* Masquerading
@ 2002-10-21 23:51 Wilson Fletcher
From: Wilson Fletcher @ 2002-10-21 23:51 UTC (permalink / raw)
To: netfilter
Just looking at iptables.
Normally a reply to a masq'd packet coming into the network will
have the destination IP of the g/w. So if the NAT for masq is done
in POSTROUTING (after filtering) do I need to except INPUT packets
to ports in the masquerading range (~61000:65535 ????) ?
The Linux 2.4 Packet Filtering HOWTO appears to suggest that I can
ignore the fact that I'm nat'ing and use forwarding rules for packets
being masq'd and de-masq'd and that I do not need to worry about
INPUT for packets that are going to my masq'd range.
Have I understood this correctly?
thanks,
Wilson
P.S. I'm not subscribed here. Can you reply to:
research at mclachlan dot com dot au
* Re: Masquerading
@ 2002-10-23 9:53 ` Antony Stone
From: Antony Stone @ 2002-10-23 9:53 UTC (permalink / raw)
To: netfilter
On Tuesday 22 October 2002 12:51 am, Wilson Fletcher wrote:
> Just looking at iptables.
Welcome.
> Normally a reply to a masq'd packet coming into the network will
> have the destination IP of the g/w.
Correct (except remove the word 'normally' from the above sentence :-)
> So if the NAT for masq is done
> in POSTROUTING (after filtering) do I need to except INPUT packets
> to ports in the masquerading range (~61000:65535 ????) ?
No, because the INPUT chain is:
a) only for packets which finally arrive on the local machine
b) after the PREROUTING chain, where the reverse NAT will be automatically
applied to reply packets, hence changing the Destination Address back to the
original client.
> The Linux 2.4 Packet Filtering HOWTO appears to suggest that I can
> ignore the fact that I'm nat'ing and use forwarding rules for packets
> being masq'd and de-masq'd and that I do not need to worry about
> INPUT for packets that are going to my masq'd range.
This is correct.
INPUT is *only* for packets destined for the local machine (the one running
netfilter), and this means after any DNAT has taken place.
FORWARD is only for packets destined for another machine, and this also means
after any DNAT (automatic or specified in your rules) has taken place.
Remember also that if you specify a SNAT rule in your POSTROUTING chain, then
netfilter will automagically apply the appropriate DNAT rule to the replies
in your PREROUTING chain - you do not need to specify a rule to do this.
Antony.
--
You can spend the whole of your life trying to be popular,
but at the end of the day the size of the crowd at your funeral
will be largely dictated by the weather.
- Frank Skinner
* masquerading
@ 2003-02-24 8:43 Esteban Ribicic
From: Esteban Ribicic @ 2003-02-24 8:43 UTC (permalink / raw)
To: netfilter
hello,
I'm masquerading my local network like this for now:
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
everything works fine.
but, now I added another internet gw (ppp0) which is balanced (iproute2)
with eth2.
how do I set the masquerading to balance both gws? (eth2 and ppp0) ?
thanks in advance
Steve
* masquerading
@ 2003-02-24 8:50 Esteban
From: Esteban @ 2003-02-24 8:50 UTC (permalink / raw)
To: netfilter
hello,
I'm masquerading my local network like this for now:
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
everything works fine.
but, now I added another internet gw (ppp0) which is balanced (iproute2)
with eth2.
how do I set the masquerading to balance both gws? (eth2 and ppp0) ?
thanks in advance
Steve
* Re: masquerading
@ 2003-02-24 10:21 ` hare ram
From: hare ram @ 2003-02-24 10:21 UTC (permalink / raw)
To: Esteban, netfilter
Hi
AFAIK
set another rule with ppp0 instead of eth2
I think it should work
hare
----- Original Message -----
From: "Esteban" <eribicic@sinectis.com>
To: <netfilter@lists.netfilter.org>
Sent: Monday, February 24, 2003 2:20 PM
Subject: masquerading
> hello,
> I'm masquerading my local network like this for now:
> iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
> everything works fine.
> but, now I added another internet gw (ppp0) which is balanced (iproute2)
> with eth2.
> how do I set the masquerading to balance both gws? (eth2 and ppp0) ?
> thanks in advance
> Steve
* Re: masquerading
@ 2003-02-24 10:33 ` Esteban Ribicic
From: Esteban Ribicic @ 2003-02-24 10:33 UTC (permalink / raw)
To: hare ram; +Cc: Esteban, netfilter
Thanks for the tip, but
I've tried that, but the second rule does not match. Any other idea?
Another:
Is there any difference in doing -j SNAT --to-source {internet ip} and giving
{internet ip} two values or something like that, instead of -j MASQUERADE?
Thanks again
On Mon, 2003-02-24 at 07:21, hare ram wrote:
> Hi
>
> AFAIK
>
> set another rule with ppp0 instead of eth2
> I think it should work
>
> hare
> ----- Original Message -----
> From: "Esteban" <eribicic@sinectis.com>
> To: <netfilter@lists.netfilter.org>
> Sent: Monday, February 24, 2003 2:20 PM
> Subject: masquerading
>
> > hello,
> > I'm masquerading my local network like this for now:
> > iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
> > everything works fine.
> > but, now I added another internet gw (ppp0) which is balanced (iproute2)
> > with eth2.
> > how do I set the masquerading to balance both gws? (eth2 and ppp0) ?
> > thanks in advance
> > Steve
* Re: masquerading
@ 2003-02-24 10:40 Esteban
From: Esteban @ 2003-02-24 10:40 UTC (permalink / raw)
To: netfilter
I've tried that, but the second rule does not match. Any other idea?
Another:
Is there any difference in doing -j SNAT --to-source {internet ip} and giving
{internet ip} two values or something like that, instead of -j MASQUERADE?
Thanks again
On Mon, 2003-02-24 at 07:21, hare ram wrote:
> Hi
>
> AFAIK
>
> set another rule with ppp0 instead of eth2
> I think it should work
>
> hare
> ----- Original Message -----
> From: "Esteban" <eribicic@sinectis.com>
> To: <netfilter@lists.netfilter.org>
> Sent: Monday, February 24, 2003 2:20 PM
> Subject: masquerading
>
> > hello,
> > I'm masquerading my local network like this for now:
> > iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
> > everything works fine.
> > but, now I added another internet gw (ppp0) which is balanced (iproute2)
> > with eth2.
> > how do I set the masquerading to balance both gws? (eth2 and ppp0) ?
> > thanks in advance
> > Steve
* RE: masquerading
@ 2003-02-24 17:07 ` Michael K
From: Michael K @ 2003-02-24 17:07 UTC (permalink / raw)
To: netfilter
My idea exactly. Haven't tried it though.
Another solution would be to subnet.
Let's say that you use the network 192.168.100.0/24 today. Split it up
into two networks.
Like this:
iptables -t nat -A POSTROUTING -s 192.168.100.0/25 -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.100.128/25 -o eth2 -j MASQUERADE
/Klintan
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Esteban
> Sent: Monday, February 24, 2003 11:41 AM
> To: netfilter@lists.netfilter.org
> Subject: Re: masquerading
>
> I've tried that, but the second rule does not match. Any other idea?
> Another:
> Is there any difference in doing -j SNAT --to-source {internet ip}
> and giving {internet ip} two values or something like that,
> instead of -j MASQUERADE? Thanks again
>
> On Mon, 2003-02-24 at 07:21, hare ram wrote:
> > Hi
> >
> > AFAIK
> >
> > set another rule with ppp0 instead of eth2
> > I think it should work
> >
> > hare
> > ----- Original Message -----
> > From: "Esteban" <eribicic@sinectis.com>
> > To: <netfilter@lists.netfilter.org>
> > Sent: Monday, February 24, 2003 2:20 PM
> > Subject: masquerading
> >
> > > hello,
> > > I'm masquerading my local network like this for now:
> > > iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
> > > everything works fine.
> > > but, now I added another internet gw (ppp0) which is balanced (iproute2)
> > > with eth2.
> > > how do I set the masquerading to balance both gws? (eth2 and ppp0) ?
> > > thanks in advance
> > > Steve
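Both answers in this thread (one MASQUERADE rule per uplink, or splitting the LAN in two halves) rest on the same mechanic: `-o` in POSTROUTING tests the interface the routing decision has already chosen, so a rule for ppp0 only fires for packets that the iproute2 setup actually routes out of ppp0. The Python model below is an added example, not code from the thread or from netfilter: it evaluates a small nat POSTROUTING chain with first-match semantics and per-rule hit counters, the way `iptables -t nat -L POSTROUTING -v` would show them. The public addresses of eth2 and ppp0, the remote server and the packets are constructed; the interface names and the 192.168.100.0/24 LAN come from the thread.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# eth2, ppp0 and the 192.168.100.0/24 LAN come from the thread; the two public
# uplink addresses are constructed (documentation ranges).
IFACE_ADDR = {"eth2": "203.0.113.10", "ppp0": "198.51.100.7"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str  # interface picked by the routing decision (iproute2) before POSTROUTING runs


@dataclass(frozen=True)
class Rule:
    target: str                      # "MASQUERADE" or "SNAT"
    out_iface: Optional[str] = None  # -o
    src_net: Optional[str] = None    # -s
    to_source: Optional[str] = None  # --to-source (SNAT only)

    def matches(self, pkt: Packet) -> bool:
        if self.out_iface is not None and pkt.out_iface != self.out_iface:
            return False
        if self.src_net is not None and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        return True


def postrouting(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], Packet]:
    """Evaluate a nat POSTROUTING chain: the first matching rule wins.

    Returns (index of the rule that fired, packet as it leaves). With no match the
    chain policy ACCEPT lets the packet out with its private source address intact.
    """
    for i, rule in enumerate(rules):
        if not rule.matches(pkt):
            continue
        if rule.target == "MASQUERADE":
            return i, replace(pkt, src=IFACE_ADDR[pkt.out_iface])
        if rule.target == "SNAT":
            return i, replace(pkt, src=rule.to_source)
        raise ValueError(f"unsupported target {rule.target}")
    return None, pkt


def hit_counts(rules: List[Rule], packets: List[Packet]) -> List[int]:
    """Per-rule packet counters, the column shown by `iptables -t nat -L POSTROUTING -v`."""
    counts = [0] * len(rules)
    for pkt in packets:
        i, _ = postrouting(rules, pkt)
        if i is not None:
            counts[i] += 1
    return counts


def leave(rules: List[Rule], src: str, out_iface: str, dst: str = "192.0.2.80") -> Tuple[Optional[int], str]:
    """Source address a packet from `src` carries after POSTROUTING, plus which rule did it."""
    i, out = postrouting(rules, Packet(src, dst, out_iface))
    return i, out.src


# hare ram's suggestion: one MASQUERADE rule per uplink.
PER_IFACE = [Rule("MASQUERADE", out_iface="eth2"), Rule("MASQUERADE", out_iface="ppp0")]

# Michael K's variant: lower half of the LAN via ppp0, upper half via eth2.
SPLIT = [
    Rule("MASQUERADE", src_net="192.168.100.0/25", out_iface="ppp0"),
    Rule("MASQUERADE", src_net="192.168.100.128/25", out_iface="eth2"),
]


def demo() -> Tuple[List[int], List[int]]:
    # Routing sends everything out eth2: the ppp0 rule never fires, which is the
    # symptom reported in the thread ("the second rule does not match").
    all_via_eth2 = [Packet(f"192.168.100.{h}", "192.0.2.80", "eth2") for h in (5, 6, 200)]
    # Once iproute2 really routes some flows out ppp0, the second rule starts counting.
    balanced = [Packet("192.168.100.5", "192.0.2.80", "ppp0"),
                Packet("192.168.100.200", "192.0.2.80", "eth2")]
    return hit_counts(PER_IFACE, all_via_eth2), hit_counts(PER_IFACE, balanced)


if __name__ == "__main__":
    print(demo())
    print(leave(SPLIT, "192.168.100.200", "ppp0"))  # no rule matches: leaves with the private address
```

The last call in the model shows the caveat of the subnet split: a host from the upper half that the routing table nevertheless sends out ppp0 matches neither rule and leaves the gateway with its RFC 1918 source address. The `-s`/`-o` pairs only translate correctly when the routing policy and the NAT rules agree on which half goes where; a catch-all MASQUERADE rule per interface after the specific ones avoids that leak.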
* masquerading
@ 2003-09-12 2:09 Wendy Moore
From: Wendy Moore @ 2003-09-12 2:09 UTC (permalink / raw)
To: netfilter
Hi All,
I want to set up an internet gateway/firewall for my local network using iptables:
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
IP forwarding is enabled, ...
I can browse on a local workstation to e.g. www.openldap.org
(everything works fine on this site). However, other websites do not work, e.g. www.shoutcast.com. These sites are online (tested them by browsing on the FW computer).
The browser says it is finding the website, but is waiting for a reply?
Anyone any idea?
FILTER table
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
NAT table:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
* RE: masquerading
@ 2003-09-12 5:04 ` Mark E. Donaldson
From: Mark E. Donaldson @ 2003-09-12 5:04 UTC (permalink / raw)
To: Wendy Moore, netfilter
This appears to be a classic case of ICMP type 3 code 0 packets being
dropped by your ISP. Some web sites are working for you because the packets
are getting there, and the server's return packets are getting back to you
just fine. The sites that appear to be "hanging" are probably due to the DF
packets being dropped because either a reduced MTU or fragmentation is
needed. However, if the ICMP Path MTU messages are being dropped, your
system is not aware of this. Add this rule to your script and see if your
problem corrects itself:
$IPT -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Since all of your default policies are set to ACCEPT and you are going out a
ppp0 interface, I'll be shocked to find this is not the problem based on the
information you have supplied.
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Wendy Moore
Sent: Thursday, September 11, 2003 7:10 PM
To: netfilter@lists.netfilter.org
Subject: masquerading
Hi All,
I want to set up an internet gateway/firewall for my local network using
iptables:
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
IP forwarding is enabled, ...
I can browse on a local workstation to e.g. www.openldap.org
(everything works fine on this site). However, other websites do not work,
e.g. www.shoutcast.com. These sites are online (tested them by browsing on
the FW computer).
The browser says it is finding the website, but is waiting for a reply?
Anyone any idea?
FILTER table
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
NAT table:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
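Mark's rule works by rewriting the MSS option in every SYN that crosses the gateway, so the remote peer never sends a segment larger than the uplink can carry; that sidesteps the stall that occurs when the ICMP fragmentation-needed messages of Path MTU discovery are filtered somewhere along the way. The Python below is an added example, not code from the thread or from the kernel's TCPMSS target: it builds a constructed TCP SYN carrying an MSS option, applies the same clamp (MSS capped at the outgoing MTU minus 40 bytes for the IPv4 and TCP headers) and checks that the original MSS does not fit a 1492-byte PPPoE link while the clamped one does. The TCP checksum is deliberately not recomputed (it needs the IP pseudo-header), which the real target does do. The port numbers, the MTU values and the extra options are constructed. One caveat for anyone typing this rule today: current iptables releases accept the TCPMSS target only in the mangle table, so the modern spelling is `-t mangle -A FORWARD ...`; the filter-table form in the message reflects the 2.4-era kernels the thread is about.

```python
import struct

IPV4_HDR_LEN = 20
TCP_HDR_LEN = 20
OPT_END, OPT_NOP, OPT_MSS = 0, 1, 2
FLAG_SYN = 0x02


def build_segment(sport, dport, flags, mss=None, extra_opts=b""):
    """Build a bare TCP header (no IP header, no payload) with an optional MSS option.
    Constructed test input; the checksum field is left at zero."""
    opts = b""
    if mss is not None:
        opts += struct.pack("!BBH", OPT_MSS, 4, mss)
    opts += extra_opts
    while len(opts) % 4:
        opts += bytes([OPT_NOP])  # options area is padded to a 32-bit boundary
    data_offset = (TCP_HDR_LEN + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, data_offset << 4, flags, 65535, 0, 0)
    return hdr + opts


def iter_options(tcp):
    """Yield (kind, value_bytes, offset_of_value) for every TCP option; NOPs are
    skipped, END stops the walk, and a malformed length stops it too rather than
    letting the parser read past the header."""
    end = (tcp[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < end:
        kind = tcp[i]
        if kind == OPT_END:
            return
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= end:
            return
        length = tcp[i + 1]
        if length < 2 or i + length > end:
            return
        yield kind, tcp[i + 2:i + length], i + 2
        i += length


def get_mss(tcp):
    for kind, value, _ in iter_options(tcp):
        if kind == OPT_MSS and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return None


def clamp_mss_to_pmtu(tcp, out_mtu):
    """What `-j TCPMSS --clamp-mss-to-pmtu` does to a SYN: cap the advertised MSS
    at out_mtu - 40 so full-size segments from the peer fit the link unfragmented,
    even when fragmentation-needed ICMP messages never reach the sender.
    Returns (segment, old_mss, new_mss); non-SYN segments and SYNs without an MSS
    option come back untouched."""
    if not tcp[13] & FLAG_SYN:
        return tcp, None, None
    limit = out_mtu - IPV4_HDR_LEN - TCP_HDR_LEN
    for kind, value, off in iter_options(tcp):
        if kind == OPT_MSS and len(value) == 2:
            old = struct.unpack("!H", value)[0]
            if old <= limit:
                return tcp, old, old
            patched = bytearray(tcp)
            patched[off:off + 2] = struct.pack("!H", limit)
            return bytes(patched), old, limit
    return tcp, None, None


def segment_fits(mss, link_mtu):
    """Would a full-size data segment built from this MSS cross the link unfragmented?"""
    return mss + IPV4_HDR_LEN + TCP_HDR_LEN <= link_mtu


def demo():
    # Constructed scenario: a LAN host on Ethernet (MTU 1500) advertises MSS 1460,
    # the ppp0 uplink is PPPoE with MTU 1492. SACK-permitted and window-scale
    # options follow the MSS so the parser has to walk past it correctly.
    syn = build_segment(40000, 80, FLAG_SYN, mss=1460, extra_opts=bytes([4, 2, 3, 3, 7]))
    clamped, old, new = clamp_mss_to_pmtu(syn, 1492)
    return old, new, segment_fits(old, 1492), segment_fits(new, 1492), get_mss(clamped)


if __name__ == "__main__":
    print(demo())
```

Without the clamp the peer answers with 1500-byte packets that carry the DF bit; the PPPoE hop must drop them and report back with ICMP type 3 code 4, and if that report is filtered the transfer hangs exactly as described in the question. With the clamp the peer never builds a packet larger than 1492 bytes in the first place, so the ICMP message is never needed.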
* RE: masquerading
@ 2003-09-12 13:24 Cilliè Burger
From: Cilliè Burger @ 2003-09-12 13:24 UTC (permalink / raw)
To: wenmoore; +Cc: netfilter
Hi Wendy,
Sounds like you need the following in the FORWARD chain inside
the filter table:
iptables --append FORWARD --proto tcp -m state --state ESTABLISHED,RELATED --jump ACCEPT
and
iptables --append FORWARD --proto udp -m state --state ESTABLISHED,RELATED --jump ACCEPT
that should solve your problem, if I understood your question correctly
--
Regards,
Cilliè Burger
SA-DOMAIN Internet Services
* Masquerading
@ 2003-10-31 3:19 Fritz Mesedilla
From: Fritz Mesedilla @ 2003-10-31 3:19 UTC (permalink / raw)
To: Netfilter Mailing List (E-mail)
Greetings!
I hope you can help me again with this.
We have remote data centers.
Only 2 remaining centers are not connected by WAN.
This is my current situation:
workstation --- firewall dc#1 --- internet --- firewall dc#2 --- server
Would this be possible with iptables through masquerading:
workstation #1 --- firewall dc#1 --- internet --- firewall dc#2 --- server #1
workstation #2 --- firewall dc#1 --- internet --- firewall dc#2 --- server #1
It means only one ip address from data center #1 is allowed to access the server in data center #2.
I need to share workstations 1 & 2 to use the only ip address from data center #1 allowed to access the server in data center #2.
Thanks in advance.
Cheers,
fritz <www.mesedilla.com>
---
+ Basta Ikaw Lord
* MASQUERADING
@ 2005-07-21 10:59 Chandra.Vempali
From: Chandra.Vempali @ 2005-07-21 10:59 UTC (permalink / raw)
To: netfilter
Hi all,
I have a question on MASQUERADE
Suppose I masquerade ppp0 using
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
And now all packets that have a src ip addr of 192.168.0.2 will be
changed to that of ppp0, for example say 10.10.10.1.
Now my question is, when the reply comes, their destination addr will be
that of ppp0, i.e. 10.10.10.1.
Who will reverse translate this 10.10.10.1 destination addr to the actual
192.168.0.2?
Thanks,
Chandra
* Re: MASQUERADING
@ 2005-07-21 11:19 ` Jörg Harmuth
From: Jörg Harmuth @ 2005-07-21 11:19 UTC (permalink / raw)
To: netfilter
Chandra.Vempali@infineon.com wrote:
> Suppose I masquerade ppp0 using
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
> And now all packets will have a src ip addr as 192.168.0.2 will be
> changed to that of ppp0 , for example say 10.10.10.1
> Now my question is, when the reply comes, their destination addr will be
> that of ppp0 i.e 10.10.10.1
> Who will reverse translate this 10.10.10.1 destination addr to actual
> 192.168.0.2 ?
This is the job of connection tracking, basically ipt_conntrack.
Have a nice time,
Joerg
* Re: MASQUERADING
@ 2005-07-21 11:54 ` Jan Engelhardt
From: Jan Engelhardt @ 2005-07-21 11:54 UTC (permalink / raw)
To: Jörg Harmuth; +Cc: netfilter
>> Suppose I masquerade ppp0 using
>> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>>
>> And now all packets will have a src ip addr as 192.168.0.2 will be
>> changed to that of ppp0 , for example say 10.10.10.1
No, it does not say "changed to that of ppp0" but:
_change_all_packets_that_go_out_of_ppp0_ (...to the address belonging to ppp0)
>> Now my question is, when the reply comes, their destination addr will be
>> that of ppp0 i.e 10.10.10.1
>> Who will reverse translate this 10.10.10.1 destination addr to actual
>> 192.168.0.2 ?
>This is the job of connection tracking, basically ipt_conntrack.
Nitpick: ip_conntrack.
ipt_conntrack is the module for the -m conntrack match used by iptables.
Jan Engelhardt
--
* Re: MASQUERADING
@ 2005-07-21 12:09 ` Jörg Harmuth
From: Jörg Harmuth @ 2005-07-21 12:09 UTC (permalink / raw)
To: netfilter
Jan Engelhardt wrote:
>>>Suppose I masquerade ppp0 using
>>>iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>>>
>>>And now all packets will have a src ip addr as 192.168.0.2 will be
>>>changed to that of ppp0 , for example say 10.10.10.1
>
>
> No, it does not say "changed to that of ppp0" but:
> _change_all_packets_that_go_out_of_ppp0_ (...to the address belonging to ppp0)
>
>
>>>Now my question is, when the reply comes, their destination addr will be
>>>that of ppp0 i.e 10.10.10.1
>>>Who will reverse translate this 10.10.10.1 destination addr to actual
>>>192.168.0.2 ?
>
>
>>This is the job of connection tracking, basically ipt_conntrack.
>
>
> Nitpick: ip_conntrack.
> ipt_conntrack is the module for the -m conntrack match used by iptables.
Oops - my fault :) Thanks for the correction.
Have a nice time,
Joerg
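The reverse translation Chandra asks about in this thread, and the chain-traversal point Antony made in the first thread on this page, are the same mechanism seen from two sides: no rule undoes the NAT, the connection-tracking table does. MASQUERADE in POSTROUTING records the reply tuple of each connection, PREROUTING rewrites matching replies back to the original client before the routing decision, and so INPUT only ever sees packets that really are addressed to the gateway. The Python below is an added example, a toy model rather than ip_conntrack's code; the ppp0 address 10.10.10.1 and the LAN host 192.168.0.2 come from Chandra's message, while the remote server, the second LAN host, the gateway's LAN address and the 61000+ port pool are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, Set, Tuple

# From Chandra's message: LAN host 192.168.0.2 behind a gateway whose ppp0 address is
# 10.10.10.1. The gateway's LAN-side address, the server and the port pool are constructed.
PPP0_ADDR = "10.10.10.1"
LOCAL_ADDRS = {PPP0_ADDR, "192.168.0.1"}  # addresses owned by the gateway itself

Tuple5 = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def tuple5(self) -> Tuple5:
        return (self.proto, self.src, self.sport, self.dst, self.dport)


class Conntrack:
    """Toy stand-in for ip_conntrack: remembers, per connection, how replies must be
    rewritten to undo the source NAT applied to the original direction."""

    def __init__(self, pool_start: int = 61000):
        self.reply_to_orig: Dict[Tuple5, Tuple5] = {}
        self.used_ports: Set[int] = set()
        self.next_pool_port = pool_start

    def _pick_port(self, wanted: int) -> int:
        # Simplified MASQUERADE port choice: keep the client's own port when it is still
        # free on the NAT address, otherwise hand out the next port from the pool.
        if wanted not in self.used_ports:
            return wanted
        while self.next_pool_port in self.used_ports:
            self.next_pool_port += 1
        return self.next_pool_port

    def postrouting_masquerade(self, pkt: Packet) -> Packet:
        """`-t nat -A POSTROUTING -o ppp0 -j MASQUERADE`: rewrite the source to ppp0's
        address and record the reply tuple so PREROUTING can reverse it later."""
        port = self._pick_port(pkt.sport)
        self.used_ports.add(port)
        nat_pkt = replace(pkt, src=PPP0_ADDR, sport=port)
        reply_tuple = (pkt.proto, pkt.dst, pkt.dport, PPP0_ADDR, port)
        self.reply_to_orig[reply_tuple] = pkt.tuple5()
        return nat_pkt

    def prerouting_reverse(self, pkt: Packet) -> Packet:
        """Automatic reverse NAT for replies: no rule is involved, the conntrack entry
        created by the original direction is all that is needed."""
        orig = self.reply_to_orig.get(pkt.tuple5())
        if orig is None:
            return pkt
        _, orig_src, orig_sport, _, _ = orig
        return replace(pkt, dst=orig_src, dport=orig_sport)


def routing_decision(pkt: Packet) -> str:
    """After PREROUTING the kernel routes the (already un-NATed) packet:
    local delivery goes to INPUT, everything else to FORWARD."""
    return "INPUT" if pkt.dst in LOCAL_ADDRS else "FORWARD"


def inbound(ct: Conntrack, pkt: Packet) -> Tuple[Packet, str]:
    """Walk a packet arriving on ppp0 through PREROUTING and the routing decision."""
    fixed = ct.prerouting_reverse(pkt)
    return fixed, routing_decision(fixed)


def demo():
    ct = Conntrack()
    # Two LAN hosts open connections to the same server from the same source port.
    out1 = ct.postrouting_masquerade(Packet("tcp", "192.168.0.2", 40000, "192.0.2.80", 80))
    out2 = ct.postrouting_masquerade(Packet("tcp", "192.168.0.3", 40000, "192.0.2.80", 80))
    # Replies come back addressed to ppp0's address and its chosen ports ...
    r1, chain1 = inbound(ct, Packet("tcp", "192.0.2.80", 80, PPP0_ADDR, out1.sport))
    r2, chain2 = inbound(ct, Packet("tcp", "192.0.2.80", 80, PPP0_ADDR, out2.sport))
    # ... whereas a packet with no conntrack entry really is for the gateway.
    r3, chain3 = inbound(ct, Packet("tcp", "198.51.100.9", 5555, PPP0_ADDR, 22))
    return out1, out2, (r1, chain1), (r2, chain2), (r3, chain3)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The second LAN host shows why the translation cannot be a static rule: both clients used source port 40000, so the gateway has to hand one of them a different port and remember which is which. That state is also what Antony's warning about INPUT rests on: by the time filtering runs, a masqueraded reply already carries the client's address again, so a rule "excepting INPUT for the masquerade port range" would never see it.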