[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: SNAT out same interface packets come in

On Tue, 2003-05-27 at 17:26, Jean Christophe ANDRÉ wrote:
> Mark Devin écrivait :
> > Customers trying to connect to services on the internet send traffic to
> > the router which forwards it to the firewall box.  The firewall box then
> > needs to NAT these packets and send them back out the same interface to
> > the router.  The router then will send these packets (now with source
> > address of the firewall) out to the internet.
> > 
> > How do you do this?  Is it possible?
> Using routing policy on the router (to route to firewall), and
> using SNAT on the firewall. Yes, it is possible: I use it already.
> > I was thinking having a POSTROUTING rule like:
> > $IPTABLES -t nat -A POSTROUTING -o eth0 -s \
> > ~    -j SNAT --to-source $INET_IPADDR
> This is ok.
> > And then two FORWARD rules like:
> > $IPTABLES -A FORWARD -i eth0 -o eth0 -s -j ACCEPT
> Ok.
> > $IPTABLES -A FORWARD -i eth0 -o eth0 -d -j ACCEPT
> This is right, but you may prefer something like this:
> > Notice that in interface and the out interface are both eth0.  I am
> > confused about this.  Can you even have a rule on the FORWARD chain
> > which goes in and out the same interface?
> Yes. No problem with this. The paquet is coming from one interface to
> the firewall, the routing process apply on it and forward it to the next
> interface by routing policy (the same in this case).
That is beautiful.  Thank you so much for enlightening me.  I was having
trouble getting my head around whether packets could be on the FORWARD
chain but still coming in and going out the same interface.

I hope you don't mind me CC'ing the list with this reply so that others
can read your good explanation too.


Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: