
List:       netfilter
Subject:    Re: iptables masquerading 3 localnet -solution
From:       Chapman Brad <kakadu_croc () yahoo ! com>
Date:       2001-02-28 14:27:11

Mr. Estany,

	You're right. Looks like you've got the commands
together as best as you possibly could. You're right
about ACCEPT'ing packets in POSTROUTING AND FORWARD; I
never thought of that ;-) If you have any more
questions, don't hesitate to ask.

Thanks,

Brad

--- Carles Pina i Estany <is08139@salleURL.edu> wrote:
> 
> Hi,
> 
> I didn't test your last rules.
> 
> I did something like this and it works fine (I retyped the idea,
> I didn't copy and paste, sorry)
> 
> iptables -F
> iptables -t nat -F
> iptables -P FORWARD DROP
> 
> iptables -A FORWARD -s 10.0.0.0/255.0.0.0 -d \
> 	100.200.300.0/255.255.255.0 -j ACCEPT
> 
> iptables -A FORWARD -s 10.0.0.0/255.0.0.0 -d \
> 	100.200.301.0/255.255.255.0 -j ACCEPT
> 
> iptables -A FORWARD -s 10.0.0.0/255.0.0.0 -d \
> 	10.0.0.0/255.0.0.0 -j ACCEPT
> 
> iptables -t nat -A POSTROUTING -d 100.200.300.0/255.255.255.0 -j ACCEPT
> iptables -t nat -A POSTROUTING -d 100.200.301.0/255.255.255.0 -j ACCEPT
> iptables -t nat -A POSTROUTING -d 10.0.0.0/255.0.0.0 -j ACCEPT
> iptables -t nat -A POSTROUTING -j SNAT --to-source IP_SERVER
> 
> Mmm... it's something that appears like this :-)
> 
> The "tip" is the use of -j on the nat table. With this
> option, the packet is not masqueraded if the destination is one of the
> destinations specified.
> 
> If someone is interested I can send the real
> configuration, but the idea is this (I am not root of this machine)
> 
> Thank you for your patience
> 
> 
> On Tue, 27 Feb 2001, Chapman Brad wrote:
> 
> > Mr. Estany,
> >
> > 	I added those rules to the POSTROUTING chain because
> > I wasn't sure whether the RETURN target also prevents
> > a packet from going through the NAT table. Thus, a
> > rule like
> >
> > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> >
> > 	would still masquerade 100.200.300.0, 100.200.301.0,
> > and 10.0.0.0, despite the fact that you ACCEPT'ed them
> > back at the FORWARD chain. Again, this is because I
> > don't know whether ACCEPT'ing a packet in FORWARD
> > bypasses the POSTROUTING chain.
> >
> > 	I hope this clears it up. If you have any other
> > questions, don't hesitate to ask.
> >
> > Brad
> > --- Carles Pina i Estany <is08139@salleURL.edu> wrote:
> > >
> > >
> > > Mr Brad,
> > >
> > > If I do something as:
> > >
> > > iptables -P FORWARD ACCEPT
> > >
> > > iptables -A FORWARD -p tcp -i eth0 -d \
> > > 	100.200.300.0/255.255.255.0 -j RETURN
> > >
> > > iptables -A FORWARD -p tcp -i eth0 -d \
> > > 	100.200.301.0/255.255.255.0 -j RETURN
> > >
> > > iptables -A FORWARD -p tcp -i eth0 -d \
> > > 	10.0.0.0/255.0.0.0 -j RETURN
> > >
> > > iptables -t nat -P POSTROUTING ACCEPT
> > >
> > > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > >
> > > Then works?
> > >
> > > I understand that when iptables receives a packet to
> > > forward, it checks the rules of FORWARD. If there is "-j ACCEPT" then
> > > the packet is accepted and the other rules of FORWARD are checked. When FORWARD
> > > finishes, it checks nat. If there is NAT, then it does the rule of NAT.
> > >
> > > Yes?
> > >
> > > And, if "-j RETURN" is found, then the packet is
> > > processed as forward but doesn't continue checking other conditions. Then
> > > it doesn't go to nat (I think).
> > >
> > > Nat is checked at the end of forward?
> > >
> > > And you write:
> > > ----------
> > > > iptables -t nat -A POSTROUTING -p 0 -o ppp0 -d ! 100.200.300.0 -j MASQUERADE
> > > > iptables -t nat -A POSTROUTING -p 0 -o ppp0 -d ! 100.200.301.0 -j MASQUERADE
> > > > iptables -t nat -A POSTROUTING -p 0 -o ppp0 -d ! 10.0.0.0 -j MASQUERADE
> > > -------
> > >
> > > With this, ALL the packets are masqueraded, I think.
> > > Because if you send a packet to 100.200.300.0 it is
> > > not masqueraded (the destination is 100.200.300.0, and -d ! 100.200.300.0
> > > doesn't masquerade).
> > > But the second rule masquerades it, no?
> > >
> > > Or, if you send a packet to 100.200.301.0 the first
> > > rule masquerades it.
> > >
> > > Thank you very much for your attention
> > >
> > > >
> > > > iptables -t nat -A POSTROUTING -p 0 -o ppp0 -j MASQUERADE
> > > >
> > > > 	The reason why I put rules for both TCP and UDP in my
> > > > earlier message was because I thought you needed them
> > > > to specify an IP address. You don't :-), so you can
> > > > prevent clutter. I think using the RETURN target
> > > > avoids the rest of the hooks; if it doesn't, then the
> > > > rules that masquerades anything that is NOT
> > > > 100.200.x.x or 10.0.0.0 . Test these out. If you
> > > > don't understand, reply and I'll explain some more.
> > > >
> > > > Brad
> > > >
> > > > --- Carles Pina i Estany <is08139@salleURL.edu> wrote:
> > > > >
> > > > > Hi,
> > > > >
> > > > >
> > > > > Tomorrow I will test it. But I don't understand.
> > > > >
> > > > > I don't want to masquerade if the destination is:
> > > > > 100.200.300.x
> > > > > 100.200.301.x
> > > > > 10.x.y.z
> > > > >
> > > > > The source is always from 10.9.x.y (if I remember
> > > > > well). Then, depending on the destination, I will masquerade or only
> > > > > forward.
> > > > >
> > > > > I don't understand what you do with your rules
> > > > > :-(
> > > > >
> > > > > Thank you very much
=== message truncated ===
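As an added illustration (not part of the thread, and not code from either poster), the following Python script models the first-match semantics of the nat POSTROUTING chain so the two rule layouts argued over above can be compared without touching a live firewall: one negated MASQUERADE rule per exempt destination, which masquerades everything because a packet exempt from one rule still matches the others, versus ACCEPT rules for the exempt destinations followed by a single catch-all MASQUERADE, which is the layout Carles reports working. It also models the packet-path question Brad raises: filter FORWARD is evaluated before nat POSTROUTING, and an ACCEPT in FORWARD does not skip POSTROUTING. The prefixes 192.0.2.0/24 and 198.51.100.0/24 are constructed stand-ins for the thread's 100.200.300.0/24 and 100.200.301.0/24 (which are not valid IPv4 addresses), eth0 is an assumed outgoing interface, and the sample destinations are constructed.

```python
# Added example (not from the thread): a first-match simulator for the nat
# POSTROUTING chain, used to check "masquerade everything except these
# destinations" rule sets before loading them with iptables.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Stand-ins for the thread's 100.200.300.0/24, 100.200.301.0/24 and
# 10.0.0.0/8 (the first two are not valid IPv4, so documentation prefixes
# are substituted here; constructed values).
EXEMPT_NETS = ["192.0.2.0/24", "198.51.100.0/24", "10.0.0.0/8"]


@dataclass(frozen=True)
class Rule:
    """One nat POSTROUTING rule: destination match (None = any) and target."""
    dst: Optional[str]
    negate: bool   # True models "! -d dst" (written "-d ! dst" in 2001-era iptables)
    target: str    # ACCEPT, MASQUERADE or SNAT


def matches(rule: Rule, dst_ip: str) -> bool:
    """Does this rule's destination match (honouring negation)?"""
    if rule.dst is None:
        return True
    in_net = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
    return (not in_net) if rule.negate else in_net


def postrouting_verdict(chain: List[Rule], dst_ip: str, policy: str = "ACCEPT") -> str:
    """First matching rule wins; ACCEPT in the nat table means 'no NAT'."""
    for rule in chain:
        if matches(rule, dst_ip):
            return rule.target
    return policy


def forward_then_nat(filter_verdict: str, chain: List[Rule], dst_ip: str) -> Optional[str]:
    """Model the packet path: filter FORWARD runs first, nat POSTROUTING after.
    An ACCEPT in FORWARD does not skip POSTROUTING; only a packet dropped in
    FORWARD never reaches it. (The nat table is consulted for the first packet
    of a connection and conntrack applies the result to the rest.)"""
    if filter_verdict != "ACCEPT":
        return None
    return postrouting_verdict(chain, dst_ip)


# Variant 1, as discussed in the thread: one negated MASQUERADE rule per
# exempt network. A packet to net A fails rule A but matches rule B, so
# every packet ends up masqueraded.
NEGATED_PER_NET = [Rule(net, True, "MASQUERADE") for net in EXEMPT_NETS]

# Variant 2, the layout reported working: ACCEPT the exempt destinations
# first, then one catch-all NAT rule.
ACCEPT_THEN_MASQ = [Rule(net, False, "ACCEPT") for net in EXEMPT_NETS] + [
    Rule(None, False, "MASQUERADE")
]


def to_iptables(rule: Rule, out_if: str = "eth0") -> str:
    """Render a Rule as the iptables command that would install it (eth0 assumed)."""
    parts = ["iptables", "-t", "nat", "-A", "POSTROUTING", "-o", out_if]
    if rule.dst is not None:
        parts += (["!", "-d", rule.dst] if rule.negate else ["-d", rule.dst])
    parts += ["-j", rule.target]
    return " ".join(parts)


def verdict_table(chain: List[Rule], samples: List[str]) -> Dict[str, str]:
    """Evaluate the chain for each sample destination."""
    return {ip: postrouting_verdict(chain, ip) for ip in samples}


if __name__ == "__main__":
    # Constructed sample destinations: one per exempt net plus one external host.
    samples = ["192.0.2.10", "198.51.100.7", "10.9.1.2", "203.0.113.5"]
    for name, chain in (("negated per net", NEGATED_PER_NET),
                        ("accept then masquerade", ACCEPT_THEN_MASQ)):
        print(name)
        for rule in chain:
            print("  " + to_iptables(rule))
        print("  ", verdict_table(chain, samples))
```

The negated-per-net variant yields MASQUERADE for every destination, including the ones meant to be exempt; the accept-then-masquerade variant exempts exactly the three prefixes and masquerades the rest, which is the behaviour the thread settles on. Because the filter and nat tables are evaluated independently, the exemption has to be expressed in nat POSTROUTING itself (as Brad's last reply concludes), not only in FORWARD.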



