* How multiple PCs on private LAN possible if incoming is DNAT'd to *same* server *always*?
@ 2005-02-03 17:25 seberino
2005-02-03 17:35 ` Jason Opperisano
0 siblings, 1 reply; 6+ messages in thread
From: seberino @ 2005-02-03 17:25 UTC (permalink / raw)
To: netfilter
I got an iptables script for a NAT-ing firewall that
forwards packets between Internet and a private LAN.
All incoming packets are destination NAT'd to end up
at a single server on the private LAN.
**I don't understand how ANY packets can ever arrive
at ANY other PC on the private LAN since they
are ALL destination NAT'd to go to same private server IP
address!?!?**
If some arbitrary client on private LAN wants to visit
a web page, somehow his traffic arrives back at himself
without any specific NAT rules to get packets to him!??
I know it has something to do with ESTABLISHED,RELATED
state ACCEPT-ing rules but this has always confused me.
Do you understand the question?
Any help greatly appreciated.
Sincerely,
Chris
* Re: How multiple PCs on private LAN possible if incoming is DNAT'd to *same* server *always*?
@ 2005-02-03 17:35 ` Jason Opperisano
From: Jason Opperisano @ 2005-02-03 17:35 UTC (permalink / raw)
To: netfilter
On Thu, Feb 03, 2005 at 09:25:00AM -0800, seberino@spawar.navy.mil wrote:
> I got an iptables script for a NAT-ing firewall that
> forwards packets between Internet and a private LAN.
>
> All incoming packets are destination NAT'd to end up
> at a single server on the private LAN.
so you have a rule that says:
iptables -t nat -A PREROUTING -i $EXT_IF \
-j DNAT --to-destination $SINGLE_SERVER_IP
> **I don't understand how ANY packets can ever arrive
> at ANY other PC on the private LAN since they
> are ALL destination NAT'd to go to same private server IP
> address!?!?**
um--any NEW packets arriving inbound on $EXT_IF would have their
destination IP translated to $SINGLE_SERVER_IP, yes.
> If some arbitrary client on private LAN wants to visit
> a web page, somehow his traffic arrives back at himself
> without any specific NAT rules to get packets to him!??
ah--it seems you are confusing DNAT and SNAT. when a machine on the
inside makes an outbound request (that passes all your filter rules) it
is probably hitting some sort of SNAT rule like:
iptables -t nat -A POSTROUTING -o $EXT_IF -j SNAT --to-source $EXT_IP
this will create a conntrack entry that will be able to map the reply
packet back to the correct client by matching:
src_ip,src_port,dst_ip,dst_port
> I know it has something to do with ESTABLISHED,RELATED
> state ACCEPT-ing rules but this has always confused me.
sorta. keep in mind that rules in "-t nat" are only applied to packets
with state NEW--this is probably the piece you're missing.
> Do you understand the question?
maybe.
-j
--
"Please do not offer my god a peanut"
--The Simpsons
* Re: How multiple PCs on private LAN possible if incoming is DNAT'd to *same* server *always*?
@ 2005-02-03 22:59 ` seberino
From: seberino @ 2005-02-03 22:59 UTC (permalink / raw)
To: Jason Opperisano, netfilter
> iptables -t nat -A PREROUTING -i $EXT_IF \
> -j DNAT --to-destination $SINGLE_SERVER_IP
> sorta. keep in mind that rules in "-t nat" are only applied to packets
> with state NEW--this is probably the piece you're missing.
Jason
I appreciate the care you've put into making strong iptables scripts
and helping people on this list. I understand your explanation
but I don't see how a newbie would have known that the iptables
rule above is to be ONLY applied to NEW state packets.
Doesn't EVERY incoming packet go through PREROUTING?? And hence,
the rule above will be applied to ALL incoming packets right?!?
I don't see any place above where it says '**this only applies
to NEW state packets**'. You must be right but I'm just wondering
how I would have figured that out on my own. :)
Chris
* Re: How multiple PCs on private LAN possible if incoming is DNAT'd to *same* server *always*?
@ 2005-02-03 23:11 ` Jason Opperisano
From: Jason Opperisano @ 2005-02-03 23:11 UTC (permalink / raw)
To: netfilter
On Thu, 2005-02-03 at 17:59, seberino@spawar.navy.mil wrote:
> > iptables -t nat -A PREROUTING -i $EXT_IF \
> > -j DNAT --to-destination $SINGLE_SERVER_IP
>
> > sorta. keep in mind that rules in "-t nat" are only applied to packets
> > with state NEW--this is probably the piece you're missing.
>
> Jason
>
> I appreciate the care you've put into making strong iptables scripts
> and helping people on this list. I understand your explanation
> but I don't see how a newbie would have known that the iptables
> rule above is to be ONLY applied to NEW state packets.
sorry if it sounded like i was reprimanding you for not knowing--i
really just meant to let you know. i don't expect that a newbie would
know that--that's why i responded to your post.
> Doesn't EVERY incoming packet go through PREROUTING?? And hence,
> the rule above will be applied to ALL incoming packets right?!?
your statement is true for -t mangle PREROUTING, -t nat is not traversed
by every packet, no.
> I don't see any place above where it says '**this only applies
> to NEW state packets**'. You must be right but I'm just wondering
> how I would have figured that out on my own. :)
i probably read it somewhere at some point...maybe in that building
linux firewalls book by that guy...
-j
--
"The only monster here is the gambling monster that has enslaved your
mother! I call him Gamblor, and it's time to snatch your mother from
his neon claws!"
--The Simpsons
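To make the two points above concrete (a client's reply is mapped back by conntrack without any rule of its own, and the `-t nat` chains are consulted only for the first packet of a connection while `-t mangle PREROUTING` sees every packet), here is an added toy model of the DNAT/SNAT ruleset quoted earlier in this thread. It is illustrative Python written for this page, not code from the thread or from netfilter. The addresses are constructed (RFC 5737 documentation ranges), interface names, ports and the hit counters are assumptions, ports are never remapped (real SNAT may pick a new source port on collision), and the filter table is left out.

```python
"""Toy model of how the netfilter nat table and conntrack cooperate.

Added example, not code from the thread. Addresses are constructed
(RFC 5737 documentation ranges); ports are never remapped, which real
SNAT may do on collision; the filter table is not modelled.
"""
from dataclasses import dataclass

EXT_IF, INT_IF = "eth0", "eth1"      # $EXT_IF and the LAN side (assumed names)
EXT_IP = "203.0.113.10"              # public address on $EXT_IF (constructed)
SINGLE_SERVER_IP = "192.168.1.10"    # target of the blanket DNAT rule (constructed)
LAN_PREFIX = "192.168.1."            # what the routing table treats as "inside"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def tup(self):
        # the 4-tuple conntrack keys on: src_ip,src_port,dst_ip,dst_port
        return (self.src, self.sport, self.dst, self.dport)


def reverse(t):
    """Swap the endpoints of a 4-tuple: the tuple a reply packet carries."""
    return (t[2], t[3], t[0], t[1])


def route(dst_ip):
    """Routing decision taken between PREROUTING and POSTROUTING."""
    return INT_IF if dst_ip.startswith(LAN_PREFIX) else EXT_IF


class Firewall:
    def __init__(self):
        # conntrack table: original-direction tuple -> tuple after NAT
        self.conntrack = {}
        self.hits = {"mangle PREROUTING": 0, "nat PREROUTING": 0, "nat POSTROUTING": 0}

    def _lookup(self, t):
        """Return (state, translated tuple) the way conntrack would."""
        for orig, nat in self.conntrack.items():
            if t == orig:            # same direction as the first packet
                return "ESTABLISHED", nat
            if t == reverse(nat):    # reply direction: undo the stored NAT
                return "ESTABLISHED", reverse(orig)
        return "NEW", None

    def forward(self, pkt, in_if):
        """Push one packet through the hooks; return (state, out_pkt, out_if)."""
        self.hits["mangle PREROUTING"] += 1      # every packet traverses mangle
        state, nat = self._lookup(pkt.tup)
        if state == "NEW":
            src, sport, dst, dport = pkt.tup
            # -t nat PREROUTING is consulted only for this first packet
            self.hits["nat PREROUTING"] += 1
            if in_if == EXT_IF:
                dst = SINGLE_SERVER_IP           # -i $EXT_IF -j DNAT --to-destination $SINGLE_SERVER_IP
            # -t nat POSTROUTING, after the routing decision
            self.hits["nat POSTROUTING"] += 1
            if route(dst) == EXT_IF:
                src = EXT_IP                     # -o $EXT_IF -j SNAT --to-source $EXT_IP
            nat = (src, sport, dst, dport)
            self.conntrack[pkt.tup] = nat        # remembered for the rest of the connection
        out = Packet(*nat)
        return state, out, route(out.dst)


def demo():
    """Four constructed packets: a LAN client's web request and reply, then
    an unsolicited inbound connection that hits the DNAT rule and its reply."""
    fw = Firewall()
    trace = [
        # 1. LAN client 192.168.1.50 opens a web connection to 198.51.100.7
        fw.forward(Packet("192.168.1.50", 40000, "198.51.100.7", 80), INT_IF),
        # 2. the web server's reply arrives on eth0 addressed to the public IP
        fw.forward(Packet("198.51.100.7", 80, EXT_IP, 40000), EXT_IF),
        # 3. unsolicited inbound SSH from the Internet: NEW, so DNAT applies
        fw.forward(Packet("198.51.100.99", 5555, EXT_IP, 22), EXT_IF),
        # 4. the LAN server's reply is un-DNATed with no SNAT rule at all
        fw.forward(Packet(SINGLE_SERVER_IP, 22, "198.51.100.99", 5555), INT_IF),
    ]
    return fw, trace


if __name__ == "__main__":
    fw, trace = demo()
    for state, out, out_if in trace:
        print(f"{state:11s} {out.src}:{out.sport} -> {out.dst}:{out.dport} via {out_if}")
    print(fw.hits)
```

Packet 2 arrives on the external interface exactly like packet 3, yet it is delivered to 192.168.1.50 rather than to $SINGLE_SERVER_IP: conntrack already holds a mapping for it, so the nat PREROUTING chain is never consulted and the DNAT rule never sees it. After the four packets the mangle counter reads 4 while both nat counters read 2, one per connection.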
* Re: How multiple PCs on private LAN possible if incoming is DNAT'd to *same* server *always*?
@ 2005-02-04 0:46 ` seberino
From: seberino @ 2005-02-04 0:46 UTC (permalink / raw)
To: Jason Opperisano; +Cc: netfilter
> > Doesn't EVERY incoming packet go through PREROUTING?? And hence,
> > the rule above will be applied to ALL incoming packets right?!?
>
> your statement is true for -t mangle PREROUTING, -t nat is not traversed
> by every packet, no.
Whoa! I didn't know that there is a PREROUTING for //both//
mangle and nat tables!!!
So mangle PREROUTING for all packets and nat PREROUTING only for
NEW state packets. Beautiful!!! Now I get it!!!
Thanks again for the help!
Chris
* Re: How multiple PCs on private LAN possible if incoming is DNAT'd to *same* server *always*?
@ 2005-02-04 13:41 ` Georgi Alexandrov
From: Georgi Alexandrov @ 2005-02-04 13:41 UTC (permalink / raw)
To: seberino; +Cc: netfilter
seberino@spawar.navy.mil wrote:
>>> Doesn't EVERY incoming packet go through PREROUTING?? And hence,
>>> the rule above will be applied to ALL incoming packets right?!?
>>
>> your statement is true for -t mangle PREROUTING, -t nat is not traversed
>> by every packet, no.
>
> Whoa! I didn't know that there is a PREROUTING for //both//
> mangle and nat tables!!!
>
> So mangle PREROUTING for all packets and nat PREROUTING only for
> NEW state packets. Beautiful!!! Now I get it!!!
>
> Thanks again for the help!
>
> Chris
Take a look at this:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TRAVERSINGOFTABLES
Georgi Alexandrov