From: Cedric Blancher <blancher@cartel-securite.fr>
To: Aaron Clausen <maureen-taocow@alberni.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: cbq.init and iptables NAT routing
Date: 04 Oct 2002 02:30:56 +0200
Message-ID: <1033691456.3545.22.camel@elendil>
In-Reply-To: <Pine.LNX.4.33.0210031314220.27868-100000@ts1.alberni.net>
I checked the code, and discovered I was wrong. Shaping is done _after_
Netfilter, i.e. after POSTROUTING chain.
I just tried this:
RULE=192.168.10.1/32
I ping 192.168.10.1 and stats are growing, so it matches.
Then, I'll DNAT in OUTPUT 192.168.10.1 to 192.168.10.12
iptables -t nat -A OUTPUT -d 192.168.10.1 -j DNAT --to 192.168.10.12
It does not match anymore => DNAT is done _before_ shaping.
Now I flush
iptables -t nat -F
then set
RULE=192.168.10.11/32,
I ping 192.168.10.1, and counters are growing. It matches. Then I set
SNAT:
iptables -t nat -A POSTROUTING -d 192.168.10.1 -j SNAT --to 192.168.10.2
ip addr add 192.168.10.2 dev eth0
So I use 192.168.10.2 to emit my pings. And my class is no longer reached
=> SNAT is done _before_ shaping also...
If I set:
RULE=192.168.10.2/32,
Class is reached again. So I was wrong... Sorry.
To answer your message:
On Thu 03/10/2002 at 22:15, Aaron Clausen wrote:
> iptables -t nat -A PREROUTING -i eth0 -d 64.251.69.2 -j DNAT --to 10.102.106.2
eth0 : RULE=64.251.69.2,
eth1 : RULE=10.102.106.2
> iptables -t nat -A POSTROUTING -o eth0 -s 10.102.106.2 -j SNAT --to 64.251.69.2
eth0 : RULE=64.251.69.2,
eth1 : RULE=10.102.106.2
[...]
> iptables -t nat -A POSTROUTING -o eth0 -s 10.101.104.0/21 -j MASQUERADE
eth0 : RULE=<eth0_IP>,
eth1 : RULE=10.101.104.0/21
Hope this will help you at last, and sorry again for the mistake. Going
to bed now, seems to be high time ;)
--
Cédric Blancher <blancher@cartel-securite.fr>
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
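As an added illustration (not code from the thread or from cbq.init), a small Python model of the packet path the mail establishes: DNAT in PREROUTING/OUTPUT, then routing, then SNAT/MASQUERADE in POSTROUTING, and only then the egress qdisc where cbq.init's filters run. The routing table and device addresses are assumptions; the nat rules are the three quoted above, and cbq.init's convention that a trailing comma makes RULE match the source address is used to check which RULE each interface needs.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table and device addresses (assumptions): longest prefix wins.
ROUTES = [("10.101.104.0/21", "eth1"), ("10.102.106.0/24", "eth1"),
          ("0.0.0.0/0", "eth0")]
DEV_ADDR = {"eth0": "64.251.69.1", "eth1": "10.101.104.1"}

def route(dst):
    hits = [r for r in ROUTES if ip_address(dst) in ip_network(r[0])]
    return max(hits, key=lambda r: ip_network(r[0]).prefixlen)[1]

def nat_rule_matches(rule, src, dst, in_dev, out_dev):
    """Evaluate the -s/-d/-i/-o selectors of one iptables nat rule."""
    m = rule["match"]
    return (("s" not in m or ip_address(src) in ip_network(m["s"])) and
            ("d" not in m or ip_address(dst) in ip_network(m["d"])) and
            ("i" not in m or m["i"] == in_dev) and
            ("o" not in m or m["o"] == out_dev))

def shaped_view(src, dst, nat_rules, in_dev=None):
    """Walk one packet through the nat hooks in the order the mail found
    (DNAT -> routing -> SNAT/MASQUERADE -> egress qdisc) and return
    (out_dev, src, dst) as the qdisc on out_dev sees it. in_dev=None means a
    locally generated packet, which traverses OUTPUT instead of PREROUTING.
    Real NAT binds the mapping via conntrack on a connection's first packet;
    applying the rule per packet yields the same addresses for this purpose."""
    pre = "OUTPUT" if in_dev is None else "PREROUTING"
    for r in nat_rules:
        if r["chain"] == pre and nat_rule_matches(r, src, dst, in_dev, None):
            dst = r["to"]; break           # DNAT rewrites dst before routing
    out_dev = route(dst)                   # routing decision uses the new dst
    for r in nat_rules:
        if r["chain"] == "POSTROUTING" and nat_rule_matches(r, src, dst, in_dev, out_dev):
            src = DEV_ADDR[out_dev] if r["target"] == "MASQUERADE" else r["to"]; break
    return out_dev, src, dst               # what a RULE= filter is tested against

def cbq_rule_hits(rule, src, dst):
    """cbq.init RULE semantics: 'addr' matches the destination, 'addr,'
    (trailing comma, as in the eth0/eth1 lines above) matches the source."""
    if rule.endswith(","):
        return ip_address(src) in ip_network(rule[:-1], strict=False)
    return ip_address(dst) in ip_network(rule, strict=False)

# Aaron's three nat rules, transcribed from the quoted iptables lines.
AARON_RULES = [
    {"chain": "PREROUTING", "match": {"i": "eth0", "d": "64.251.69.2"},
     "target": "DNAT", "to": "10.102.106.2"},
    {"chain": "POSTROUTING", "match": {"o": "eth0", "s": "10.102.106.2"},
     "target": "SNAT", "to": "64.251.69.2"},
    {"chain": "POSTROUTING", "match": {"o": "eth0", "s": "10.101.104.0/21"},
     "target": "MASQUERADE"},
]
```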
Thread overview:
2002-10-03 16:30 cbq.init and iptables NAT routing Aaron Clausen
2002-10-03 19:12 ` Cedric Blancher
2002-10-03 20:15 ` Aaron Clausen
2002-10-04 0:30 ` Cedric Blancher [this message]