Masquerading

On Tuesday 22 October 2002 12:51 am, Wilson Fletcher wrote:

> Just looking at iptables.

Welcome.

> Normally a reply to a masq'd packet coming into the network will
> have the destination IP of the g/w.

Correct (except remove the word 'normally' from the above sentence :-)

> So if the NAT for masq is done
> in POSTROUTING (after filtering) do I need to except INPUT packets
> to ports in the masquerading range (~61000:65535 ????) ?

No, because the INPUT chain is:
a) only for packets which finally arrive on the local machine
b) after the PREROUTING chain, where the reverse NAT will be automatically 
applied to reply packets, hence changing the Destination Address back to the 
original client.

> The Linux 2.4 Packet Filtering HOWTO appears to suggest that I can
> ignore the fact that I'm nat'ing and use forwarding rules for packets
> being masq'd and de-masq'd and that I do not need to worry about
> INPUT for packets that are going to my masq'd range.

This is correct.

INPUT is *only* for packets destined for the local machine (the one running 
netfilter), and this means after any DNAT has taken place.

FORWARD is only for packets destined for another machine, and this also means 
after any DNAT (automatic or specified in your rules) has taken place.

Remember also that if you specify a SNAT rule in your POSTROUTING chain, then 
netfilter will automagically apply the appropriate DNAT rule to the replies 
in your PREROUTING chain - you do not need to specify a rule to do this.

Antony.

-- 

You can spend the whole of your life trying to be popular,
but at the end of the day the size of the crowd at your funeral
will be largely dictated by the weather.

 - Frank Skinner
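
The ruleset below is an added example (editor's illustration, not code from the thread or from the Netfilter project) of the layout Antony describes: the MASQUERADE rule lives in POSTROUTING, the filter chains carry only FORWARD rules for the masqueraded traffic, and nothing in INPUT mentions the masquerade source-port range the question asked about. Interface names are assumptions (eth0 upstream, eth1 LAN), as is the ssh rule used to show what does belong in INPUT. The second function is a small check for the very mistake the question describes, so a ruleset can be audited before it is loaded.

```shell
#!/bin/sh
# Added example (editor's, not from the thread). Emits an iptables-restore
# ruleset for a masquerading gateway. Interface names are assumptions:
# $1 = upstream (masqueraded) interface, $2 = LAN interface.
masq_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# SNAT happens here, in POSTROUTING, after the filter chains have seen the
# packet. The reverse translation of replies is done by conntrack in
# PREROUTING without any rule of ours.
-A POSTROUTING -o ${1:-eth0} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT only sees packets whose final destination, after de-NAT, is the
# gateway itself. Replies to masqueraded flows have already had their
# destination rewritten back to the LAN client, so they never reach INPUT
# and no rule for the masquerade source-port range belongs here.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${2:-eth1} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# FORWARD also sees packets after de-NAT, so filter the de-masqueraded
# replies by direction and connection state, as the HOWTO suggests.
# (-m state --state is the older spelling of -m conntrack --ctstate.)
-A FORWARD -i ${2:-eth1} -o ${1:-eth0} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${1:-eth0} -o ${2:-eth1} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Check a ruleset (read from stdin) for the mistake the question asks about:
# an INPUT rule that opens the masquerade source-port range to the outside.
# Returns 0 (true) if such a rule is present, 1 otherwise.
input_opens_masq_range() {
    grep -Eq -- '^-A INPUT .*--dports? 61000:65535'
}

# Print the ruleset for review; apply with:  sh this.sh | iptables-restore
masq_ruleset "${WAN_IF:-eth0}" "${LAN_IF:-eth1}"
```

Because conntrack undoes the translation in PREROUTING, both INPUT and FORWARD see the reply with the LAN client's real address as destination; `iptables -t nat -L -n` will therefore list only the MASQUERADE rule you wrote, and the reverse mapping is visible only as a conntrack entry (e.g. in `conntrack -L`), not as a rule.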


