From: Katriel Traum <katriel@traum.org.il>
To: Athan <netfilter@miggy.org>
Cc: netfilter@lists.netfilter.org
Subject: Re: DNAT/MASQ Precedence
Date: Fri, 31 Jan 2003 13:14:06 +0000
Message-ID: <200301311314.06777.katriel@traum.org.il>
In-Reply-To: <20030131101420.GU11221@miggy.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 31 January 2003 10:14, Athan wrote:
> On Fri, Jan 31, 2003 at 09:58:35AM +0000, Katriel Traum wrote:
> > On Thursday 30 January 2003 19:34, Athan wrote:
> > > On Thu, Jan 30, 2003 at 07:31:38PM +0000, Katriel Traum wrote:
> > > > I want to redirect _all_ traffic into the DMZ (is that even
> > > > possible?) and in the same time MASQ the LAN. The question is will
> > > > they collide? If I use a ruleset such as:
> > > > iptables -A PREROUTING -i $INET_IF -j DNAT --to-destination $DMZ_IP
> > > > iptables -A POSTROUTING -o $INET_IF -j MASQUERADE
> > > > (yes, there's only one computer in the DMZ)
> > > >
> > > > Will I get return traffic into my lan? won't it be DNATed into the
> > > > DMZ?
> > >
> > >   You need at least one public IP that is *NOT* in the DMZ.  Then
> > > change the DMZ rule to exclude on this:
> > >
> > > iptables -A PREROUTING -i $INET_IF -d ! <not-DMZ IP> -j DNAT
> > > --to-destination $DMZ_IP
> >
> > Well, the problem is I have 1 public IP via a cable modem.
> > So I ask again, if I DNAT everything into the DMZ lan, and try to MASQ my
> > private lan, will I even get return traffic?
>
>   That would be a problem yes, as the PREROUTING gets done before the
> POSTROUTING and will change the packets prior to the routing decision.
> You may be able to get away with reserving a range of ports to be used
> with SNAT though as the --to-source argument can take a range of port
> numbers.
>
> 	iptables -A PREROUTING -i $INET_IF -p tcp --dport ! port1:port2 -j DNAT
> --to-destination $IP
>
> 	iptables -A POSTROUTING -o $INET_IF -s <LAN network> -j SNAT --to-source
> $IP:port1-port2
>
> Note that the DNAT rule DOES now mention protocol explicitly, it has to
> for --dport to be valid.  Duplicate the line with "-p udp" if you also
> need UDP to be working.
>   For non UDP/TCP (i.e. ICMP) to work correctly you have to hope a few
> rules with the appropriate -m state will do the right thing.  AIUI they
> should as how they treat things should be based on the connection
> tracking table.
Okay, sounds good, so say I want to save 2000 SNAT ports (I don't think
I'll have 2000 sockets open at the same time). Here's the ruleset I should use:

# PREROUTING/POSTROUTING live in the nat table, so -t nat is required
iptables -t nat -A PREROUTING -i $INET_IF -p tcp --dport ! 60000:62000 -j DNAT \
  --to-destination $DMZ_IP
iptables -t nat -A PREROUTING -i $INET_IF -p udp --dport ! 60000:62000 -j DNAT \
  --to-destination $DMZ_IP

# -i is not a valid match in POSTROUTING; select the LAN by source network
# instead, as in the quoted SNAT rule (LAN_NET e.g. 192.168.1.0/24)
iptables -t nat -A POSTROUTING -o $INET_IF -s $LAN_NET -j SNAT --to-source \
  $INET_IP:60000-62000

As for ICMP, I didn't quite understand you. Can you elaborate?

Thanks!
>
> -Ath

-- 
+katriel                                                כתריאל+
pgp key: traum.org.il/gpg.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+OnaeDWy+Hv/461sRAltIAKCU6yz8Skmcl20bHgnv9aPGOj8PlACdEM3r
KxSFqh3zQlw1guKUYi5poxE=
=saOz
-----END PGP SIGNATURE-----
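To make the ordering Athan describes concrete (PREROUTING DNAT before the routing decision, POSTROUTING SNAT after it, and return traffic handled by the connection tracking table rather than by the nat rules), here is an added Python model of the ruleset in this message. It is illustration code written for this page, not part of the thread or of netfilter; the interface names, addresses and the 5-tuple conntrack are constructed simplifications, and the one netfilter property it encodes is that the nat table is consulted only for the first packet of each connection.

```python
from dataclasses import dataclass, replace

# Constructed stand-ins for the thread's $INET_IF, $LAN_IF, $DMZ_IP, $INET_IP
# and the LAN network; the addresses are documentation ranges, not real hosts.
INET_IF, LAN_IF, DMZ_IF = "eth0", "eth1", "eth2"
INET_IP = "203.0.113.10"            # the single public address
DMZ_IP = "192.168.2.2"              # the one host in the DMZ
LAN_NET = "192.168.1."              # stands in for -s 192.168.1.0/24
SNAT_PORTS = range(60000, 62001)    # range reserved for the LAN's SNAT in the message


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        # the 5-tuple conntrack looks up; the interface is not part of it
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reply(self, iface):
        # the packet a peer would send back in answer to this one
        return Packet(iface, self.proto, self.dst, self.dport, self.src, self.sport)


class NatBox:
    """Simplified netfilter NAT: the nat table is consulted only for the first
    packet of a connection; conntrack then applies the stored mapping (or its
    reverse) to every later packet of that connection, replies included."""

    def __init__(self):
        self.conntrack = {}             # 5-tuple as received -> packet as it leaves
        self.free_ports = iter(SNAT_PORTS)

    # PREROUTING -i $INET_IF -p tcp/udp --dport ! 60000:62000 -j DNAT --to-destination $DMZ_IP
    def prerouting(self, p):
        if p.iface == INET_IF and p.proto in ("tcp", "udp") and p.dport not in SNAT_PORTS:
            return replace(p, dst=DMZ_IP)
        return p

    def route(self, p):
        if p.dst.startswith(LAN_NET):
            return LAN_IF
        if p.dst == DMZ_IP:
            return DMZ_IF
        if p.dst == INET_IP:
            return "local"
        return INET_IF

    # POSTROUTING -o $INET_IF -s $LAN_NET -j SNAT --to-source $INET_IP:60000-62000
    def postrouting(self, p, out_if):
        if out_if == INET_IF and p.src.startswith(LAN_NET):
            return replace(p, src=INET_IP, sport=next(self.free_ports))
        return p

    def handle(self, p):
        """Return (packet as it leaves, exit interface, nat table consulted?)."""
        if p.key() in self.conntrack:                # established: no rule lookup at all
            out = self.conntrack[p.key()]
            return out, self.route(out), False
        out = self.prerouting(p)                     # DNAT before the routing decision ...
        out_if = self.route(out)
        out = self.postrouting(out, out_if)          # ... SNAT after it
        self.conntrack[p.key()] = out
        # store the reverse direction too, so the reply is un-NATed by conntrack alone
        self.conntrack[out.reply(out_if).key()] = p.reply(p.iface)
        return out, out_if, True


def trace():
    """Walk the cases raised in the thread: (5-tuple on exit, exit interface, nat consulted?)."""
    box = NatBox()
    seen = {}

    def step(name, pkt):
        out, out_if, consulted = box.handle(pkt)
        seen[name] = (out.key(), out_if, consulted)
        return out

    # 1. LAN host connects out: SNAT'd to the public address, port from the reserved range
    out = step("lan_out", Packet(LAN_IF, "tcp", "192.168.1.20", 5000, "198.51.100.5", 80))
    # 2. its reply arrives on $INET_IF: conntrack reverses the SNAT, the DNAT rule is never seen
    step("lan_reply", Packet(INET_IF, "tcp", "198.51.100.5", 80, INET_IP, out.sport))
    # 3. fresh inbound connection to port 80: DNAT'd into the DMZ
    step("inet_new_80", Packet(INET_IF, "tcp", "198.51.100.5", 4321, INET_IP, 80))
    # 4. the DMZ host's reply: conntrack restores the public address as source
    step("dmz_reply", Packet(DMZ_IF, "tcp", DMZ_IP, 80, "198.51.100.5", 4321))
    # 5. fresh inbound packet to a reserved port: excluded from DNAT, stays on the gateway
    step("inet_new_reserved", Packet(INET_IF, "tcp", "198.51.100.5", 9999, INET_IP, 60005))
    # 6. inbound ICMP: the DNAT rules are tcp/udp only, so it is not redirected either
    step("inet_icmp", Packet(INET_IF, "icmp", "198.51.100.5", 0, INET_IP, 0))
    return seen
```

Running `trace()` shows the answer to the question in this message: the LAN's return traffic never reaches the DNAT rule, because the SNAT mapping is reversed by conntrack before any nat chain is consulted, and the reserved port range only matters for packets that start a new connection. The model does not age out conntrack entries and treats ICMP as having no ports, which is enough for the cases above but not a substitute for testing the real rules.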


