From: Philip Craig <philipc@snapgear.com>
To: Jesse Gordon <jesseg@nikola.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Unmatchable packet?
Date: Wed, 23 Nov 2005 17:19:20 +1000
Message-ID: <438417F8.3060907@snapgear.com>
In-Reply-To: <WorldClient-F200511222303.AA03060138@nikola.com>

On 11/23/2005 05:03 PM, Jesse Gordon wrote:
> I agree -- to do as my little example showed would be useless -- but my
> real goal is to route the reply traffic via a different route than the
> request traffic -- I already got it to send the replies out a different
> network interface than the requests came in, but I haven't yet figured out
> how to rewrite the source address of the replies.

Why do you need to rewrite the address?
Just routing the packet should be enough, unless there is an
intermediate firewall that is dropping the packets based on the
source address.

> I don't quite understand why iptables wouldn't be able to match just any
> packet going into or out of any given network card, regardless of whether
> it was related to any other packet or not.
> 
> I may be a little confused. It seems to me that my experiments showed that
> the act of permitting a certain packet criteria to exit a specified
> ethernet port does not inherently permit the responses for that connection
> back in. It seems to me that I had to either tell it to allow related in,
> or specifically allow the replies back. I'll check into it more.

I think you are confusing the nat and filter tables.

The nat table only sees the first packet of a connection, because it
is designed to set up the nat mapping based on the first packet only.

The filter table does see every packet, which is why you need the rule
to allow established/related packets.

The mangle table also sees every packet.  It would be possible to write
a custom target for use in the mangle table that changes the source
address as you desire.  However, no one has written such a target as
far as I know.

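To make the nat-versus-filter distinction in the reply above concrete, here is an added illustration that is not part of the thread and not kernel code: a toy connection tracker labels each packet NEW or ESTABLISHED, and the three "tables" record which packets reach them. The host addresses, the rule helpers and the `simulate` function are constructed for this example; the only thing taken from the thread is the behaviour being modelled (nat is consulted for the first packet of a connection only, mangle and filter for every packet). The RELATED state, which real conntrack assigns via protocol helpers, is not modelled here.

```python
# Constructed model of how the netfilter nat, mangle and filter tables see
# packets. Illustration only, not the kernel's implementation: a toy
# connection tracker labels packets NEW or ESTABLISHED, and the tables are
# consulted in the order the hooks fire for a forwarded packet.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def flow(self) -> Tuple:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reply_flow(self) -> Tuple:
        # The 5-tuple a reply to this packet would have if it were the original direction.
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class Conntrack:
    """First packet of a flow is NEW; later packets in either direction are ESTABLISHED."""

    def __init__(self) -> None:
        self.flows: set = set()

    def classify(self, pkt: Packet) -> str:
        if pkt.flow() in self.flows or pkt.reply_flow() in self.flows:
            return "ESTABLISHED"
        self.flows.add(pkt.flow())
        return "NEW"


# A rule is (match, verdict); match receives the packet and its conntrack state.
Rule = Tuple[Callable[[Packet, str], bool], str]


def first_match(rules: List[Rule], pkt: Packet, state: str, policy: str) -> str:
    """Return the verdict of the first matching rule, or the chain policy."""
    for match, verdict in rules:
        if match(pkt, state):
            return verdict
    return policy


def simulate(packets: List[Packet], filter_rules: List[Rule]) -> Dict:
    """Push packets through mangle -> nat -> filter and record what each table saw."""
    ct = Conntrack()
    seen = {"mangle": 0, "nat": 0, "filter": 0}
    verdicts = []
    for pkt in packets:
        state = ct.classify(pkt)
        seen["mangle"] += 1      # mangle hooks run for every packet
        if state == "NEW":
            seen["nat"] += 1     # nat is consulted only for a connection's first packet
        seen["filter"] += 1      # filter hooks run for every packet
        verdicts.append(first_match(filter_rules, pkt, state, "DROP"))
    return {"seen": seen, "verdicts": verdicts}


# Constructed sample flow: a LAN host opens a connection to a web server and gets a reply.
REQUEST = Packet("192.0.2.10", 40000, "203.0.113.5", 80)
REPLY = Packet("203.0.113.5", 80, "192.0.2.10", 40000)

# Hypothetical filter rules, written as (match, verdict) pairs.
allow_outbound_http: Rule = (lambda p, s: p.dst == "203.0.113.5" and p.dport == 80, "ACCEPT")
allow_established: Rule = (lambda p, s: s in ("ESTABLISHED", "RELATED"), "ACCEPT")


def without_state_rule() -> Dict:
    """Only the outbound request is permitted; the reply hits the DROP policy."""
    return simulate([REQUEST, REPLY], [allow_outbound_http])


def with_state_rule() -> Dict:
    """With an ESTABLISHED/RELATED rule the reply is accepted as well."""
    return simulate([REQUEST, REPLY], [allow_established, allow_outbound_http])


if __name__ == "__main__":
    print(without_state_rule())
    print(with_state_rule())
```

In both runs the nat counter stays at one while mangle and filter count both packets, which is the point of the reply: allowing a request out does not by itself let the reply back in, because the filter table judges the reply as its own packet and needs the state rule to accept it.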
