* MASQUERADE and ACCEPT targets
From: ratheesh k @ 2010-02-24 14:45 UTC (permalink / raw)
To: netfilter
All,

R1) iptables -t nat -I POSTROUTING -o eth0 -m state --state
ESTABLISHED,RELATED -j ACCEPT
R2) iptables -t nat -A POSTROUTING -o eth0 -j MASQERADE
                         machine "B"
            ------------------------------------------
            |                                        |
            |                                        |
machine "A" ------> eth0                             |
            |                                   eth1 ----------------> internet
            |                                        |
            |                                        |
            ------------------------------------------

I applied rule R2 and I am able to browse the internet from machine A.

1. Is there any problem if I apply R1?
2. If the packet state becomes ESTABLISHED (not a new packet), do we
still need the MASQUERADE target for the remaining packets?

Thanks,
Ratheesh
* Re: MASQUERADE and ACCEPT targets
From: Mart Frauenlob @ 2010-02-24 14:57 UTC (permalink / raw)
To: netfilter

On 24.02.2010 15:45, netfilter-owner@vger.kernel.org wrote:
> R1) iptables -t nat -I POSTROUTING -o eth0 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> R2) iptables -t nat -A POSTROUTING -o eth0 -j MASQERADE
> [...]
> 1. Is there any problem if I apply R1?
> 2. If the packet state becomes ESTABLISHED (not a new packet), do we
> still need the MASQUERADE target for the remaining packets?

The nat table only sees state NEW packets.
A rule with state "ESTABLISHED,RELATED" will never match there.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE is good (without
the typo).

Do filtering (ACCEPT/DROP/REJECT) in the filter table.
iptables -A FORWARD -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

same for OUTPUT maybe.

Best regards

Mart
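Mart's point (the nat table is consulted for the first packet of a connection only, and whatever mapping it picks is then stored in the conntrack entry and replayed for every later packet of that flow in both directions) is easiest to see in a small model. The Python below is an added example, not code from the thread and not netfilter's own: it models a gateway with a conntrack table and a nat/POSTROUTING chain holding Ratheesh's R1 and R2, replays a TCP handshake from machine A, then deletes the MASQUERADE rule to show that the already established flow keeps its translation while the next new connection leaves with its private source address. The addresses are constructed from documentation ranges and the class and function names are mine.

```python
"""Toy model (added example, not kernel code) of how netfilter consults the
nat table.  Only the first packet of a connection (conntrack state NEW)
traverses nat/POSTROUTING; the chosen mapping is stored in the conntrack
entry and replayed for every later packet of that flow, in both directions,
without touching the nat table again.  Addresses are constructed from the
RFC 5737 documentation ranges and stand in for the thread's machines."""
from dataclasses import dataclass
from typing import Optional

LAN_HOST = "192.168.1.10"    # machine "A" (constructed)
WAN_IP = "203.0.113.5"       # machine "B", eth1 (constructed)
SERVER = "198.51.100.7"      # some host on the internet (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    """One rule in nat/POSTROUTING. states=None means no '-m state' match."""
    name: str
    target: str                       # "ACCEPT" or "MASQUERADE"
    states: Optional[frozenset] = None
    hits: int = 0                     # what 'iptables -t nat -L -v' would count


@dataclass
class ConnEntry:
    orig: tuple                       # 4-tuple of the first packet seen
    reply: tuple = ()                 # 4-tuple a reply will carry (post-NAT)
    snat_src: Optional[str] = None    # mapping chosen by the nat table
    state: str = "NEW"


class Gateway:
    def __init__(self, wan_ip, nat_postrouting):
        self.wan_ip = wan_ip
        self.nat_postrouting = nat_postrouting
        self.conntrack = {}           # both directions' tuples -> ConnEntry

    def _traverse_nat_postrouting(self, entry):
        # Reached once per connection, for its first packet only.
        for rule in self.nat_postrouting:
            if rule.states is not None and entry.state not in rule.states:
                continue              # '-m state' did not match: next rule
            rule.hits += 1
            if rule.target == "MASQUERADE":
                entry.snat_src = self.wan_ip
            return                    # ACCEPT and MASQUERADE both end traversal
        # No rule matched: the flow leaves untranslated.

    def forward(self, pkt):
        """Return the packet as it leaves the gateway after (un)translation."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        entry = self.conntrack.get(key)
        if entry is None:
            # First packet of a flow: create the conntrack entry and let it
            # traverse the nat table exactly once.
            entry = ConnEntry(orig=key)
            self._traverse_nat_postrouting(entry)
            new_src = entry.snat_src or pkt.src
            entry.reply = (pkt.dst, pkt.dport, new_src, pkt.sport)
            self.conntrack[key] = entry
            self.conntrack[entry.reply] = entry
            return Packet(new_src, pkt.sport, pkt.dst, pkt.dport)
        if key == entry.orig:
            # Later packet in the original direction: replay the stored mapping.
            return Packet(entry.snat_src or pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # Reply direction: undo the mapping; conntrack now calls it ESTABLISHED.
        entry.state = "ESTABLISHED"
        return Packet(pkt.src, pkt.sport, entry.orig[0], entry.orig[1])


def demo():
    """Replay the thread's scenario: R1 then R2 in nat/POSTROUTING."""
    r1 = Rule("R1: -m state --state ESTABLISHED,RELATED -j ACCEPT", "ACCEPT",
              frozenset({"ESTABLISHED", "RELATED"}))
    r2 = Rule("R2: -j MASQUERADE", "MASQUERADE")
    gw = Gateway(WAN_IP, [r1, r2])

    syn = gw.forward(Packet(LAN_HOST, 40000, SERVER, 80))      # NEW: hits R2
    synack = gw.forward(Packet(SERVER, 80, WAN_IP, 40000))     # reply: no nat lookup
    ack = gw.forward(Packet(LAN_HOST, 40000, SERVER, 80))      # ESTABLISHED: replayed
    # Delete R2: the existing flow keeps its mapping because it lives in
    # the conntrack entry, not in the rule...
    gw.nat_postrouting.remove(r2)
    data = gw.forward(Packet(LAN_HOST, 40000, SERVER, 80))
    # ...but the next NEW connection leaves with its private source address.
    new_syn = gw.forward(Packet(LAN_HOST, 40001, SERVER, 443))
    return {
        "syn_src": syn.src, "synack_dst": synack.dst, "ack_src": ack.src,
        "data_src_after_rule_deleted": data.src, "new_flow_src": new_syn.src,
        "r1_hits": r1.hits, "r2_hits": r2.hits,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28s} {v}")
```

On a real gateway the same thing is visible with `iptables -t nat -L POSTROUTING -v -n` (the counter on an ESTABLISHED,RELATED rule stays at zero while the MASQUERADE rule counts one packet per connection) and with `conntrack -L` from conntrack-tools, which lists the stored mapping for each flow. Removing the MASQUERADE rule does not flush those entries, so an existing session keeps working until it times out or is flushed, but every new connection from then on leaves with its private address and gets no replies.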
* Re: MASQUERADE and ACCEPT targets
From: ratheesh k @ 2010-02-25 4:01 UTC (permalink / raw)
To: netfilter; +Cc: mart.frauenlob

> The nat table only sees state NEW packets.

My default policy for the FORWARD chain is ACCEPT. I failed to describe my
question properly. Sorry for my bad English.

                         machine "B"
            ------------------------------------------
            |                                        |
            |                                        |
machine "A" ------> eth0                             |
            |                                   eth1 ----------------> internet
            |                                        |
            |                                        |
            ------------------------------------------

Suppose I browse "yahoo.com" from machine A. The first SYN packet is sent
from machine A to the gateway machine "B". The packet state is NEW and it is
masqueraded out of eth1. When a packet comes back from the internet, the
state of the packet is set to ESTABLISHED. After the state has turned to
ESTABLISHED, do we really require the MASQUERADE rule for the next packets?

Even without this MASQUERADE target, will the connection continue to work?

Thanks,
Ratheesh
* Re: MASQUERADE and ACCEPT targets
From: Mart Frauenlob @ 2010-02-25 9:59 UTC (permalink / raw)
To: netfilter

On 25.02.2010 05:01, netfilter-owner@vger.kernel.org wrote:
> After the state has turned to ESTABLISHED, do we really require the
> MASQUERADE rule for the next packets?
>
> Even without this MASQUERADE target, will the connection continue to work?

Do you read the reply?
Did you understand it?
Does not look so.
Please go and learn netfilter basics. (netfilter.org,
http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html)

A simple g00gle search will give you ~ 120.000 results about masquerading:
http://www.google.at/search?q=iptables+nat+masquerade&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

P.S. why CC me if i explicitly set the reply addr. to netfilter@....???

Bye bye

Mart
* Re: MASQUERADE and ACCEPT targets
From: ratheesh k @ 2010-02-25 12:36 UTC (permalink / raw)
To: netfilter

Thanks a ton.