prerouting and route

prerouting and route

[Oğuz Yarımtepe]

Hi,

I gave some points that i couldnt visualize. 
First question is related with the route command. Lets say i defined a local 
route as,

route add 10.2.0.0 netmask 255.255.255.0 gw 10.2.0.1 dev eth1

and while i am configuring iptables i wrote some rules:

# delete all existing rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -t nat -A PREROUTING -i eth0 -p ALL -d 10.2.0.0/24 -j DNAT --to 
10.2.0.1

At this point i ask myself whether i need this rule, because i had already 
defined a route while configuring interfaces. So is there a relation between 
route definitions and prerouting, is it unnecessary to define a local route 
and try to the same thing with iptables?

Second, i have a rule as,

iptables -t nat -A PREROUTING -i eth1 -p ALL  -j DNAT --to 192.168.1.4

192.168.1.4 is the ip of eth0 which is plugged to a gateway with the ip 
192.168.1.3. If i send a package from eth1 to lets say 192.168.1.10, its 
destination address is replaced with 192.168.1.4. After this point, will it 
continue to 192.168.1.3? If yes how?

Thanx.
 
-- 
Oğuz Yarımtepe
http://www.yarimtepe.com/en

Re: prerouting and route

[Pascal Hambourg]

Hello,

Oguz Yarimtepe a écrit :
> 
> I gave some points that i couldnt visualize. 
> First question is related with the route command. Lets say i defined a local 
> route as,
> 
> route add 10.2.0.0 netmask 255.255.255.0 gw 10.2.0.1 dev eth1

Weird route. It looks like the gateway address belongs to the 
destination range. If so, how do you reach the gateway ?

> and while i am configuring iptables i wrote some rules:
[...]
> iptables -t nat -A PREROUTING -i eth0 -p ALL -d 10.2.0.0/24 -j DNAT --to 
> 10.2.0.1
> 
> At this point i ask myself whether i need this rule,

The question is : what do you expect from this rule ?

> because i had already 
> defined a route while configuring interfaces. So is there a relation between 
> route definitions and prerouting,

Not directly. Routes tell how to route a packet, i.e. how it must be 
sent out, mostly depending on its destination address, without altering 
the destination address. DNAT rules say how to alter the destination 
address, not how to route that destination.

In both cases here the packets will be sent to the gateway with address 
10.2.0.1. But the difference is that routing does not change the 
original destination address, and the gateway will forward the packets 
to their final destination. With DNAT, the gateway becomes the final 
destination.

> is it unnecessary to define a local route 
> and try to the same thing with iptables?

I do not see what you mean.

> Second, i have a rule as,
> 
> iptables -t nat -A PREROUTING -i eth1 -p ALL  -j DNAT --to 192.168.1.4
> 
> 192.168.1.4 is the ip of eth0 which is plugged to a gateway with the ip 
> 192.168.1.3. If i send a package from eth1 to lets say 192.168.1.10, its 
> destination address is replaced with 192.168.1.4. After this point, will it 
> continue to 192.168.1.3? If yes how?

No. The new destination address belongs to the host which becomes the 
final destination, so the packet will be received locally instead of 
being forwarded.