imolton at clara.net
Sun Oct 7 13:27:06 PDT 2001
On stardate Sun, 7 Oct 2001 22:15:50 +0200
Daniel began the full-scale invasion of earth with the following words:
> a great many questions :)
> Ian Molton <imolton at clara.net> wrote:
> > Ok. what happens to packets that get natted?
> There are three tables: filter, nat, mangle.
> There are multiple built-in chains in each table.
> filter: INPUT, OUTPUT, FORWARD
> nat: PREROUTING, POSTROUTING, OUTPUT
> mangle: PREROUTING, OUTPUT
> this is a more accurate diagram:
>                   packet in
>                       |
>             PREROUTING: mangle, nat
>                       |
>               routing decision
>               /               \
>      INPUT: filter        FORWARD: filter
>            |                     |
>      local process               |
>            |                     |
>      OUTPUT: mangle,             |
>              nat, filter         |
>               \               /
>             POSTROUTING: nat
>                       |
>                   packet out
> You want to use the mangle table for packet mangling, the nat
> table for masquerading, DNAT/SNAT, and the filter table for
> allowing/dropping stuff.
Ok, So one last question...
How do packets enter the tables? When a packet comes in, is it presented to
the mangle table's PREROUTING chain and then, failing a match, to the nat
table's PREROUTING chain?
If so, then I think things are beginning to fall into place.
Also, doesn't the nat table have a MASQUERADE chain? Where does this figure
in the above diagram?
> if you specify no table, then "-t filter" is assumed. The above
> flushes the filter table only.
Ooh. nasty little gotcha.
> >> > $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j
> >> > echo "1" > /proc/sys/net/ipv4/ip_forward
> > The above seems to work, but why can I not do non-passive FTP
> > from behind the firewall?
> Hmm, may have several reasons. Either you don't let RELATED
> connections in, or you haven't got the FTP connection-tracking
> module loaded or compiled into the kernel.
> You should read up on source routing. Source routing is an IP
> option. It allows one to "route" an IP packet through a list of
> gateway addresses.
> The above list of reserved address ranges has nothing to do with
> source routing. It is just the list of all those addresses which
> are not routed through the Internet. Which means that anything
> coming from them is bogus.
Right. I'm with you on that now.
> >> echo "2" > /proc/sys/net/ipv4/conf/eth0/rp_filter
> > would this foul things up for people with two (or more) uplinks?
> Exactly, but only with weird setups where packets come in from one
> and leave through the other uplink. And there are some issues with
> advanced routing if you activate it (iproute2).
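As an added example (not code from this thread or from any LFS/BLFS script), here is a small masquerading firewall script that puts the pieces of the discussion together: every table is flushed by name because of the "-t filter is assumed" gotcha, RELATED/ESTABLISHED traffic is let back in, the FTP connection-tracking helper is loaded, and ip_forward and rp_filter are set. The interface names eth0/eth1, the LAN range, the module names ip_conntrack_ftp (2.4) and nf_conntrack_ftp (2.6 and later), and the "show"/"apply" arguments are assumptions for this example; the `-m state` match is the one from the era of the thread (newer kernels also accept `-m conntrack --ctstate`).

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal masquerading firewall.
# Interface names, LAN range, module names and the show/apply arguments
# are assumptions for this example.

EXT_IF=${EXT_IF:-eth0}            # uplink (assumed)
INT_IF=${INT_IF:-eth1}            # LAN side (assumed)
LAN=${LAN:-192.168.1.0/24}        # range masqueraded in the thread
IPTABLES=${IPTABLES:-iptables}
DRY_RUN=${DRY_RUN:-1}             # 1: print the commands, 0: execute them

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

ipt() {
    run "$IPTABLES" "$@"
}

# Gotcha from the thread: "iptables -F" without -t only flushes the filter
# table, so each of the three tables is flushed (and its user chains
# deleted) by name.
flush_all_tables() {
    for t in filter nat mangle; do
        ipt -t "$t" -F
        ipt -t "$t" -X
    done
}

# Active-mode FTP only works through the box if the FTP connection-tracking
# helper is present, so that the server's data connection is classified as
# RELATED. Module names are assumed; this fails soft if the helper is built
# into the kernel or unavailable.
load_conntrack_ftp() {
    run modprobe ip_conntrack_ftp || run modprobe nf_conntrack_ftp || true
}

set_sysctls() {
    run sysctl -w net.ipv4.ip_forward=1
    # rp_filter drops packets whose source address would not be routed back
    # out the interface they arrived on (see the caveat in the thread about
    # setups with more than one uplink).
    run sysctl -w "net.ipv4.conf.$EXT_IF.rp_filter=1"
}

install_rules() {
    flush_all_tables

    # Default policies: drop whatever is not explicitly allowed.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # filter table: who may talk to the box, and through it.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$INT_IF" -s "$LAN" -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    # RELATED is what lets the FTP data connection back in to the LAN.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # nat table: MASQUERADE is a target, not a chain. It lives in the
    # POSTROUTING chain, which runs after the routing decision, so -o
    # (outgoing interface) is valid here.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
}

case "${1:-}" in
    show)  install_rules ;;
    apply) DRY_RUN=0; load_conntrack_ftp; set_sysctls; install_rules ;;
esac
```

Run `sh fw.sh show` to print the rule set without touching the kernel, and `sh fw.sh apply` as root to install it. At each hook the tables are consulted in turn (mangle, then nat, then filter), so an ACCEPT in the mangle PREROUTING chain does not skip the nat PREROUTING chain; only a terminating verdict such as DROP ends the packet's traversal.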