From: Kapetanakis Giannis <bilias@edu.physics.uoc.gr>
To: netfilter@vger.kernel.org
Subject: NAT overlaps with ports
Date: Wed, 23 Sep 2009 12:51:11 +0300
Message-ID: <4AB9EF8F.4020307@edu.physics.uoc.gr>

Hi,
I have the following setup
kernel: 2.6.30.5-43.fc11
iptables-1.4.3.1-1.fc11
192.168.1.0/24 is my public IP range (eth0)
10.0.0.0/24 is my private IP range (eth1)
192.168.1.1 public IP of server
10.0.0.1 private IP of server
I'd like to add the following rules in the nat table:
[1] -A PREROUTING -i eth0 -d 192.168.1.1 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.1:8080
[2] -A POSTROUTING -o eth0 -s 10.0.0.1 -p tcp --sport 8080 -j SNAT --to-source 192.168.1.1:8080
[3] -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j SNAT --to-source 192.168.1.1-192.168.1.10
According to http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html
iptables is clever enough to avoid overlaps and clashes.
Are we sure that there isn't any chance to map a random packet (not from
the server) to 192.168.1.1:8080 in rule [3]?
I mean, does rule [2] reserve port 8080 of 192.168.1.1?
best regards,
Giannis