
Re: SNAT vs Forwarding



Hi

On Fri, Mar 09, 2001 at 05:12:17PM -0800, Cory Petkovsek wrote:
[snip]
>     privateIP = "10.0.0.0/24"

Try changing this to 10.0.0.0/8

10.0.0.0/24 means 10.0.0.0-10.0.0.255
10.0.0.0/8 means 10.x.y.z where x, y and z can be anything in
the range 0-255.
10.0.0.0/16 means 10.0.x.y.

More generally, the number after the / means that many bits are
relevant.  If you translate the IP address into binary, start
counting from the left bit up to the number of bits specified by
the netmask and everything you've covered must stay the same
while everything after that can change.

e.g.  If your network is 192.168.98.0/23 then:
binary representation is:

11000000.10101000.01100010.00000000

Counting 23 bits from the left gives us:
11000000.10101000.0110001x.xxxxxxxx

i.e. each "x" can be either a 0 or a 1.  This means that the
first two octets are fixed at 192.168.  The third one can be
either 98 or 99 and the fourth one can be anything.

i.e. 192.168.98.0/23 means 192.168.98.0-192.168.99.255

Make sense? :)

>     # Private net 1: SNAT to outside
>     iptables -t nat -A POSTROUTING -s $intnet1 -d ! $privateIP -j SNAT \
>         --to-source $extip
> 
>     # Private net 2: SNAT to outside
>     iptables -t nat -A POSTROUTING -s $intnet2 -d ! $privateIP -j SNAT \
>         --to-source $extip
> 
> This is all I'm doing for SNAT.  I'm using DNAT to forward
> some ports, and that's it for the nat table. Then I have a
> whole host of rules in my filter table. I don't have mangle
> table support in the kernel.
> 
> For testing I had this in my filter table:
>      iptables -A FORWARD -j ACCEPT  (or policy=accept)
> 
> Connecting to the internet from either private lan works fine,
> as well as connecting to forwarded ports from the internet to
> either private lan.
> 
> The problem lies when I connect from private lan to private
> lan.  It works, however the source IP address is converted to
> my $extip, as seen from the server I'm connecting to, instead
> of a private ip.  
> 
> I thought the above rules explicitly stated:  "Anything coming
> from 10.0.x (intnet1) going to anywhere but 10.x SNAT to

No, it's going to anywhere but 10.0.0.x.

> $extip." and "Anything coming from 10.1.x(intnet2) going to
> anywhere but 10.x SNAT to $extip."  Thus the implication would
> be, "Anything else, don't nat it."  Which it should then be
> forwarded AS IS based upon the filter table.
> 
> Is this reasoning incorrect?
[snip]

All your packet counters etc. on your firewalling rules make
sense based on your 10.0.0.0/24 thing above.

Hope that helps.

-- 
Michael Wood        | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
wood@kingsley.co.za | Fax: +27 21 761 9930 | Kingsley Technologies
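As an added illustration (not part of the thread), the "count bits from the left" rule above written out as bit arithmetic, then applied to the `-s $intnet -d ! $privateIP -j SNAT` match. It assumes intnet1 is 10.0.0.0/16 and intnet2 is 10.1.0.0/16 (the "10.0.x" and "10.1.x" from the quoted mail), and uses a constructed public destination 198.51.100.1.

```python
# Added example, not code from the original thread.
# Hand-rolled CIDR matching: the leftmost `bits` bits of the address are
# fixed, everything to the right of them may vary.
from typing import Tuple


def ip_to_int(ip: str) -> int:
    """Pack a dotted-quad IPv4 string into a 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def _split(cidr: str) -> Tuple[int, int]:
    """Return (network, mask) for 'a.b.c.d/bits'; mask has `bits` leading ones."""
    addr, bits = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return ip_to_int(addr) & mask, mask


def cidr_range(cidr: str) -> Tuple[str, str]:
    """First and last address covered by the prefix (host bits all 0 / all 1)."""
    network, mask = _split(cidr)
    return int_to_ip(network), int_to_ip(network | (~mask & 0xFFFFFFFF))


def in_cidr(ip: str, cidr: str) -> bool:
    network, mask = _split(cidr)
    return (ip_to_int(ip) & mask) == network


def snat_applies(src: str, dst: str, intnet: str, private_ip: str) -> bool:
    """Model of '-s $intnet -d ! $privateIP -j SNAT': the rule matches when
    the source is inside intnet and the destination is NOT inside privateIP."""
    return in_cidr(src, intnet) and not in_cidr(dst, private_ip)


if __name__ == "__main__":
    print("192.168.98.0/23 covers", cidr_range("192.168.98.0/23"))
    # Assumed: intnet1 = 10.0.0.0/16; a lan-to-lan packet 10.0.0.5 -> 10.1.0.7.
    for private_ip in ("10.0.0.0/24", "10.0.0.0/8"):
        hit = snat_applies("10.0.0.5", "10.1.0.7", "10.0.0.0/16", private_ip)
        print(f"privateIP={private_ip}: lan-to-lan packet SNATed? {hit}")
```

With `privateIP=10.0.0.0/24` the destination 10.1.0.7 is "anywhere but 10.0.0.x", so the rule fires and rewrites the source to $extip; with 10.0.0.0/8 it does not.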