
Re: Iptables a '-t nat' dude



Hi

On Mon, Jun 18, 2001 at 10:59:35AM +0200, LuisMi wrote:
> Anyone can tell me if this scheme is correct?
> 
> input -> ' -t nat' -> forward -> '-t nat' -> output
> 
> where... '-t nat' is optional
> 
> I ask this because I will put a condition like...
> $IPT -t nat -A PREROUTING -i $interfaz0 -p tcp -d $ip_eth0 --dport 80 -j
> DNAT --to-destination 172.16.1.2:80
> 
> And I don't know if I must put some rules in input and output
> 
> Can anyone explain that to me?

With ipchains, a packet going through the machine would go
through input, forward and also output.  With iptables, packets
going through the machine will NOT go through the input and
output chains.  Only the forward chains (and
prerouting/postrouting).

See the following URL for details:

http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc-6.html

So you don't need to put anything into the input/output chains
unless you want to control what is sent to/from the firewall
itself, rather than through it.

-- 
Michael Wood        | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
wood@kingsley.co.za | Fax: +27 21 761 9930 | Kingsley Technologies
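
The rule set implied by the reply above, as an added example that is not part of the original thread: the DNAT rule from the question plus the FORWARD rules that actually filter the redirected traffic, with nothing in INPUT or OUTPUT. The function name, its parameters and the internal interface argument are assumptions; by default the script only prints the commands.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Dry run by default: commands are printed, not executed.
# Set IPT=iptables and run as root to apply them.
IPT="${IPT:-echo iptables}"

# dnat_web_rules EXT_IF EXT_IP WEB_IP INT_IF   (hypothetical helper)
dnat_web_rules() {
    ext_if="$1"; ext_ip="$2"; web_ip="$3"; int_if="$4"

    # nat/PREROUTING: rewrite the destination before the routing decision
    # (the rule from the question, with its variables as parameters).
    $IPT -t nat -A PREROUTING -i "$ext_if" -p tcp -d "$ext_ip" --dport 80 \
        -j DNAT --to-destination "$web_ip:80"

    # filter/FORWARD: after DNAT the packet is routed on to $web_ip, so it
    # traverses FORWARD and is matched on the rewritten destination.
    $IPT -A FORWARD -i "$ext_if" -o "$int_if" -p tcp -d "$web_ip" --dport 80 \
        -m state --state NEW,ESTABLISHED -j ACCEPT

    # Replies from the web server also cross FORWARD, never OUTPUT;
    # connection tracking undoes the address rewrite on the way back.
    $IPT -A FORWARD -i "$int_if" -o "$ext_if" -p tcp -s "$web_ip" --sport 80 \
        -m state --state ESTABLISHED -j ACCEPT
}

# Stand-alone use: sh script.sh EXT_IF EXT_IP WEB_IP INT_IF
if [ "$#" -eq 4 ]; then
    dnat_web_rules "$@"
fi
```

The firewall only forwards these packets when IP forwarding is enabled (`/proc/sys/net/ipv4/ip_forward` set to 1).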


