From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: How multiple PCs on private LAN possible if incoming is DNAT'd to *same* server *always*?
Date: Thu, 3 Feb 2005 12:35:06 -0500
Message-ID: <20050203173506.GA4619@bender.817west.com>
In-Reply-To: <20050203172500.GB29677@spawar.navy.mil>
On Thu, Feb 03, 2005 at 09:25:00AM -0800, seberino@spawar.navy.mil wrote:
> I got an iptables script for a NAT-ing firewall that
> forwards packets between Internet and a private LAN.
>
> All incoming packets are destination NAT'd to end up
> at a single server on the private LAN.
so you have a rule that says:
iptables -t nat -A PREROUTING -i $EXT_IF \
-j DNAT --to-destination $SINGLE_SERVER_IP
> **I don't understand how ANY packets can ever arrive
> at ANY other PC on the private LAN since they
> are ALL destination NAT'd to go to same private server IP
> address!?!?**
um--any NEW packets arriving inbound on $EXT_IF would have their
destination IP translated to $SINGLE_SERVER_IP, yes.
> If some arbitrary client on private LAN wants to visit
> a web page, somehow his traffic arrives back at himself
> without any specific NAT rules to get packets to him!??
ah--it seems you are confusing DNAT and SNAT. when a machine on the
inside makes an outbound request (that passes all your filter rules) it
is probably hitting some sort of SNAT rule like:
iptables -t nat -A POSTROUTING -o $EXT_IF -j SNAT --to-source $EXT_IP
this will create a conntrack entry that will be able to map the reply
packet back to the correct client by matching:
src_ip,src_port,dst_ip,dst_port
> I know it has something to do with ESTABLISHED,RELATED
> state ACCEPT-ing rules but this has always confused me.
sorta. keep in mind that rules in "-t nat" are only applied to packets
with state NEW--this is probably the piece you're missing.
> Do you understand the question?
maybe.
-j
--
"Please do not offer my god a peanut"
--The Simpsons
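The mechanics Jason describes (nat-table rules seen only by NEW packets, the conntrack entry recorded from the translated packet, replies mapped back by their 4-tuple) can be made concrete with a small model. The following is an added example written for this page, not code from the thread or from netfilter itself: it is a toy in-memory conntrack/NAT box with assumed interface names eth0/eth1, assumed addresses from the documentation ranges standing in for $EXT_IP and $SINGLE_SERVER_IP, no filter table, and no port remapping on collisions (real conntrack does more).

```python
"""Toy model of netfilter conntrack + NAT (added example, not netfilter code).

Assumed values (not from the thread): eth0 is $EXT_IF, eth1 is the LAN side,
203.0.113.10 is $EXT_IP, 192.168.1.10 is $SINGLE_SERVER_IP. Only the nat
table and the conntrack lookup are modelled; every packet is accepted.
"""
from dataclasses import dataclass, replace

EXT_IF, INT_IF = "eth0", "eth1"       # assumed interface names
EXT_IP = "203.0.113.10"               # assumed $EXT_IP
SINGLE_SERVER_IP = "192.168.1.10"     # assumed $SINGLE_SERVER_IP
LAN_PREFIX = "192.168.1."             # assumed private LAN


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    sport: int
    dst: str
    dport: int

    def tuple4(self):
        return (self.src, self.sport, self.dst, self.dport)


def reverse(t):
    """Swap the endpoints of a (src, sport, dst, dport) tuple."""
    src, sport, dst, dport = t
    return (dst, dport, src, sport)


def route(dst):
    """Routing decision; it happens after PREROUTING, so after any DNAT."""
    return INT_IF if dst.startswith(LAN_PREFIX) else EXT_IF


class NatBox:
    def __init__(self):
        # conntrack table: list of (original tuple, expected reply tuple)
        self.conntrack = []

    def _lookup(self, pkt):
        t = pkt.tuple4()
        for orig, reply in self.conntrack:
            if t == orig:
                return "ESTABLISHED", "ORIGINAL", (orig, reply)
            if t == reply:
                return "ESTABLISHED", "REPLY", (orig, reply)
        return "NEW", "ORIGINAL", None

    def process(self, pkt):
        """Return (conntrack state, outgoing interface, packet as it leaves)."""
        state, direction, entry = self._lookup(pkt)
        if state == "ESTABLISHED":
            # The nat table is NOT consulted; the translation is read back
            # from the existing entry, which is how a reply finds the client.
            orig, reply = entry
            if direction == "ORIGINAL":
                src, sport, dst, dport = reverse(reply)
            else:
                src, sport, dst, dport = reverse(orig)
            out = replace(pkt, src=src, sport=sport, dst=dst, dport=dport)
            return state, route(out.dst), out

        # NEW packet: walk the nat table.
        out = pkt
        # iptables -t nat -A PREROUTING -i $EXT_IF -j DNAT --to-destination $SINGLE_SERVER_IP
        if pkt.in_if == EXT_IF:
            out = replace(out, dst=SINGLE_SERVER_IP)
        out_if = route(out.dst)
        # iptables -t nat -A POSTROUTING -o $EXT_IF -j SNAT --to-source $EXT_IP
        if out_if == EXT_IF:
            out = replace(out, src=EXT_IP)
        # Record the entry: the reply tuple is the *translated* packet reversed.
        self.conntrack.append((pkt.tuple4(), reverse(out.tuple4())))
        return state, out_if, out


def demo():
    """Walk the two cases from the thread; returns a dict for inspection."""
    box = NatBox()
    client, web, remote = "192.168.1.55", "198.51.100.5", "198.51.100.7"
    results = {}
    # 1. an inside client opens a web connection: NEW, SNAT'd on the way out
    st, oif, p = box.process(Packet(INT_IF, client, 40000, web, 80))
    results["out_new"] = (st, oif, p.src, p.dst)
    # 2. the web server's reply arrives on eth0 addressed to EXT_IP: it is
    #    ESTABLISHED, so the DNAT rule is never evaluated and conntrack
    #    rewrites the destination back to the client
    st, oif, p = box.process(Packet(EXT_IF, web, 80, EXT_IP, 40000))
    results["out_reply"] = (st, oif, p.dst, p.dport)
    # 3. an unrelated NEW inbound connection really is DNAT'd to the server
    st, oif, p = box.process(Packet(EXT_IF, remote, 51234, EXT_IP, 22))
    results["in_new"] = (st, oif, p.dst)
    # 4. the server's reply is un-DNAT'd so the remote host sees EXT_IP
    st, oif, p = box.process(Packet(INT_IF, SINGLE_SERVER_IP, 22, remote, 51234))
    results["in_reply"] = (st, oif, p.src)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Step 2 is the answer to the original question: the reply to the client's request arrives on the external interface with the same destination as every other inbound packet, but its 4-tuple matches the reply side of a conntrack entry, so it is ESTABLISHED, skips `-t nat` entirely, and is delivered to the client that created the entry.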