Re: iptables and nat
On Tue, Aug 12, 2003 at 08:56:36PM +0200, Rudy Gevaert wrote:
> Thanks for replying, but I have some more questions :)
>
> On Tue, Aug 12, 2003 at 03:51:11AM +0300, Shaul Karl wrote:
> > On Mon, Aug 11, 2003 at 11:06:37PM +0200, Rudy Gevaert wrote:
> >
> > > And when does the address translation take place? (I'm using SNAT)
> > > When do I have to put the local address in the rules and when not?
> >
> > The address translation takes place in the PREROUTING chain. You can
> > even use the local address for the rules in that chain.
>
> SNAT is done in the POSTROUTING chain, right?
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> SNAT all -- anywhere anywhere to:157.193.88.23
>
Considering the fw machine, my understanding is that SNAT is done at
the most convenient point for the user:
1. Outgoing packets get their address changed only in the POSTROUTING
chain, and their true address can be used in the rules for that
chain.
2. Incoming packets get their address changed as early as the
PREROUTING chain, and their true address can be used in the rules
for that chain.
Your chain should work. However, I am not a security expert.
--
Shaul Karl, shaul @ actcom . net . il
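The rule placement discussed in the thread, written out as an added example that is not part of the original mail: filter rules in FORWARD and the SNAT rule in nat/POSTROUTING both match on the LAN host's real (private) address, because the rewrite happens only as the packet leaves, and replies are mapped back by connection tracking before FORWARD sees them. The interface names, the 192.168.1.0/24 LAN range and the dry-run wrapper are assumptions made for the example; the public address is the one from the quoted POSTROUTING listing.

```shell
#!/bin/sh
# Constructed example: SNAT on a two-interface firewall, showing which chain
# sees which address. Interface names and the LAN range are assumptions.
LAN_IF=eth1               # assumed internal interface
WAN_IF=eth0               # assumed external interface
LAN_NET=192.168.1.0/24    # assumed private LAN range (constructed)
PUBLIC_IP=157.193.88.23   # public address from the quoted chain listing

# Print the rule instead of executing it when IPT_DRYRUN is set, so the
# rule set can be reviewed on a machine without iptables or root.
ipt() {
    if [ -n "${IPT_DRYRUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_nat_rules() {
    # FORWARD runs before nat/POSTROUTING, so an outgoing packet still
    # carries the LAN host's private source address here: match on LAN_NET,
    # not on PUBLIC_IP.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # Replies to a SNATed connection are mapped back to the private address
    # by connection tracking as they arrive (PREROUTING), so FORWARD already
    # sees the private destination.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$LAN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anything not explicitly allowed through the box is dropped.
    ipt -P FORWARD DROP
    # The rewrite itself is the last step on the way out, in nat/POSTROUTING.
    # Translation has not happened yet when this chain runs, so the match is
    # again on the real source range.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" \
        -j SNAT --to-source "$PUBLIC_IP"
}

# Returns the name of the chain that carries the SNAT target (dry-run only).
snat_chain() {
    ( IPT_DRYRUN=1; build_nat_rules ) | grep -- '-j SNAT' \
        | sed -n 's/.*-A \([A-Z]*\) .*/\1/p'
}

# Returns the number of FORWARD rules in the dry-run listing that match on
# the public address; the correct answer is 0, since FORWARD never sees it.
forward_rules_using_public_ip() {
    ( IPT_DRYRUN=1; build_nat_rules ) | grep -- '-A FORWARD' \
        | grep -c -- "$PUBLIC_IP" || true
}

# Usage: review the rules first, then apply them as root.
#   IPT_DRYRUN=1 sh thisfile.sh      # prints the rules
#   sh thisfile.sh                   # applies them
if [ "${0##*/}" != "sh" ] && [ -z "${IPT_TEST:-}" ]; then
    build_nat_rules
fi
```

Run with `IPT_DRYRUN=1` first and read the listing: the only rule that mentions the public address is the one in POSTROUTING, which is exactly the point made in the thread.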