* About using -i with MASQUERADE
From: Fabio Pedretti @ 2016-01-22 11:53 UTC (permalink / raw)
To: netfilter
Hi, I would like to do the following:
-t nat -A POSTROUTING -i eth3 -j MASQUERADE
but I get this error:
iptables v1.4.21: Can't use -i with POSTROUTING
So I am planning to use:
-t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
However, I find the latter, working solution less smart than the
first, non-working one. For example, I should add rules for every network
coming from that interface, which may also change in the future.
Is there a reason why -i is forbidden?
Is there a better solution than using -s?
Thanks.
--
Eng. Fabio Pedretti
Head of U.O.C. "Reti e Sistemi" (Networks and Systems unit)
http://www.unibs.it/organizzazione/amministrazione-centrale/servizio-servizi-ict/uoc-reti-e-sistemi
Università degli Studi di Brescia
Via Valotti, 9 - 25121 Brescia
E-mail: fabio.pedretti@unibs.it
--
Privacy notice: http://www.unibs.it/node/8155
* Re: About using -i with MASQUERADE
From: Bastian Bittorf @ 2016-01-22 14:07 UTC (permalink / raw)
To: Fabio Pedretti; +Cc: netfilter
* Fabio Pedretti <fabio.pedretti@unibs.it> [22.01.2016 13:49]:
> Hi, I would like to do the following:
> -t nat -A POSTROUTING -i eth3 -j MASQUERADE
This explains why -i is not possible here:
https://en.wikipedia.org/wiki/Netfilter#/media/File:Netfilter-packet-flow.svg
bye, bastian
* Re: About using -i with MASQUERADE
From: Vigneswaran R @ 2016-01-29 10:10 UTC (permalink / raw)
To: Fabio Pedretti, netfilter
On 01/22/2016 05:23 PM, Fabio Pedretti wrote:
> Hi, I would like to do the following:
> -t nat -A POSTROUTING -i eth3 -j MASQUERADE
>
> but I get this error:
> iptables v1.4.21: Can't use -i with POSTROUTING
>
> So I am planning to use:
> -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
>
> However, I find the latter, working solution less smart than the
> first, non-working one. For example, I should add rules for every network
> coming from that interface, which may also change in the future.
>
> Is there a reason why -i is forbidden?
I think the incoming interface information of a packet is not retained
until the POSTROUTING chain (it is only available up to the INPUT/FORWARD chains).
> Is there a better solution than using -s?
In the FORWARDING chain, you can mark the packets based on the incoming
interface. Then use the mark to MASQUERADE the packets in the
POSTROUTING chain, e.g.:
-t nat -A FORWARD -i eth3 -j MARK --set-mark 0xffff
-t nat -A POSTROUTING -m mark --mark 0xffff -j MASQUERADE
(I hope this should work. However, I haven't tried this by myself.)
Vignesh
* Re: About using -i with MASQUERADE
From: Mart Frauenlob @ 2016-01-29 11:26 UTC (permalink / raw)
To: Vigneswaran R; +Cc: Fabio Pedretti, netfilter
On 29.01.2016 11:10, Vigneswaran R wrote:
[...]
>
> In the FORWARDING chain, you can mark the packets based on the incoming
> interface. Then use the mark to MASQUERADE the packets in the
> POSTROUTING chain, e.g.:
>
> -t nat -A FORWARD -i eth3 -j MARK --set-mark 0xffff
> -t nat -A POSTROUTING -m mark --mark 0xffff -j MASQUERADE
>
> (I hope this should work. However, I haven't tried this by myself.)
>
> Vignesh
Hello,
there is no FORWARD chain in the nat table. And marking in the nat table
will only mark packets of conntrack state NEW.
Better do the marking in the mangle or filter table.
Best regards,
Mart
* Re: About using -i with MASQUERADE
From: Vigneswaran R @ 2016-01-29 11:34 UTC (permalink / raw)
To: mart.frauenlob; +Cc: Fabio Pedretti, netfilter
On 01/29/2016 04:56 PM, Mart Frauenlob wrote:
> On 29.01.2016 11:10, Vigneswaran R wrote:
> [...]
>>
>> In the FORWARDING chain, you can mark the packets based on the incoming
>> interface. Then use the mark to MASQUERADE the packets in the
>> POSTROUTING chain, e.g.:
>>
>> -t nat -A FORWARD -i eth3 -j MARK --set-mark 0xffff
>> -t nat -A POSTROUTING -m mark --mark 0xffff -j MASQUERADE
>>
>> (I hope this should work. However, I haven't tried this by myself.)
>>
>> Vignesh
>
>
> Hello,
>
> there is no FORWARD chain in the nat table. And marking in the nat
> table will only mark packets of conntrack state NEW.
> Better do the marking in the mangle or filter table.
Oops, I intended the filter table only (copy-paste error).
-t filter -A FORWARD -i eth3 -j MARK --set-mark 0xffff
Vignesh
>
> Best regards,
>
> Mart
>
* Re: About using -i with MASQUERADE
From: Pascal Hambourg @ 2016-01-29 21:25 UTC (permalink / raw)
To: mart.frauenlob; +Cc: Vigneswaran R, Fabio Pedretti, netfilter
Mart Frauenlob wrote:
> On 29.01.2016 11:10, Vigneswaran R wrote:
> [...]
>> In the FORWARDING chain, you can mark the packets based on the incoming
>> interface. Then use the mark to MASQUERADE the packets in the
>> POSTROUTING chain, e.g.:
>>
>> -t nat -A FORWARD -i eth3 -j MARK --set-mark 0xffff
>> -t nat -A POSTROUTING -m mark --mark 0xffff -j MASQUERADE
>
> there is no FORWARD chain in the nat table.
Indeed.
> And marking in the nat table
> will only mark packets of conntrack state NEW.
It doesn't matter. Anyway, MASQUERADE is in the nat table too and only
processes packets in the NEW state.
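Putting the thread together as a working script. This is an added example, not code posted by any participant: it implements the mark-based approach Vignesh proposed, with Mart's correction (the mark is set in the mangle table, not in nat, where there is no FORWARD chain) and Pascal's caveat (only the first packet of a connection, conntrack state NEW, traverses the nat table, so a per-packet mark on that packet is enough for MASQUERADE), alongside the plain -s variant from the original post. The interface names eth3 (LAN) and eth0 (uplink) and the mark value 0x1 are assumptions, not taken from the thread; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example for this thread, not code posted by any participant.
# Assumptions not in the thread: LAN interface eth3, uplink eth0, mark 0x1.
# Set IPT=echo to print the rules instead of applying them (no root needed).
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth3}"
WAN_IF="${WAN_IF:-eth0}"
MARK="${MARK:-0x1}"

# Variant A: select traffic by ingress interface.
# mangle/FORWARD still sees the ingress device, so tag the packets there,
# then let nat/POSTROUTING, which cannot use -i, match the tag instead.
masq_by_iif() {
    $IPT -t mangle -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
        -j MARK --set-mark "$MARK"
    # Only the first packet of a connection (conntrack state NEW) traverses
    # the nat table; conntrack applies the resulting mapping to the rest of
    # the connection, so a per-packet mark is sufficient (no CONNMARK needed).
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -m mark --mark "$MARK" \
        -j MASQUERADE
}

# Variant B: select traffic by source network, one rule per prefix,
# which is what the original poster planned to do.
masq_by_src() {
    for net in "$@"; do
        $IPT -t nat -A POSTROUTING -s "$net" -o "$WAN_IF" -j MASQUERADE
    done
}

# Check: dump the rules that actually landed in both tables.
show_rules() {
    $IPT -t mangle -S FORWARD
    $IPT -t nat -S POSTROUTING
}

# Usage: ./masq.sh apply        (IPT=echo ./masq.sh apply for a dry run)
if [ "${1:-}" = "apply" ]; then
    masq_by_iif
    masq_by_src 192.168.0.0/24
    show_rules
fi
```

The -o "$WAN_IF" on the POSTROUTING rules is deliberate: without it, marked or matching traffic routed back out on another internal interface would be masqueraded too. The mark is only applied to forwarded traffic; locally generated packets take the OUTPUT path and are not covered by this rule set.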
Thread overview: 6+ messages
2016-01-22 11:53 About using -i with MASQUERADE Fabio Pedretti
2016-01-22 14:07 ` Bastian Bittorf
2016-01-29 10:10 ` Vigneswaran R
2016-01-29 11:26 ` Mart Frauenlob
2016-01-29 11:34 ` Vigneswaran R
2016-01-29 21:25 ` Pascal Hambourg