewall/NAT Mental Model
- Firewalls match rules on 5-tuple (src/dst IP, src/dst port, proto).
- NAT rewrites addresses/ports; logs may show post-NAT identities.
- Stateful firewalls require return path symmetry.
Host Firewall Quick Checks
```bash
sudo iptables -S 2>/dev/null || true
sudo nft list ruleset 2>/dev/null | head -200 || true
sudo ufw status verbose 2>/dev/null || true
```
Conntrack and NAT Symptoms
- Conntrack table exhaustion looks like random connection failures.
- SNAT port exhaustion appears under high egress concurrency.
```bash
sysctl net.netfilter.nf_conntrack_count 2>/dev/null || true
sysctl net.netfilter.nf_conntrack_max 2>/dev/null || true
ss -s
```
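Added example (not part of the original page): a small offline triage helper that turns the two symptoms above into numbers. It scores conntrack occupancy from the two sysctl values, and parses `ss -tn` output to count flows per destination ip:port, since one SNAT address can only multiplex a bounded number of source ports toward a single destination. The `ss` sample is constructed, and the port budget assumes the Linux default `ip_local_port_range` of 32768-60999.

```python
"""Conntrack pressure and per-destination SNAT concurrency from ss/sysctl output."""
from collections import Counter

# Assumption: Linux default net.ipv4.ip_local_port_range 32768-60999 (28232 ports).
# Behind one SNAT IP, flows to the same dst ip:port must each get a distinct port.
DEFAULT_PORT_BUDGET = 60999 - 32768 + 1

# Constructed sample of `ss -tn` output (header row plus four sockets).
SAMPLE_SS_TN = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      10.0.0.5:41002      203.0.113.10:443
ESTAB  0      0      10.0.0.5:41003      203.0.113.10:443
ESTAB  0      0      10.0.0.5:41004      203.0.113.10:443
TIME-WAIT 0   0      10.0.0.5:41005      203.0.113.10:443
ESTAB  0      0      10.0.0.5:41006      198.51.100.7:443
"""


def conntrack_pressure(count, max_entries, warn_pct=80):
    """Return (utilization_pct, warning) from nf_conntrack_count / nf_conntrack_max."""
    pct = round(100.0 * count / max_entries, 1)
    return pct, pct >= warn_pct


def parse_ss_tn(text):
    """Yield (state, local_ip, local_port, peer_ip, peer_port) from `ss -tn` text."""
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        lip, lport = local.rsplit(":", 1)  # rsplit keeps [v6]:port intact
        pip, pport = peer.rsplit(":", 1)
        yield state, lip, int(lport), pip, int(pport)


def snat_hotspots(text, port_budget=DEFAULT_PORT_BUDGET, warn_pct=50):
    """Count flows per (dst ip, dst port), TIME-WAIT included because the NAT
    mapping lives on until it expires, and return those at or above warn_pct
    of the per-destination port budget."""
    per_dst = Counter()
    for state, _lip, _lport, pip, pport in parse_ss_tn(text):
        if state != "LISTEN":
            per_dst[(pip, pport)] += 1
    return {dst: n for dst, n in per_dst.items()
            if 100.0 * n / port_budget >= warn_pct}


if __name__ == "__main__":
    print(conntrack_pressure(250000, 262144))
    print(snat_hotspots(SAMPLE_SS_TN, port_budget=4))
```

On a live host, feed it `ss -tn` output and the two sysctl values from the commands above; a destination that approaches the budget is the first place to look when egress failures are intermittent.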
Test Egress Identity
```bash
curl -s https://ifconfig.me || true
curl -s https://api.ipify.org || true
```
Failure Modes
- Asymmetric routing: request exits one path, response returns another → dropped.
- Policy drift: a change blocks new flows; old connections still work (partial outage).
- ICMP blocked: Path MTU issues become invisible; TLS/HTTP may hang.
Checklist
```bash
ip route get 1.1.1.1
# MTU hint (do not rely solely on ping)
ping -c 2 -M do -s 1472 1.1.1.1 2>/dev/null || true
```