Is it possible to forward broadcasting with IPtables?

Is it possible to forward broadcasting with IPtables?

[Younger Wang]

Hi All,

I am seeking a way to forward WINs broadcast. 

Is it possible to be done with iptables? If not, is there a standard way
to do broadcast forwarding?

Thank you!

BR
Younger Wang

Re: Is it possible to forward broadcasting with IPtables?

[Antony Stone]

On Wednesday 07 April 2004 7:38 am, Younger Wang wrote:

> Hi All,
>
> I am seeking a way to forward WINs broadcast.

Use a WINS server.   That will forward peer discovery requests to other 
subnets.   Samba will do the job nicely.

> Is it possible to be done with iptables? If not, is there a standard way
> to do broadcast forwarding?

There is no way to generically forward network broadcasts, otherwise the 
entire Internet would get flooded with them.   Broadcasts are designed to 
reach every machine on a local subnet, and no others.

Regards,

Antony.

-- 
This email is intended for the use of the individual addressee(s) named above 
and may contain information that is confidential, privileged or unsuitable 
for overly sensitive persons with low self-esteem, no sense of humour, or 
irrational religious beliefs.

If you have received this email in error, you are required to shred it 
immediately, add some nutmeg, three egg whites and a dessertspoonful of 
caster sugar.   Whisk until soft peaks form, then place in a warm oven for 40 
minutes.   Remove promptly and let stand for 2 hours before adding some 
decorative kiwi fruit and cream.   Then notify me immediately by return email 
and eat the original message.

                                                     Please reply to the list;
                                                           please don't CC me.

RE: Is it possible to forward broadcasting with IPtables?

[Younger Wang]

If the broadcast packets traverse the chains, they should be put to
INPUT chain. Is there a way to transfer a packet from INPUT chain to
FORWARD chain?  

Even though broadcast is not expected to go beyond router, forwarding
certain broadcast packets can be very useful in many scenarios. 

BR
Younger Wang

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Antony Stone
Sent: Wednesday, April 07, 2004 5:41 PM
To: netfilter@lists.netfilter.org
Subject: Re: Is it possible to forward broadcasting with IPtables?

On Wednesday 07 April 2004 7:38 am, Younger Wang wrote:

> Hi All,
>
> I am seeking a way to forward WINs broadcast.

Use a WINS server.   That will forward peer discovery requests to other 
subnets.   Samba will do the job nicely.

> Is it possible to be done with iptables? If not, is there a standard
way
> to do broadcast forwarding?

There is no way to generically forward network broadcasts, otherwise the

entire Internet would get flooded with them.   Broadcasts are designed
to 
reach every machine on a local subnet, and no others.

Regards,

Antony.

-- 
This email is intended for the use of the individual addressee(s) named
above 
and may contain information that is confidential, privileged or
unsuitable 
for overly sensitive persons with low self-esteem, no sense of humour,
or 
irrational religious beliefs.

If you have received this email in error, you are required to shred it 
immediately, add some nutmeg, three egg whites and a dessertspoonful of 
caster sugar.   Whisk until soft peaks form, then place in a warm oven
for 40 
minutes.   Remove promptly and let stand for 2 hours before adding some 
decorative kiwi fruit and cream.   Then notify me immediately by return
email 
and eat the original message.

                                                     Please reply to the
list;
                                                           please don't
CC me.

Re: Is it possible to forward broadcasting with IPtables?

[Antony Stone]

On Wednesday 07 April 2004 12:07 pm, Younger Wang wrote:

> If the broadcast packets traverse the chains, they should be put to
> INPUT chain. Is there a way to transfer a packet from INPUT chain to
> FORWARD chain?

DNAT in PREROUTING?

In theory this would do what you want, however I'm sure it won't work.

Regards,

Antony.

-- 
The idea that Bill Gates appeared like a knight in shining armour to lead all 
customers out of a mire of technological chaos neatly ignores the fact that 
it was he who, by peddling second-rate technology, led them into it in the 
first place.

