From: Ray Leach <raymondl@knowledgefactory.co.za>
To: Cedric Blancher <blancher@cartel-securite.fr>
Cc: Wim Ceulemans <wim.ceulemans@able.be>,
Netfilter Mailing List <netfilter@lists.netfilter.org>,
pieter@able.be
Subject: Re: Routing decision?
Date: 15 Sep 2003 17:03:11 +0200
Message-ID: <1063638190.31314.118.camel@raylinux.internal>
In-Reply-To: <1063634445.930.102.camel@elendil.intranet.cartel-securite.net>
On Mon, 2003-09-15 at 16:00, Cedric Blancher wrote:
> On Mon 15/09/2003 at 15:46, Ray Leach wrote:
> > My firewall machine currently has 5 NICs, each with their own ip (one
> > has a public ip - eth0)
> > eth0 has the public ip. It also has 10 alias ips.
> > eth1 has a private ip of 192.168.1.1.
> > eth1 network is my dmz with all the web servers from 192.168.1.165 to
> > 192.168.1.173.
> > If I want to DNAT incoming traffic destined to one of the aliases bound
> > to interface eth0 to a server in the dmz - eth1 192.168.1.165 (for
> > example), then I need:
> > - a PREROUTING DNAT rule
> > - a FORWARD rule for each direction (eth0 -> eth1 and eth1 -> eth0)
> > - and an INPUT rule for the eth0 alias ip.
> > Does that make sense?
>
> Not to me. Supposing the alias is set up (using iproute or ifconfig) I would
> do this (and I think you did this):
>
> iptables -t nat -A PREROUTING -d $ALIAS -i eth0 -j DNAT \
> --to 192.168.1.165
> iptables -A FORWARD -d 192.168.1.165 -i eth0 -o eth1 -j ACCEPT
> iptables -A FORWARD -s 192.168.1.165 -i eth1 -o eth0 -j ACCEPT
>
> And that's all to set a DNAT for incoming packets.
>
> > If I remove the INPUT rule, my DNAT does not work, the packets get sent
> > to the OUTPUT chain ...
>
> What is the INPUT rule? Once your packet gets DNATed in PREROUTING, it
> is not sent to NF_IP_LOCAL_IN, but to NF_IP_FORWARD. Thus, it does not
> cross filter table INPUT chain. If packets go through INPUT chain, that
> means they're still destined to the alias IP, so that the DNAT rule did
> not match them.
> And I do not see how packets could go to OUTPUT chain as they're
> supposed to get routed, not locally generated... The only case I see is
> REDIRECT target use on a local proxy, so packets go through INPUT, then
> proxy reply sent through OUTPUT chain.
Now that's a possibility! I didn't even think of that. I do have a
transparent squid proxy running on that machine.
I suppose I was watching the traffic going through the proxy (probably
because I was testing from a local machine).
Thanks
>
> I'm a bit lost on this one.
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
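The chain traversal Cedric describes, as an added example that is not part of the thread: a small Python model of the nat PREROUTING step, the routing decision, and the hook each outcome lands in. The addresses (203.0.113.10 as the eth0 alias, 198.51.100.7 as an outside client, 192.168.1.50 as a LAN host) and the proxy port 3128 are constructed assumptions, not values from the thread.

```python
from dataclasses import dataclass, replace

# Constructed addresses for the thread's layout: a public alias on eth0,
# the DMZ on eth1. These are assumptions, not values from the thread.
IF_ADDR = {"eth0": "203.0.113.10", "eth1": "192.168.1.1"}
LOCAL_IPS = set(IF_ADDR.values())
DMZ_PREFIX = "192.168.1."

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iif: str  # interface the packet arrived on

# nat PREROUTING chain, checked in order: (match, target, argument).
# Rule 1 is Cedric's DNAT to the DMZ web server; rule 2 is a transparent
# proxy REDIRECT for LAN clients (assumed squid port 3128).
NAT_PREROUTING = [
    (lambda p: p.iif == "eth0" and p.dst == IF_ADDR["eth0"] and p.dport == 80,
     "DNAT", "192.168.1.165"),
    (lambda p: p.iif == "eth1" and p.dport == 80, "REDIRECT", 3128),
]

def route(dst):
    """Routing decision after PREROUTING: local delivery or an output interface."""
    if dst in LOCAL_IPS:
        return "local"
    return "eth1" if dst.startswith(DMZ_PREFIX) else "eth0"

def traverse(pkt):
    """Return the chains the packet (and a local proxy's reply) crosses."""
    path = ["nat:PREROUTING"]
    for match, target, arg in NAT_PREROUTING:
        if match(pkt):
            if target == "DNAT":
                pkt = replace(pkt, dst=arg)
            else:  # REDIRECT: rewrite to the primary address of the incoming interface
                pkt = replace(pkt, dst=IF_ADDR[pkt.iif], dport=arg)
            break  # first matching nat rule decides the mapping for this connection
    nexthop = route(pkt.dst)
    if nexthop == "local":
        # NF_IP_LOCAL_IN: INPUT; the proxy's answer is locally generated,
        # so it leaves through OUTPUT, never FORWARD.
        path += ["filter:INPUT", "proxy", "filter:OUTPUT", "nat:POSTROUTING"]
    else:
        # NF_IP_FORWARD: FORWARD then POSTROUTING; INPUT is never consulted.
        path += ["filter:FORWARD", "nat:POSTROUTING->" + nexthop]
    return path
```

A packet to the alias that matches no nat rule (wrong port, for instance) stays addressed to the local alias and therefore shows up in INPUT, which is the symptom Cedric points to when the DNAT rule is not matching.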