From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@lists.netfilter.org
Subject: Re: DNAT with orignal source address
Date: Thu, 03 Aug 2006 17:14:18 +0200	[thread overview]
Message-ID: <44D212CA.3060609@plouf.fr.eu.org> (raw)
In-Reply-To: <A78C6C481BFAE949BC5990E1EEB2FE125826@q.LeBlancNet.us>

Robert LeBlanc wrote:
>   Thanks for the feedback. I am currently using the following as my
> general NAT that catches everything that is not my servers.
[...]
> #General nat
> 
> iptables -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1

And "everything" means *really* ANY source address from ANY interface, 
including not only your private subnet but also the whole internet 
0.0.0.0/0 !

> What exactly is the difference between --to and
> --to-source/--to-destination, is it just an alias?

Yes, --to is just shorter and can be used in both SNAT and DNAT.

> One question that I have regarding the recipe that you provided 
> is that since I have machines with public addresses scattered through 
> the 192.168.2.0/24 subnet would it still be matching more than it 
> should?

What do you mean?

> Or does providing it a subnet and an out interface try to 
> prevent NATing on inbound traffic as well?

Yes. The subnet condition prevents the rule from applying to any internet 
source address (including the NAT box's own public address), and the 
output interface condition prevents the rule from applying to any 
connection coming from the outside. Actually, either condition should be 
sufficient to prevent the undesired behaviour you described, but using 
both won't harm. Of course it must be placed after the more specific 
SNAT rules.
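As an added illustration (not part of the thread), a small Python model of first-match POSTROUTING evaluation shows why the unconditional SNAT rule rewrites the source of DNATed inbound connections, while the `-s 192.168.2.0/24 -o eth0` form does not, and why a server's own more specific SNAT rule has to come first. The topology (eth0 to the Internet, eth1 to the LAN), the 192.168.2.50 / 1.1.1.50 server pair and the 203.0.113.5 client are constructed assumptions; the model looks only at the first packet of a connection, as the nat table does, and ignores -d, protocol and port matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    """One POSTROUTING rule: optional -s subnet, optional -o interface, SNAT target."""
    src: Optional[str]    # -s, None means any source (0.0.0.0/0)
    out: Optional[str]    # -o, None means any output interface
    to_source: str        # --to-source address

@dataclass
class Conn:
    """First packet of a new connection as seen in POSTROUTING (after DNAT)."""
    src: str              # source address on the wire
    out: str              # interface the packet leaves on

def snat_for(rules: List[Rule], conn: Conn) -> Optional[str]:
    """First-match walk of the chain; returns the new source address,
    or None when no rule matches and the connection is left untouched."""
    for r in rules:
        if r.src is not None and ipaddress.ip_address(conn.src) not in ipaddress.ip_network(r.src):
            continue
        if r.out is not None and r.out != conn.out:
            continue
        return r.to_source
    return None

# Constructed topology: eth0 faces the Internet, eth1 faces 192.168.2.0/24.
CATCH_ALL = [Rule(None, None, "1.1.1.1")]                 # the rule quoted in the thread
SCOPED = [Rule("192.168.2.0/24", "eth0", "1.1.1.1")]      # subnet + output interface conditions
# A server with its own public address needs a more specific SNAT rule
# placed before the general one (constructed addresses, not from the thread).
ORDERED = [Rule("192.168.2.50/32", "eth0", "1.1.1.50")] + SCOPED

LAN_CLIENT_OUT = Conn("192.168.2.10", "eth0")   # LAN host opening an outbound connection
SERVER_OUT = Conn("192.168.2.50", "eth0")       # server with a dedicated public address
INBOUND_DNAT = Conn("203.0.113.5", "eth1")      # Internet client already DNATed to a LAN server

if __name__ == "__main__":
    for name, chain in (("catch-all", CATCH_ALL), ("scoped", SCOPED), ("ordered", ORDERED)):
        print(name, "inbound:", snat_for(chain, INBOUND_DNAT),
              "lan client:", snat_for(chain, LAN_CLIENT_OUT),
              "server:", snat_for(chain, SERVER_OUT))
```

With the catch-all chain the LAN server receives every DNATed connection from 1.1.1.1 and loses the client's original address; the scoped chain leaves that connection alone and still masquerades outbound LAN traffic.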
