From: Athan <netfilter@miggy.org>
To: Katriel Traum <katriel@traum.org.il>
Cc: netfilter@lists.netfilter.org
Subject: Re: DNAT/MASQ Precedence
Date: Fri, 31 Jan 2003 10:14:20 +0000
Message-ID: <20030131101420.GU11221@miggy.org>
In-Reply-To: <200301310958.38656.katriel@traum.org.il>
On Fri, Jan 31, 2003 at 09:58:35AM +0000, Katriel Traum wrote:
> On Thursday 30 January 2003 19:34, Athan wrote:
> > On Thu, Jan 30, 2003 at 07:31:38PM +0000, Katriel Traum wrote:
> > > I want to redirect _all_ traffic into the DMZ (is that even possible?)
> > > and at the same time MASQ the LAN. The question is will they collide? If
> > > I use a ruleset such as:
> > > iptables -A PREROUTING -i $INET_IF -j DNAT --to-destination $DMZ_IP
> > > iptables -A POSTROUTING -o $INET_IF -j MASQUERADE
> > > (yes, there's only one computer in the DMZ)
> > >
> > > Will I get return traffic into my lan? won't it be DNATed into the DMZ?
> >
> > You need at least one public IP that is *NOT* in the DMZ. Then change
> > the DMZ rule to exclude on this:
> >
> > iptables -A PREROUTING -i $INET_IF -d ! <not-DMZ IP> -j DNAT
> > --to-destination $DMZ_IP
>
> Well, the problem is I have 1 public IP via a cable modem.
> So I ask again, if I DNAT everything into the DMZ lan, and try to MASQ my
> private lan, will I even get return traffic?
That would be a problem, yes, as the PREROUTING gets done before the
POSTROUTING and will change the packets prior to the routing decision.
You may be able to get away with reserving a range of ports to be used
with SNAT though as the --to-source argument can take a range of port
numbers.
iptables -A PREROUTING -i $INET_IF -p tcp --dport ! port1:port2 -j DNAT --to-destination $IP
iptables -A POSTROUTING -o $INET_IF -s <LAN network> -j SNAT --to-source $IP:port1-port2
Note that the DNAT rule DOES now mention the protocol explicitly; it has to
for --dport to be valid. Duplicate the line with "-p udp" if you also
need UDP to be working.
For non-UDP/TCP (i.e. ICMP) to work correctly you have to hope a few
rules with the appropriate -m state will do the right thing. AIUI they
should, as how they treat things should be based on the connection
tracking table.
HTH,
-Ath
--
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
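An added model (not code from the thread or from netfilter) of the behaviour the reserved-port-range ruleset above relies on: the nat table is consulted only for a connection's first packet, and replies are translated by reversing the conntrack entry. All interface names, addresses and the port range are constructed; the fourth scenario shows the caveat that a DMZ service listening on a reserved port is no longer reachable from outside.

```python
# Constructed topology: eth0 = $INET_IF, eth1 = LAN, eth2 = DMZ (assumed names).
INET_IF, LAN_IF, DMZ_IF = "eth0", "eth1", "eth2"
PUBLIC_IP, DMZ_IP, LAN_NET = "203.0.113.5", "192.168.2.10", "192.168.1."
PORT1, PORT2 = 40000, 41000          # port1:port2 reserved for SNAT of the LAN

class Nat:
    def __init__(self):
        self.conntrack = {}          # reply tuple as seen on $INET_IF -> (lan_ip, lan_port)
        self.next_port = PORT1

    def prerouting(self, iface, proto, src, sport, dst, dport):
        if iface != INET_IF:         # DNAT rule has -i $INET_IF
            return dst, dport
        hit = self.conntrack.get((src, sport, dst, dport))
        if hit:                      # reply of an SNATed LAN flow: undo SNAT, nat table skipped
            return hit
        if proto in ("tcp", "udp") and not PORT1 <= dport <= PORT2:
            return DMZ_IP, dport     # -p tcp/udp --dport ! port1:port2 -j DNAT --to $DMZ_IP
        return dst, dport            # reserved port with no state: stays on the firewall

    @staticmethod
    def route(dst):                  # routing decision, taken after PREROUTING
        if dst == PUBLIC_IP:
            return "local"
        if dst == DMZ_IP:
            return DMZ_IF
        return LAN_IF if dst.startswith(LAN_NET) else INET_IF

    def postrouting(self, iface, src, sport, dst, dport):
        if iface != INET_IF or not src.startswith(LAN_NET):
            return src, sport
        if self.next_port > PORT2:   # the range is the whole LAN's port budget
            raise RuntimeError("reserved SNAT port range exhausted")
        port, self.next_port = self.next_port, self.next_port + 1
        self.conntrack[(dst, dport, PUBLIC_IP, port)] = (src, sport)
        return PUBLIC_IP, port       # -s <LAN> -j SNAT --to-source $IP:port1-port2

    def forward(self, iface, proto, src, sport, dst, dport):
        dst, dport = self.prerouting(iface, proto, src, sport, dst, dport)
        out = self.route(dst)
        if out != "local":
            src, sport = self.postrouting(out, src, sport, dst, dport)
        return out, (src, sport, dst, dport)

def demo():
    nat = Nat()
    return [
        nat.forward(LAN_IF, "tcp", "192.168.1.20", 5555, "198.51.100.7", 80),  # LAN out, SNATed
        nat.forward(INET_IF, "tcp", "198.51.100.7", 80, PUBLIC_IP, 40000),    # its reply -> LAN
        nat.forward(INET_IF, "tcp", "198.51.100.9", 3333, PUBLIC_IP, 80),     # new flow -> DMZ
        nat.forward(INET_IF, "tcp", "198.51.100.9", 4444, PUBLIC_IP, 40500),  # reserved: not DNATed
    ]
```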