* FORWARDING and NAT chains
From: Srinivasa Hebbar @ 2004-01-29 14:02 UTC (permalink / raw)
To: netfilter; +Cc: shebbar
Hello,
I believe that the NAT PREROUTING and POSTROUTING will
always take place for all the incoming/outgoing packets
irrespective of whether the packet is destined to the node or not.
I have a situation that if the dest. IP address of the packet is
for the local node, then apply NAT rule, otherwise it should simply
forward the packet according to the routing table.
How can I achieve the above?
Any help is very much appreciated.
Regards,
S. Hebbar.
* Re: FORWARDING and NAT chains
From: Ray Leach @ 2004-01-30 5:50 UTC (permalink / raw)
To: Netfilter Mailing List
On Thu, 2004-01-29 at 16:02, Srinivasa Hebbar wrote:
> Hello,
>
> I believe that the NAT PREROUTING and POSTROUTING will
> always take place for all the incoming/outgoing packets
> irrespective of whether the packet is destined to the node or not.
>
> I have a situation that if the dest. IP address of the packet is
> for the local node, then apply NAT rule, otherwise it should simply
> forward the packet according to the routing table.
>
> How can I achieve the above?
>
Use the INPUT chain of the nat table.
> Any help is very much appreciated.
>
> Regards,
> S. Hebbar.
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
* Re: FORWARDING and NAT chains
From: Antony Stone @ 2004-01-30 10:23 UTC (permalink / raw)
To: Netfilter Mailing List
On Friday 30 January 2004 5:50 am, Ray Leach wrote:
> On Thu, 2004-01-29 at 16:02, Srinivasa Hebbar wrote:
> > Hello,
> >
> > I believe that the NAT PREROUTING and POSTROUTING will
> > always take place for all the incoming/outgoing packets
> > irrespective of whether the packet is destined to the node or not.
> >
> > I have a situation that if the dest. IP address of the packet is
> > for the local node, then apply NAT rule, otherwise it should simply
> > forward the packet according to the routing table.
> >
> > How can I achieve the above?
>
> Use the INPUT chain of the nat table.
What does this mean? nat can be done in PREROUTING or POSTROUTING (as
Srinivasa correctly said). You cannot do nat in INPUT.
Antony.
--
Anything that improbable is effectively impossible.
- Murray Gell-Mann, Nobel Prizewinner in Physics
Please reply to the list;
please don't CC me.
* Re: FORWARDING and NAT chains
From: Antony Stone @ 2004-01-30 10:25 UTC (permalink / raw)
To: netfilter
On Thursday 29 January 2004 2:02 pm, Srinivasa Hebbar wrote:
> Hello,
>
> I believe that the NAT PREROUTING and POSTROUTING will
> always take place for all the incoming/outgoing packets
> irrespective of whether the packet is destined to the node or not.
>
> I have a situation that if the dest. IP address of the packet is
> for the local node, then apply NAT rule, otherwise it should simply
> forward the packet according to the routing table.
>
> How can I achieve the above?
Place the destination address in the nat rule, eg:
iptables -A PREROUTING -t nat -d ! my.ip.add.ress -j DNAT --to a.b.c.d
This means "destination nat all packets which are not addressed to
my.ip.add.ress and send them to a.b.c.d".
Regards,
Antony.
--
"The joy of X!!?? I've always hated compiling graphical shite. You have a 10
line program, and it ends up depending on the entire known universe."
- Philip Hands
Please reply to the list;
please don't CC me.
* Re: FORWARDING and NAT chains
From: John A. Sullivan III @ 2004-01-30 12:23 UTC (permalink / raw)
To: Antony Stone; +Cc: netfilter
On Fri, 2004-01-30 at 05:25, Antony Stone wrote:
> On Thursday 29 January 2004 2:02 pm, Srinivasa Hebbar wrote:
>
> > Hello,
> >
> > I believe that the NAT PREROUTING and POSTROUTING will
> > always take place for all the incoming/outgoing packets
> > irrespective of whether the packet is destined to the node or not.
> >
> > I have a situation that if the dest. IP address of the packet is
> > for the local node, then apply NAT rule, otherwise it should simply
> > forward the packet according to the routing table.
> >
> > How can I achieve the above?
>
> Place the destination address in the nat rule, eg:
>
> iptables -A PREROUTING -t nat -d ! my.ip.add.ress -j DNAT --to a.b.c.d
>
> This means "destination nat all packets which are not addressed to
> my.ip.add.ress and send them to a.b.c.d".
>
> Regards,
>
> Antony.
This is true but she went on to state in a later e-mail that she has
many interfaces and needs to exclude two. That's a gnarly problem I've
run into many times with the limitation of only being able to specify a
single address/subnet (or a contiguous range with iprange) in
destination and source.
I suggested using a RETURN target to bypass processing for the two
excluded interfaces although I was surprised to not find RETURN in my
man page. I hope I wasn't having a premature senior moment when I
recalled the RETURN target! Thanks - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
* Re: FORWARDING and NAT chains
From: Antony Stone @ 2004-01-30 12:36 UTC (permalink / raw)
To: netfilter
On Friday 30 January 2004 12:23 pm, John A. Sullivan III wrote:
> On Fri, 2004-01-30 at 05:25, Antony Stone wrote:
> >
> > Place the destination address in the nat rule, eg:
> >
> > iptables -A PREROUTING -t nat -d ! my.ip.add.ress -j DNAT --to a.b.c.d
> >
> > This means "destination nat all packets which are not addressed to
> > my.ip.add.ress and send them to a.b.c.d".
>
> This is true but she went on to state in a later e-mail that she has
> many interfaces and needs to exclude two. That's a gnarly problem I've
> run into many times with the limitation of only being able to specify a
> single address/subnet (or a contiguous range with iprange) in
> destination and source.
>
> I suggested using a RETURN target to bypass processing for the two
> excluded interfaces although I was surprised to not find RETURN in my
> man page. I hope I wasn't having a premature senior moment when I
> recalled the RETURN target! Thanks - John
Oh, okay - try using ACCEPT in the nat table to stop packets continuing to
later rules.
RETURN is only valid for user-defined chains (I think).
Regards,
Antony.
--
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.
- William Gibson, Neuromancer (1984)
Please reply to the list;
please don't CC me.
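
Added example, not part of any message in this thread: a ruleset generator that extends the single-address DNAT rule quoted above to several exempt destination addresses, once with RETURN in a user-defined chain and once with ACCEPT ahead of the DNAT rule. The function names, the chain name DNAT_EXCEPT and all addresses are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Addresses are constructed (RFC 5737);
# the chain name DNAT_EXCEPT and both function names are hypothetical.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_nat_rules MODE TARGET EXCLUDED...
#   return: exemptions are RETURN rules in a user-defined chain
#   accept: exemptions are ACCEPT rules ahead of the DNAT rule in PREROUTING
# Prints an iptables-restore ruleset for the nat table; returns 1 on bad input.
gen_nat_rules() {
    [ "$#" -ge 2 ] || return 1
    mode=$1; target=$2; shift 2
    case "$mode" in
        return) chain=DNAT_EXCEPT; verdict=RETURN ;;
        accept) chain=PREROUTING; verdict=ACCEPT ;;
        *) echo "bad mode: $mode" >&2; return 1 ;;
    esac
    for addr in "$target" "$@"; do
        is_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
    done
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    if [ "$mode" = return ]; then
        printf '%s\n' ":$chain - [0:0]" "-A PREROUTING -j $chain"
    fi
    for addr in "$@"; do   # exemptions first: the first matching rule wins
        echo "-A $chain -d $addr/32 -j $verdict"
    done
    echo "-A $chain -j DNAT --to-destination $target"
    echo "COMMIT"
}

# Constructed sample: exempt two local addresses, DNAT everything else.
gen_nat_rules return 192.0.2.10 198.51.100.1 203.0.113.1
```

Piping the output to iptables-restore --test parses the rules without committing them; a real load without --noflush replaces the existing nat table.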