 - Douglas Adams in The Guardian, 25th August 1995

                                                     Please reply to the list;
                                                           please don't CC me.

RE: Is it possible to forward broadcasting with IPtables?

[Younger Wang]

I tried DNAT in PREROUTING. 

Take an example: 
The broadcasting is send from 10.0.0.22/24 to 10.0.0.255/24. I want the
router( 10.0.0.1, 192.168.0.1 ) to forward it as from 10.0.0.22/24 to
192.168.0.255/24. 

I added:
Iptables -t nat -A PREROUTING -p udp -d 10.0.0.255 --dport 137 -j DNAT
--to-destination 192.168.0.255

The result is: 10.0.0.22-->10.0.0.255 was changed to
10.0.0.22-->192.168.0.255 in PREROUTING. Later on, in routing decision,
it's still put to the INPUT chain because the router also listens to
192.168.0.255. That's the reason why DNAT in PREROUTING does not work
and why I want to transfer the packet from INPUT chain to forward chain.


BR
Younger Wang

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Antony Stone
Sent: Wednesday, April 07, 2004 7:15 PM
To: netfilter@lists.netfilter.org
Subject: Re: Is it possible to forward broadcasting with IPtables?

On Wednesday 07 April 2004 12:07 pm, Younger Wang wrote:

> If the broadcast packets traverse the chains, they should be put to
> INPUT chain. Is there a way to transfer a packet from INPUT chain to
> FORWARD chain?

DNAT in PREROUTING?

In theory this would do what you want, however I'm sure it won't work.

Regards,

Antony.

-- 
The idea that Bill Gates appeared like a knight in shining armour to
lead all 
customers out of a mire of technological chaos neatly ignores the fact
that 
it was he who, by peddling second-rate technology, led them into it in
the 
first place.

 - Douglas Adams in The Guardian, 25th August 1995

                                                     Please reply to the
list;
                                                           please don't
CC me.

RE: Is it possible to forward broadcasting with IPtables?

[John A. Sullivan III]

I've neither tried it nor thought it through but would the NAT
capabilities of iproute2 help here? Will iproute2 change the address
before Netfilter makes a decision of which filter table chain to use? -
John

On Wed, 2004-04-07 at 11:19, Younger Wang wrote:
> I tried DNAT in PREROUTING. 
> 
> Take an example: 
> The broadcasting is send from 10.0.0.22/24 to 10.0.0.255/24. I want the
> router( 10.0.0.1, 192.168.0.1 ) to forward it as from 10.0.0.22/24 to
> 192.168.0.255/24. 
> 
> I added:
> Iptables -t nat -A PREROUTING -p udp -d 10.0.0.255 --dport 137 -j DNAT
> --to-destination 192.168.0.255
> 
> The result is: 10.0.0.22-->10.0.0.255 was changed to
> 10.0.0.22-->192.168.0.255 in PREROUTING. Later on, in routing decision,
> it's still put to the INPUT chain because the router also listens to
> 192.168.0.255. That's the reason why DNAT in PREROUTING does not work
> and why I want to transfer the packet from INPUT chain to forward chain.
> 
> 
> BR
> Younger Wang
> 
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Antony Stone
> Sent: Wednesday, April 07, 2004 7:15 PM
> To: netfilter@lists.netfilter.org
> Subject: Re: Is it possible to forward broadcasting with IPtables?
> 
> On Wednesday 07 April 2004 12:07 pm, Younger Wang wrote:
> 
> > If the broadcast packets traverse the chains, they should be put to
> > INPUT chain. Is there a way to transfer a packet from INPUT chain to
> > FORWARD chain?
> 
> DNAT in PREROUTING?
> 
> In theory this would do what you want, however I'm sure it won't work.
> 
> Regards,
> 
> Antony.
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com