Table NAT and MANGLE

All of lore.kernel.org
 help / color / mirror / Atom feed

* Table NAT and MANGLE
@ 2006-03-02 20:29 Gervasio Bernal
  2006-03-03 16:04 ` Chinh Nguyen
  0 siblings, 1 reply; 2+ messages in thread
From: Gervasio Bernal @ 2006-03-02 20:29 UTC (permalink / raw)
  To: netfilter-devel

Hi all!!

Suppose I have this 2 rules, one in mangle and the other one in NAT table:

#iptables -t mangle -A POSTROUTING -o eth0 -j TTL --ttl-set 64
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

So, every time a packet goes out through eth0 first it sets the TTL to
64 and then do the masquerade. Is there any way to do this but in
opposite order? First masquerade and the TTL.
Maybe this example is not very clear, but I'm developing a module that
needs to match a packet after masquerade.

Thanks.

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: Table NAT and MANGLE
  2006-03-02 20:29 Table NAT and MANGLE Gervasio Bernal
@ 2006-03-03 16:04 ` Chinh Nguyen
  0 siblings, 0 replies; 2+ messages in thread
From: Chinh Nguyen @ 2006-03-03 16:04 UTC (permalink / raw)
  To: netfilter-devel

Gervasio Bernal wrote:
> Hi all!!
> 
> Suppose I have this 2 rules, one in mangle and the other one in NAT table:
> 
> #iptables -t mangle -A POSTROUTING -o eth0 -j TTL --ttl-set 64
> #iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> 
> So, every time a packet goes out through eth0 first it sets the TTL to
> 64 and then do the masquerade. Is there any way to do this but in
> opposite order? First masquerade and the TTL.
> Maybe this example is not very clear, but I'm developing a module that
> needs to match a packet after masquerade.
> 
> Thanks.
> 

>From the manual for SNAT "... and rules should cease being examined". You can't
do anything after SNAT. Since MASQUERADE is kind of a special case of SNAT, IMO,
you can't use another rule after MASQUERADE either.

It should be noted that there seems to be at least 1 exception, although I don't
know if there are others.

For example, with the latest iptables & kernel (2.6.16-rc4 as of this writing),
you can SNAT (probably MASQUERADE) or DNAT before encrypting a packet with
IPsec. This is accomplished by using the -m policy module.

iptables -A POSTROUTING -t nat -m policy ... -j SNAT.

In other words, any packet that matches an IPSec policy can then be SNAT/DNAT
before encryption/decryption. Practically, there is an action (encryption) that
is applied after the NAT. Functionally though, it's still only 1 SNAT/DNAT rule
 after which no other will apply.

But perhaps there are other "2 rules in 1" exceptions. I don't know myself.

Regards.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2006-03-03 16:04 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-03-02 20:29 Table NAT and MANGLE Gervasio Bernal
2006-03-03 16:04 ` Chinh Nguyen

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.