SNAT & Squence Numbers

SNAT & Squence Numbers

[mike bramm]

[-- Attachment #1: Type: text/plain, Size: 1028 bytes --]

Hi,
    I'm a Router/PIX guy that is just getting into the Linux/IPTables
scene. I've read the man pages and searched the web for information on
IPTables. And I'm not able to find answers to some of my questions.
Maybe you can help?

   * If SNAT is configured for many to one (PAT), then I would presume
     that the connections are tracked by sequence numbers. Are the
     sequence numbers picked randomly, like the PIX? And is there a
     range in with they are picked from? What mod does this?

   * A syntax question. I've looked at alot of syntax examples and I've
     noticed one character that I can't seem to match up with any of the
     tutorials or man
     pages.
     $IPTABLES -A INPUT $WAN_IFACE \ -j DROP   What the heck is "\"? It
     looks like it would be used to separate the match and the target,
     but is not really necessary. Is this just a personal preference or
     is it needed?

Thanks for your time. I wish I had heard about IPTables a year ago.
Anthony Stone does have cool sayings.
mike


[-- Attachment #2: Type: text/html, Size: 1752 bytes --]

Re: SNAT & Squence Numbers

[Dax Kelson]

On Mon, 2002-11-11 at 10:23, mike bramm wrote:
> Hi, 
>     I'm a Router/PIX guy that is just getting into the Linux/IPTables
> scene. I've read the man pages and searched the web for information on
> IPTables. And I'm not able to find answers to some of my questions.
> Maybe you can help? 
>       * If SNAT is configured for many to one (PAT), then I would
>         presume that the connections are tracked by sequence numbers.
>         Are the sequence numbers picked randomly, like the PIX? And is
>         there a range in with they are picked from? What mod does
>         this?

AFAIK, the sequence numbers are left intact. I could be wrong though. A
quick check with a packet sniffer should answer this.

>       * A syntax question. I've looked at alot of syntax examples and
>         I've noticed one character that I can't seem to match up with
>         any of the tutorials or man
>         pages.                                                                                                         $IPTABLES -A INPUT $WAN_IFACE \ -j DROP   What the heck is "\"? It looks like it would be used to separate the match and the target, but is not really necessary. Is this just a personal preference or is it needed?

This isn't iptables syntax at all. 

The "\" at the end of a line is known as the continuation character.
This is bourne shell syntax. It means that the next line should be
treated as a continuation of the current line. The "\" character NOT at
the end of the line, is the escape character and removes any special
treatment of the following character and causes it to be treated
literally.

Dax

RE: SNAT & Squence Numbers

[Rob Sterenborg]

> - A syntax question. I've looked at alot of syntax
> examples and I've noticed one character that I can't
> seem to match up with any of the tutorials or man pages.
> $IPTABLES -A INPUT $WAN_IFACE \ -j DROP
> What the heck is "\"? It looks like it would be used to
> separate the match and the target, but is not really
> necessary. Is this just a personal preference or is
> it needed?

"\" is used to continue a line on the next line.
The "\" char itself will be discarded when all lines are put together the
command is executed.

Take the following line :
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
This could (if you wanted to) be rewritten as :
iptables -A INPUT \
         -i eth0 \
         -m state --state RELATED,ESTABLISHED \
         -j ACCEPT


Rob