On Tue, 2003-05-27 at 17:26, Jean Christophe ANDRÉ wrote:
> Mark Devin wrote:
> > Customers trying to connect to services on the internet send traffic to
> > the router which forwards it to the firewall box. The firewall box then
> > needs to NAT these packets and send them back out the same interface to
> > the router. The router then will send these packets (now with source
> > address of the firewall) out to the internet.
> >
> > How do you do this? Is it possible?
>
> Using routing policy on the router (to route to firewall), and
> using SNAT on the firewall. Yes, it is possible: I use it already.
>
> > I was thinking of having a POSTROUTING rule like:
> > $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.17.0/24 \
> >     -j SNAT --to-source $INET_IPADDR
>
> This is ok.
>
> > And then two FORWARD rules like:
> > $IPTABLES -A FORWARD -i eth0 -o eth0 -s 192.168.17.0/24 -j ACCEPT
>
> Ok.
>
> > $IPTABLES -A FORWARD -i eth0 -o eth0 -d 192.168.17.0/24 -j ACCEPT
>
> This is right, but you may prefer something like this:
> $IPTABLES -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> > Notice that the in interface and the out interface are both eth0. I am
> > confused about this. Can you even have a rule on the FORWARD chain
> > which goes in and out the same interface?
>
> Yes. No problem with this. The packet is coming from one interface to
> the firewall, the routing process applies to it and forwards it to the next
> interface by routing policy (the same in this case).

That is beautiful. Thank you so much for enlightening me. I was having
trouble getting my head around whether packets could be on the FORWARD
chain but still coming in and going out the same interface.

I hope you don't mind me CC'ing the list with this reply so that others
can read your good explanation too.

Regards.
Mark.
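The one-armed firewall discussed in the thread (router and firewall on the same segment, traffic entering and leaving eth0, SNAT on the way out), written out as a complete rule set. This is an added example, not the script from the original message: the interface name, the LAN subnet 192.168.17.0/24 and the public address 203.0.113.10 are assumed values, and the router-side policy routing that steers LAN traffic to the firewall is left to the router as the thread describes. It uses the single ESTABLISHED,RELATED rule Jean Christophe suggested instead of a second "-d $LAN" ACCEPT, defaults FORWARD to DROP, and turns off ICMP redirects on the hairpin interface: when Linux forwards a packet back out the interface it arrived on, it would otherwise tell the router to use a "better" next hop, which on this topology means routing around the firewall.

```shell
#!/bin/sh
# One-armed firewall: LAN -> router -> firewall (eth0) -> back out eth0 -> router -> Internet.
# Assumed values for illustration; 203.0.113.0/24 is documentation address space.
IFACE="${IFACE:-eth0}"
LAN_NET="${LAN_NET:-192.168.17.0/24}"
INET_IPADDR="${INET_IPADDR:-203.0.113.10}"

# The commands used to load the rules; overridden with "echo ..." for dry runs.
IPTABLES="${IPTABLES:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# Emit (or load) the full rule set for interface $1, LAN subnet $2, public address $3.
one_arm_firewall_rules() {
    iface=$1; lan=$2; pub=$3

    # Kernel side: enable forwarding and suppress ICMP redirects on the hairpin
    # interface, so the firewall never tells the router to bypass it.
    $SYSCTL -w net.ipv4.ip_forward=1
    $SYSCTL -w "net.ipv4.conf.$iface.send_redirects=0"
    $SYSCTL -w net.ipv4.conf.all.send_redirects=0

    # Start clean; nothing crosses the firewall unless a rule below allows it.
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Return traffic: one stateful rule instead of "-d $lan ACCEPT", so only
    # packets belonging to a connection the LAN opened are forwarded back.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections from the LAN, arriving on and leaving by the same interface.
    $IPTABLES -A FORWARD -i "$iface" -o "$iface" -s "$lan" -m state --state NEW -j ACCEPT

    # Rewrite the source of LAN traffic leaving the interface; conntrack
    # reverses the translation on the replies.
    $IPTABLES -t nat -A POSTROUTING -o "$iface" -s "$lan" -j SNAT --to-source "$pub"
}

# Dry run used for review and testing: prints the commands instead of running them.
render_rules() {
    ( IPTABLES="echo iptables"; SYSCTL="echo sysctl"; one_arm_firewall_rules "$@" )
}

# Set APPLY=1 (as root) to load the rules; by default only print them.
if [ "${APPLY:-0}" = 1 ]; then
    one_arm_firewall_rules "$IFACE" "$LAN_NET" "$INET_IPADDR"
else
    render_rules "$IFACE" "$LAN_NET" "$INET_IPADDR"
fi
```

Run it without arguments to review the generated rule set, then `APPLY=1 sh firewall.sh` on the firewall box. The ordering matters: the ESTABLISHED,RELATED rule is appended before the NEW rule so replies are matched first, and the FORWARD policy of DROP means traffic that enters eth0 from anything other than the LAN subnet goes nowhere.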