Re: HOW TRAVERSING CHAIN IN SNAT/DNAT

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Joel Newkirk <netfilter@newkirk.us>
To: Blizzards <blizzards@libero.it>, netfilter@lists.netfilter.org
Subject: Re: HOW TRAVERSING CHAIN IN SNAT/DNAT
Date: Fri, 6 Dec 2002 16:58:13 -0500	[thread overview]
Message-ID: <200212061658.13173.netfilter@newkirk.us> (raw)
In-Reply-To: <3DF06888.10403@libero.it>

On Friday 06 December 2002 04:06 am, Blizzards (Giulius) wrote:

> I need to filter packet coming from eth1 (external lan) directed to
> eth0 (internal lan).
> Packet for internal lan must be SNAT to reach external lan.
> In this enviroment filter table see packets traversing FORWARD chain
> as normal source and destination and i let it pass.
> SNAT change source address with nat address indicated (3 ip address
> configured on the box as alias of eth1) and then send packets.
> When packets return as reply to my natted connection, the chain/chains
> involved are:
>
> only input ?
> input and forward ?
> only forward?

Only FORWARD, as long as SNAT is working properly.  If these packets 
reach INPUT there is a problem.  Incoming packets, regardless of source, 
will end up at one of two destinations - either INPUT or 
FORWARD->POSTROUTING->out an interface.  (assuming no rule stops them 
along the way, like a match to a rule that DROPs or REJECTs them)  If 
they are replies to a packet that was SNATted when it was outbound, then 
they are automatically unSNATted, with the destination IP changed from 
the public IP they came in for (the source the request was SNATted to) 
to the actual IP on the internal network that the request came from, the 
original source IP of the request.

> Someone can explain me this in detail?

In more detail, and disregarding mangle table chains (not important to 
the discussion):

Packet comes in eth0 to nat-PREROUTING from internal network with a 
destination IP outside the internal network, where it is recognized as a 
packet to be forwarded, rather than input to the firewall box itself.  
It is sent to the filter-FORWARD chain, and from there (if it is 
ACCEPTed) goes on the nat-POSTROUTING and is SNATted and sent out the 
appropriate interface, eth1 in this case.  Reply packets come in eth1 
ALSO to nat-PREROUTING, where they are automatically un-SNATted 
(changing the destination IP of the reply packets to the actual 
destination, IE the source IP of the request packet) and from there they 
again go to filter-FORWARD then nat-POSTROUTING and out the appropriate 
interface, which will be eth0 based on the destination IP.

INPUT and OUTPUT chains of the filter table should only see packets 
to/from the firewall box itself, as long as NAT and routing setup are 
correct.  FORWARD chain of the filter table will see forwarded packets 
in every direction, regardless of source and destination.  

When the outbound packets reach FORWARD they have 'real' source IP and 
correct destination IP, since SNAT is done in a later step.  Returning 
packets will also have 'real' destination IP and correct source IP, 
since the SNAT is undone before they reach FORWARD.

If the connection _originates_ from the external network, and the 
internal network is 'hidden' behind one of the IPs of eth1 (usually the 
purpose of SNAT), then they can only be validly addressed to one of 
those IPs, and will normally be routed to INPUT since they are addressed 
to an IP of the firewall box itself.  If you need to overcome this for 
some reason you will need to DNAT in nat-PREROUTING to catch these 
incoming packets and change their destination IPs to the appropriate IP 
on the internal LAN, after which they will go through filter-FORWARD, 
since the routing decision will now see that they are not destined for 
the local box.

If the connection originates from the external network, addressed 
directly to the true IP of a machine on the internal network then they 
will by default go to filter-FORWARD anyway, since the destination IP is 
recognized as being on the local LAN and not the firewall box.  If the 
external network is the internet this shouldn't be the case, since the 
local LAN machines should all have IPs in a private range that isn't 
routable on the internet.  However, you phrased your question as 
"external LAN", so I presume you are set up between two LANs, where it 
may be possible for the external LAN to originate a packet addressed 
directly to an IP on the internal LAN, and use the firewall box as a 
router to reach that IP.

> Giulius

j

     prev parent reply	other threads:[~2002-12-06 21:58 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2002-12-06  9:06 HOW TRAVERSING CHAIN IN SNAT/DNAT Blizzards
2002-12-06 21:58 ` Joel Newkirk [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200212061658.13173.netfilter@newkirk.us \
    --to=netfilter@newkirk.us \
    --cc=blizzards@libero.it \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.