Re: iptables and nat
On Mon, Aug 11, 2003 at 11:06:37PM +0200, Rudy Gevaert wrote:
> Hi,
>
> I'm fiddling around with iptables and I have some problems
> understanding how the tables and chains work with SNAT.
>
The docs under /usr/share/doc/iptables/html about your questions are
not clear enough for my taste. Still, they are basic and one should
probably look at them.
>
> When a packet comes from the Internet with destination one of the
> computers on the local lan, which route does it take?
My understanding is that it goes through PREROUTING, FORWARD and then
POSTROUTING.
>
> Is it put straight away through the FORWARD chain or does it go
> through the INPUT chain first?
>
It is put through the FORWARD chain immediately after it has passed the
PREROUTING chain. In particular, it never goes through the INPUT chain.
> And when does the address translation take place? (I'm using SNAT)
> When do I have to put the local address in the rules and when not?
>
The address translation takes place in the PREROUTING chain. You can
even use the local address for the rules in that chain.
> And the other way around (local lan -> internet)?
>
The POSTROUTING chain. Only packets that are generated by the firewall
machine will go through that machine's OUTPUT chain.
> Am I correct when a packet from the local lan wants to go to the
> gateway it goes straight through to the INPUT chain, gets processed
> and goes to the OUTPUT?
>
You are wrong. The path for the firewall (== gateway ?) machine is
PREROUTING -> FORWARD -> POSTROUTING.
> And am I correct if I say that when a packet from the internet wants
> to go to the static ip (e.g. apache running on the firewall) it is:
> INPUT; process; OUTPUT?
>
Yes, this is correct.
--
Shaul Karl, shaul @ actcom . net . il
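The chain traversal the thread is asking about, as an added model that is not part of the original message and is not iptables code: it follows the netfilter order for IPv4 on a router (PREROUTING, then the routing decision that sends the packet to INPUT or FORWARD, then POSTROUTING for anything leaving the box; locally generated packets go OUTPUT then POSTROUTING), applies SNAT in the nat POSTROUTING hook, and reverses it for reply packets in PREROUTING the way connection tracking does. The addresses, the LAN prefix, the absence of ports and protocols, and the address-pair conntrack table are simplifying assumptions made for the example.

```python
"""Model of netfilter chain traversal on a Linux router that does SNAT.

Deliberate simplifications: IPv4 addresses only, no ports or protocols,
and a connection-tracking table keyed on (src, dst) pairs. All addresses
are constructed examples from the RFC 5737 documentation ranges plus
192.168.1.0/24 as the LAN.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Router:
    """The firewall/gateway: its own addresses, the LAN it SNATs, and a
    minimal conntrack table used to un-NAT replies in PREROUTING."""

    def __init__(self, local_addrs, lan, snat_to):
        self.local_addrs = set(local_addrs)  # addresses owned by this machine
        self.lan = ip_network(lan)           # sources that get SNATed on the way out
        self.snat_to = snat_to               # public address written by the SNAT rule
        self.conntrack = {}                  # (public_src, dst) -> original LAN src

    def _in_lan(self, addr):
        return ip_address(addr) in self.lan

    def traverse(self, pkt):
        """A packet arriving on any interface. Returns the ordered list of
        (chain, packet as that chain's rules see it) and the packet as it
        leaves the box, or None when it is delivered to a local process."""
        trace = [("PREROUTING", pkt)]        # rules here see the pre-NAT addresses
        # nat PREROUTING: conntrack reverses an earlier SNAT for reply packets.
        orig_src = self.conntrack.get((pkt.dst, pkt.src))
        if orig_src is not None:
            pkt = Packet(pkt.src, orig_src)
        # The routing decision is taken after PREROUTING on the (possibly rewritten) dst.
        if pkt.dst in self.local_addrs:
            trace.append(("INPUT", pkt))
            return trace, None
        trace.append(("FORWARD", pkt))       # FORWARD sees the LAN address, never the public one
        return self._postrouting(trace, pkt)

    def traverse_local(self, pkt):
        """A packet generated by the router itself, e.g. a reply from Apache."""
        trace = [("OUTPUT", pkt)]
        return self._postrouting(trace, pkt)

    def _postrouting(self, trace, pkt):
        trace.append(("POSTROUTING", pkt))   # nat POSTROUTING holds the SNAT rule
        if self._in_lan(pkt.src) and not self._in_lan(pkt.dst):
            self.conntrack[(self.snat_to, pkt.dst)] = pkt.src
            pkt = Packet(self.snat_to, pkt.dst)
        return trace, pkt


def scenario():
    """Run the cases raised in the thread and return {name: (trace, egress packet)}."""
    r = Router(local_addrs=["198.51.100.1", "192.168.1.1"],
               lan="192.168.1.0/24", snat_to="198.51.100.1")
    results = {}
    # LAN host to the Internet: FORWARD sees 192.168.1.10, SNAT rewrites it on egress.
    results["lan_to_internet"] = r.traverse(Packet("192.168.1.10", "203.0.113.7"))
    # Reply from that Internet host: PREROUTING un-NATs, FORWARD again sees the LAN address.
    results["reply_to_lan"] = r.traverse(Packet("203.0.113.7", "198.51.100.1"))
    # Unrelated Internet host to the router's public address: no conntrack match, goes to INPUT.
    results["internet_to_router"] = r.traverse(Packet("203.0.113.9", "198.51.100.1"))
    # The router's own reply: OUTPUT then POSTROUTING, source is already public, no SNAT.
    results["router_reply"] = r.traverse_local(Packet("198.51.100.1", "203.0.113.9"))
    # LAN host talking to the gateway's LAN address: PREROUTING then INPUT, no FORWARD.
    results["lan_to_router"] = r.traverse(Packet("192.168.1.20", "192.168.1.1"))
    return results


if __name__ == "__main__":
    for name, (trace, egress) in scenario().items():
        chains = " -> ".join(chain for chain, _ in trace)
        print(f"{name:20s} {chains:40s} egress={egress}")
```

The point the model makes for rule writing: a FORWARD rule for SNATed traffic matches on the LAN address in both directions, because SNAT happens after FORWARD on the way out and is undone before FORWARD on the way back; only rules in nat POSTROUTING (the SNAT rule itself) deal with the public address.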