
List:       netfilter
Subject:    Re: DNAT/MASQ Precedence
From:       Katriel Traum <katriel () traum ! org ! il>
Date:       2003-01-31 12:50:39

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 31 January 2003 11:19, Athan wrote:
> On Fri, Jan 31, 2003 at 01:14:06PM +0000, Katriel Traum wrote:
> > Okay, sounds good, so say I want to save me a 2000 SNAT ports (I don't
> > think I'll have 2000 sockets open at the same time)
> > here's the ruleset I should use:
> >
> > iptables -t nat -A PREROUTING -i $INET_IF -p tcp --dport ! 60000:62000 -j DNAT \
> >   --to-destination $DMZ_IP
> > iptables -t nat -A PREROUTING -i $INET_IF -p udp --dport ! 60000:62000 -j DNAT \
> >   --to-destination $DMZ_IP
> >
> > iptables -t nat -A POSTROUTING -o $INET_IF -i $LAN_IF -j SNAT --to-source \
> >   $INET_IP:60000-62000
>
>    Looks good at first glance here.
>
> > as for ICMP, I didn't quite understand you. can you elaborate?
>
>   For TCP to operate correctly you *NEED* some ICMP working.  ICMP isn't
> just for ping!  There are things like network, host and port
> unreachable.  There are also things like Path MTU discovery, which involves
> an ICMP message being sent back if a packet is too big for part of the
> route and has the Do not Fragment (DF) flag set.
>   Basically not allowing ICMP in a blind fashion is NOT the way to do
> things.  You probably just need to make sure you have the proper FORWARD
> rules (filter chain, it's the default so no -t) to allow both
> ESTABLISHED and RELATED.  You can find these in any mention of SNAT in
> docs/howtos.
Of course ICMP is important. I wasn't going to leave it out.
The question is, will the rule:
iptables -t nat -A PREROUTING -i $INET_IF -p icmp --dport ! 60000:62000 -j DNAT \
  --to-destination $DMZ_IP

do it? And what about ICMP messages aimed back at the LAN?
This will all be accompanied by the appropriate -m state entries.

Katriel
>
> HTH,
>
> -Ath

-- 
+katriel                                                כתריאל+
pgp key: traum.org.il/gpg.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+Onz3DWy+Hv/461sRAphzAJ9ZBpO+lsHt2x468/Pwf4bmM/LJYACgioZ5
5E+0wiAx7l3IC0JuyetYGts=
=5J6o
-----END PGP SIGNATURE-----
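The following script is an added example and is not part of this thread; it is neither Katriel's nor Athan's ruleset. It puts together the pieces discussed above (the DNAT carve-out to the DMZ host, the reserved SNAT port range for the LAN, and the FORWARD state rules) and shows how ICMP fits in. Two things the quoted rules do not show: ICMP has no ports, so iptables rejects "-p icmp --dport", and POSTROUTING cannot match "-i", so LAN traffic has to be selected by source network instead. ICMP errors that belong to a translated flow (host/port unreachable, fragmentation-needed for PMTU discovery) and echo-replies to LAN pings match the existing conntrack entry and are reverse-translated without any nat rule; the only ICMP that needs an explicit DNAT is an unsolicited echo-request for the DMZ host. Interface names, addresses, and the LAN_NET variable are assumed placeholders, and the negation is written in the current "! --dport" form rather than the older "--dport !" used in the thread. The script prints the rules by default and only loads them when IPT=iptables is set and it is run as root.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT everything to the DMZ host except
# a port range reserved for LAN SNAT, with ICMP left to connection tracking.
# Dry run by default: IPT="echo iptables" prints the rules instead of loading
# them. Run as root with IPT=iptables to apply. All values are placeholders.
IPT="${IPT:-echo iptables}"
INET_IF="${INET_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
INET_IP="${INET_IP:-198.51.100.10}"
DMZ_IP="${DMZ_IP:-192.168.2.10}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed: the LAN source network
SNAT_MATCH="60000:62000"               # match syntax: low:high
SNAT_RANGE="60000-62000"               # SNAT target syntax: low-high

nat_rules() {
    # Inbound TCP/UDP to the public IP goes to the DMZ host, except the
    # ports reserved for SNAT.
    $IPT -t nat -A PREROUTING -i "$INET_IF" -p tcp ! --dport "$SNAT_MATCH" \
        -j DNAT --to-destination "$DMZ_IP"
    $IPT -t nat -A PREROUTING -i "$INET_IF" -p udp ! --dport "$SNAT_MATCH" \
        -j DNAT --to-destination "$DMZ_IP"
    # ICMP has no ports, so --dport cannot be used. Only unsolicited
    # echo-requests need DNAT; echo-replies to LAN pings and ICMP errors for
    # translated flows hit an existing conntrack entry and never reach
    # the nat table.
    $IPT -t nat -A PREROUTING -i "$INET_IF" -p icmp --icmp-type echo-request \
        -j DNAT --to-destination "$DMZ_IP"
    # POSTROUTING cannot match -i (the input interface is gone by then),
    # so LAN traffic is selected by source network.
    $IPT -t nat -A POSTROUTING -o "$INET_IF" -s "$LAN_NET" \
        -j SNAT --to-source "$INET_IP:$SNAT_RANGE"
}

filter_rules() {
    # Translated replies and RELATED ICMP (unreachables, fragmentation-needed)
    # are accepted here for both the LAN and the DMZ host.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections: LAN out to the Internet, Internet in to the DMZ host
    # (the destination is already rewritten by PREROUTING when FORWARD runs).
    $IPT -A FORWARD -i "$LAN_IF" -o "$INET_IF" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$INET_IF" -d "$DMZ_IP" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -j DROP
}

nat_rules
filter_rules
```

Running it as-is prints the nine rules it would load; IPT=iptables sh script.sh applies them. The order of the FORWARD rules matters: the ESTABLISHED,RELATED rule comes first so that reverse-translated packets and ICMP errors never fall through to the DROP at the end.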


