
Re: SNAT vs Forwarding



Hi Cory

On Mon, Mar 12, 2001 at 10:38:34AM -0800, Cory Petkovsek wrote:
> Hi Michael, thanks.
> 
> I understand how subnetting works, but perhaps not other
> things (apparently).  I did this:
> privateIP = "10.0.0.0/24"
> So I could match, anything that starts with a 10.

No.  That would only match 10.0.0.anything, not 10.anything.
(i.e. it would NOT match 10.1.2.3 or 10.0.5.6 etc.)  See below
for details.

> I believe (please check me if I'm wrong) that ip packets do
> not carry a subnet with them, just ip addresses.  Meaning

That is correct.  This isn't really about subnets, though.

> !$privateIP should match 10.0.0.5 and 10.1.0.5, regardless of
> the subnets the machines are configured with.

Nope :)  You're right that it doesn't depend on the subnets the
machines are configured with, but that doesn't make 10.0.0.0/24
match 10.anything :)

> [snip]
> > >     # Private net 1: SNAT to outside
> > >     iptables -t nat -A POSTROUTING -s $intnet1 -d ! $privateIP -j SNAT \
> > >         --to-source $extip
> > >
> > >     # Private net 2: SNAT to outside
> > >     iptables -t nat -A POSTROUTING -s $intnet2 -d ! $privateIP -j SNAT \
> > >         --to-source $extip
> > > I thought the above rules explicitly stated:  "Anything coming
> > > from 10.0.x (intnet1) going to anywhere but 10.x SNAT to
> > 
> > No, it's going to anywhere but 10.0.0.x.
> 
> A packet without subnet information should match those rules, right?
> -s 10.0.0.0/8 or -s 10.0.0.0/16 or -s 10.0.0.0/24
> should all match a packet with a source of 10.0.0.5,
> regardless of subnet mask.  Or am I way off base?

10.0.0.0/8 will match 10.0.0.5, or 10.1.0.5 (or 10.255.255.5
etc.)

10.0.0.0/16 will match 10.0.0.5, but NOT 10.1.0.5.  It WILL
match 10.0.255.5, though.

10.0.0.0/24 will match 10.0.0.5, but NOT 10.1.0.5 or even
10.0.255.5.  It will ONLY match 10.0.0.x, where x is in the
range 0 - 255.

10.0.0.0 in binary is:
00001010.00000000.00000000.00000000

/24 means the first three octets are significant in the packet
you're trying to match.

10.0.0.5 in binary is:
00001010.00000000.00000000.00000101

The first 24 bits of that are:
00001010.00000000.00000000

The first 24 bits of 10.0.0.0 are the same, therefore the packet
matches.

Now, let's check 10.1.0.5.  In binary, this is:
00001010.00000001.00000000.00000101

The first 24 bits of this (because of the /24 again) are:
00001010.00000001.00000000

This is NOT the same as the first 24 bits of 10.0.0.0.
Therefore the packet does NOT match.

Now, let's try a rule with 10.0.0.0/8 instead of /24.
IP       -> binary                              -> first 8
10.0.0.0 -> 00001010.00000000.00000000.00000000 -> 00001010
10.0.0.5 -> 00001010.00000000.00000000.00000101 -> 00001010
10.1.0.5 -> 00001010.00000001.00000000.00000101 -> 00001010

These are all the same, therefore both packets match the rule.

Does it make sense now?

i.e. you should change your privateIP = "10.0.0.0/24" to
"10.0.0.0/8"

Hope that helps.

-- 
Michael Wood        | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
wood@kingsley.co.za | Fax: +27 21 761 9930 | Kingsley Technologies
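The prefix comparison Michael walks through above, as an added example that is not part of the original thread: it masks both the rule's network and the packet's address to the first N bits, exactly as the /8, /16 and /24 cases are worked out in the mail, and then applies the same test to the `-s $intnet1 -d ! $privateIP` rule. The values of `intnet1` and `privateIP` below are assumed for illustration (the thread only gives `privateIP = "10.0.0.0/24"` and says intnet1 is "10.0.x"); `ip_to_int`, `prefix_mask`, `cidr_match` and `snat_rule_applies` are names chosen here, not netfilter APIs.

```python
# Added example, not code from the mailing-list thread: CIDR prefix matching
# done by hand so the /8 vs /16 vs /24 behaviour discussed above can be checked.


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 address -> 32-bit integer (octets validated)."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | n
    return value


def to_binary(addr: str) -> str:
    """Dotted binary form, the same layout Michael's listing uses."""
    return ".".join(f"{int(o):08b}" for o in addr.split("."))


def prefix_mask(prefix_len: int) -> int:
    """Netmask for a /N prefix: top N bits set, the rest clear."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"bad prefix length {prefix_len}")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def cidr_match(cidr: str, addr: str) -> bool:
    """True if addr falls inside cidr ("a.b.c.d/N"; a bare address means /32).

    Only the first N bits are significant, so both sides are masked before
    comparison; the host's own subnet configuration never enters into it.
    """
    net, _, plen = cidr.partition("/")
    mask = prefix_mask(int(plen) if plen else 32)
    return (ip_to_int(net) & mask) == (ip_to_int(addr) & mask)


def snat_rule_applies(src_cidr: str, dst_exclude_cidr: str,
                      src: str, dst: str) -> bool:
    """Mirror of `-s $src_cidr -d ! $dst_exclude_cidr -j SNAT`:
    the source must match and the destination must NOT match."""
    return cidr_match(src_cidr, src) and not cidr_match(dst_exclude_cidr, dst)


# Assumed values for illustration (only privateIP's /24 is from the thread).
INTNET1 = "10.0.0.0/16"
PRIVATE_IP_AS_POSTED = "10.0.0.0/24"   # Cory's original setting
PRIVATE_IP_SUGGESTED = "10.0.0.0/8"    # Michael's suggested fix


def intra_private_traffic_gets_snatted(private_ip: str) -> bool:
    """Does a packet from private net 1 to 10.1.0.5 (another private host)
    hit the SNAT rule with this privateIP setting?  It should not."""
    return snat_rule_applies(INTNET1, private_ip, "10.0.0.5", "10.1.0.5")


if __name__ == "__main__":
    for cidr in ("10.0.0.0/8", "10.0.0.0/16", "10.0.0.0/24"):
        for addr in ("10.0.0.5", "10.0.255.5", "10.1.0.5"):
            print(f"{cidr:<12} {addr:<12} {to_binary(addr)}  "
                  f"{'match' if cidr_match(cidr, addr) else 'no match'}")
    print("SNAT hits intra-private traffic with /24:",
          intra_private_traffic_gets_snatted(PRIVATE_IP_AS_POSTED))
    print("SNAT hits intra-private traffic with /8: ",
          intra_private_traffic_gets_snatted(PRIVATE_IP_SUGGESTED))
```

With the /24 setting the rule SNATs traffic between the two private networks, which is the symptom behind the thread; with /8 the `-d !` exclusion covers all of 10.x and that traffic is forwarded unchanged.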