From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: How multiple PCs on private LAN possible if incoming is DNAT'd to *same* server *always*?
Date: Thu, 3 Feb 2005 12:35:06 -0500
Message-ID: <20050203173506.GA4619@bender.817west.com>
In-Reply-To: <20050203172500.GB29677@spawar.navy.mil>

On Thu, Feb 03, 2005 at 09:25:00AM -0800, seberino@spawar.navy.mil wrote:
> I got an iptables script for a NAT-ing firewall that
> forwards packets between Internet and a private LAN.
> 
> All incoming packets are destination NAT'd to end up
> at a single server on the private LAN.

so you have a rule that says:

  iptables -t nat -A PREROUTING -i $EXT_IF \
    -j DNAT --to-destination $SINGLE_SERVER_IP

> **I don't understand how ANY packets can ever arrive
> at ANY other PC on the private LAN since they
> are ALL destination NAT'd to go to same private server IP
> address!?!?**

um--any NEW packets arriving inbound on $EXT_IF would have their
destination IP translated to $SINGLE_SERVER_IP, yes.
 
> If some arbitrary client on private LAN wants to visit
> a web page, somehow his traffic arrives back at himself
> without any specific NAT rules to get packets to him!??

ah--it seems you are confusing DNAT and SNAT.  when a machine on the
inside makes an outbound request (that passes all your filter rules) it
is probably hitting some sort of SNAT rule like:

  iptables -t nat -A POSTROUTING -o $EXT_IF -j SNAT --to-source $EXT_IP

this will create a conntrack entry that will be able to map the reply
packet back to the correct client by matching:

  src_ip,src_port,dst_ip,dst_port

> I know it has something to do with ESTABLISHED,RELATED
> state ACCEPT-ing rules but this has always confused me.

sorta.  keep in mind that rules in "-t nat" are only applied to packets
with state NEW--this is probably the piece you're missing.

> Do you understand the question?

maybe.

-j

--
"Please do not offer my god a peanut"
        --The Simpsons


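Added illustration, not code from the thread: a small Python model of the two nat rules quoted above plus the conntrack lookup keyed on src_ip,src_port,dst_ip,dst_port, showing why a LAN client's web reply is not DNAT'd to the single server. Interface names and all addresses are assumed values.

```python
# Constructed model of a netfilter gateway (not real netfilter code):
# the PREROUTING DNAT and POSTROUTING SNAT rules from the thread plus a
# conntrack table. Interface names and addresses are assumed values.
EXT_IF, LAN_IF = "eth0", "eth1"
EXT_IP = "203.0.113.10"            # $EXT_IP  (public side of the gateway)
SINGLE_SERVER_IP = "192.168.1.10"  # $SINGLE_SERVER_IP (DNAT target)


class Gateway:
    def __init__(self):
        # original-direction tuple -> translated tuple (retransmits reuse it)
        self.orig_map = {}
        # reply tuple as it arrives -> reply tuple after conntrack un-NATs it
        self.reply_map = {}

    def handle(self, iface, pkt):
        """Return (conntrack state, packet tuple as it leaves the gateway)."""
        if pkt in self.reply_map:
            # ESTABLISHED reply: the nat table is NOT consulted; conntrack
            # simply reverses the mapping recorded when the flow was NEW.
            return "ESTABLISHED", self.reply_map[pkt]
        if pkt in self.orig_map:
            # Retransmission in the original direction: reuse the mapping.
            return "ESTABLISHED", self.orig_map[pkt]
        # State NEW: the only time a "-t nat" rule is evaluated for a flow.
        src, sport, dst, dport = pkt
        if iface == EXT_IF:
            # PREROUTING -i $EXT_IF -j DNAT --to-destination $SINGLE_SERVER_IP
            dst = SINGLE_SERVER_IP
        else:
            # POSTROUTING -o $EXT_IF -j SNAT --to-source $EXT_IP
            src = EXT_IP
        translated = (src, sport, dst, dport)
        self.orig_map[pkt] = translated
        # A reply addressed to the translated tuple must be rewritten into a
        # reply to the original tuple; that is how the client gets his page.
        self.reply_map[(dst, dport, src, sport)] = (pkt[2], pkt[3], pkt[0], pkt[1])
        return "NEW", translated


def demo():
    gw = Gateway()
    client_req = ("192.168.1.50", 40000, "198.51.100.7", 80)  # LAN client -> web
    out = gw.handle(LAN_IF, client_req)                       # NEW: SNAT applied
    web_reply = (out[1][2], out[1][3], out[1][0], out[1][1])  # web server answers $EXT_IP
    back = gw.handle(EXT_IF, web_reply)                       # ESTABLISHED: no DNAT
    fresh = gw.handle(EXT_IF, ("198.51.100.7", 5555, EXT_IP, 80))  # NEW: DNAT applied
    return out, back, fresh
```

Calling `demo()` shows the unsolicited inbound connection landing on $SINGLE_SERVER_IP while the reply to the client's own request is delivered back to 192.168.1.50.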
Thread overview:
2005-02-03 17:25 How multiple PCs on private LAN possible if incoming is DNAT'd to *same* server *always*? seberino
2005-02-03 17:35 ` Jason Opperisano [this message]
2005-02-03 22:59   ` seberino
2005-02-03 23:11     ` Jason Opperisano
2005-02-04  0:46       ` seberino
2005-02-04 13:41         ` Georgi Alexandrov