FORWARDING and NAT chains

FORWARDING and NAT chains

[Srinivasa Hebbar]

Hello,

I believe that the NAT PREROUTING and POSTROUTING will 
always takes place for all the incoming/outgoing packets
irrespective of whether the packet is destined to the node or not.

I have a situvation that if the dest. IP address of the packet is
for the local node, then apply NAT rule, otherwise it should simply
forward the packet according to the routing table.

How can I achive the above?

Any help is very much appreciated.

Regards,
S. Hebbar.

Re: FORWARDING and NAT chains

[Ray Leach]

[-- Attachment #1: Type: text/plain, Size: 864 bytes --]

On Thu, 2004-01-29 at 16:02, Srinivasa Hebbar wrote:
> Hello,
> 
> I believe that the NAT PREROUTING and POSTROUTING will 
> always takes place for all the incoming/outgoing packets
> irrespective of whether the packet is destined to the node or not.
> 
> I have a situvation that if the dest. IP address of the packet is
> for the local node, then apply NAT rule, otherwise it should simply
> forward the packet according to the routing table.
> 
> How can I achive the above?
> 
Use the INPUT chain of the nat table.

> Any help is very much appreciated.
> 
> Regards,
> S. Hebbar.
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: FORWARDING and NAT chains

[Antony Stone]

On Friday 30 January 2004 5:50 am, Ray Leach wrote:

> On Thu, 2004-01-29 at 16:02, Srinivasa Hebbar wrote:
> > Hello,
> >
> > I believe that the NAT PREROUTING and POSTROUTING will
> > always takes place for all the incoming/outgoing packets
> > irrespective of whether the packet is destined to the node or not.
> >
> > I have a situvation that if the dest. IP address of the packet is
> > for the local node, then apply NAT rule, otherwise it should simply
> > forward the packet according to the routing table.
> >
> > How can I achive the above?
>
> Use the INPUT chain of the nat table.

What does this mean?   nat can be done in PREROUTING or POSTROUTING (as 
Srinivasa correctly said).   You cannot do nat in INPUT.

Antony.

-- 
Anything that improbable is effectively impossible.

 - Murray Gell-Mann, Novel Prizewinner in Physics

                                                     Please reply to the list;
                                                           please don't CC me.

Re: FORWARDING and NAT chains

[Antony Stone]

On Thursday 29 January 2004 2:02 pm, Srinivasa Hebbar wrote:

> Hello,
>
> I believe that the NAT PREROUTING and POSTROUTING will
> always takes place for all the incoming/outgoing packets
> irrespective of whether the packet is destined to the node or not.
>
> I have a situvation that if the dest. IP address of the packet is
> for the local node, then apply NAT rule, otherwise it should simply
> forward the packet according to the routing table.
>
> How can I achive the above?

Place the destination address in the nat rule, eg:

iptables -A PREROUTING -t nat -d ! my.ip.add.ress -j DNAT --to a.b.c.d

This means "destination nat all packets which are not addressed to 
my.ip.add.ress and send them to a.b.c.d".

Regards,

Antony.

-- 
"The joy of X!!??  I've always hated compiling graphical shite.  You have a 10 
line program, and it ends up depending on the entire known universe."

 - Philip Hands

                                                     Please reply to the list;
                                                           please don't CC me.

Re: FORWARDING and NAT chains

[John A. Sullivan III]

On Fri, 2004-01-30 at 05:25, Antony Stone wrote:
> On Thursday 29 January 2004 2:02 pm, Srinivasa Hebbar wrote:
> 
> > Hello,
> >
> > I believe that the NAT PREROUTING and POSTROUTING will
> > always takes place for all the incoming/outgoing packets
> > irrespective of whether the packet is destined to the node or not.
> >
> > I have a situvation that if the dest. IP address of the packet is
> > for the local node, then apply NAT rule, otherwise it should simply
> > forward the packet according to the routing table.
> >
> > How can I achive the above?
> 
> Place the destination address in the nat rule, eg:
> 
> iptables -A PREROUTING -t nat -d ! my.ip.add.ress -j DNAT --to a.b.c.d
> 
> This means "destination nat all packets which are not addressed to 
> my.ip.add.ress and send them to a.b.c.d".
> 
> Regards,
> 
> Antony.
This is true but she went on to state in a later e-mail that she has
many interfaces and needs to exclude two.  That's a knarly problem I've
run into many times with the limitation of only being able to specify a
single address/subnet (or a contiguous range with iprange) in
destination and source.  

I suggested using a RETURN target to bypass processing for the two
excluded interfaces although I was surprised to not find RETURN in my
man page. I hope I wasn't having a premature senior moment when I
recalled the RETURN target! Thanks - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com

Re: FORWARDING and NAT chains

[Antony Stone]

On Friday 30 January 2004 12:23 pm, John A. Sullivan III wrote:

> On Fri, 2004-01-30 at 05:25, Antony Stone wrote:
> >
> > Place the destination address in the nat rule, eg:
> >
> > iptables -A PREROUTING -t nat -d ! my.ip.add.ress -j DNAT --to a.b.c.d
> >
> > This means "destination nat all packets which are not addressed to
> > my.ip.add.ress and send them to a.b.c.d".
>
> This is true but she went on to state in a later e-mail that she has
> many interfaces and needs to exclude two.  That's a knarly problem I've
> run into many times with the limitation of only being able to specify a
> single address/subnet (or a contiguous range with iprange) in
> destination and source.
>
> I suggested using a RETURN target to bypass processing for the two
> excluded interfaces although I was surprised to not find RETURN in my
> man page. I hope I wasn't having a premature senior moment when I
> recalled the RETURN target! Thanks - John

Oh, okay - try using ACCEPT in the nat table to stop packets continuing to 
later rules..

RETURN is only valid for user-defined chains (I think).

Regards,

Antony.

-- 
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)

                                                     Please reply to the list;
                                                           please don't CC me.