On Friday 06 December 2002 04:06 am, Blizzards (Giulius) wrote: > I need to filter packet coming from eth1 (external lan) directed to > eth0 (internal lan). > Packet for internal lan must be SNAT to reach external lan. > In this enviroment filter table see packets traversing FORWARD chain > as normal source and destination and i let it pass. > SNAT change source address with nat address indicated (3 ip address > configured on the box as alias of eth1) and then send packets. > When packets return as reply to my natted connection, the chain/chains > involved are: > > only input ? > input and forward ? > only forward? Only FORWARD, as long as SNAT is working properly. If these packets reach INPUT there is a problem. Incoming packets, regardless of source, will end up at one of two destinations - either INPUT or FORWARD->POSTROUTING->out an interface. (assuming no rule stops them along the way, like a match to a rule that DROPs or REJECTs them) If they are replies to a packet that was SNATted when it was outbound, then they are automatically unSNATted, with the destination IP changed from the public IP they came in for (the source the request was SNATted to) to the actual IP on the internal network that the request came from, the original source IP of the request. > Someone can explain me this in detail? In more detail, and disregarding mangle table chains (not important to the discussion): Packet comes in eth0 to nat-PREROUTING from internal network with a destination IP outside the internal network, where it is recognized as a packet to be forwarded, rather than input to the firewall box itself. It is sent to the filter-FORWARD chain, and from there (if it is ACCEPTed) goes on the nat-POSTROUTING and is SNATted and sent out the appropriate interface, eth1 in this case. Reply packets come in eth1 ALSO to nat-PREROUTING, where they are automatically un-SNATted (changing the destination IP of the reply packets to the actual destination, IE the source IP of the request packet) and from there they again go to filter-FORWARD then nat-POSTROUTING and out the appropriate interface, which will be eth0 based on the destination IP. INPUT and OUTPUT chains of the filter table should only see packets to/from the firewall box itself, as long as NAT and routing setup are correct. FORWARD chain of the filter table will see forwarded packets in every direction, regardless of source and destination. When the outbound packets reach FORWARD they have 'real' source IP and correct destination IP, since SNAT is done in a later step. Returning packets will also have 'real' destination IP and correct source IP, since the SNAT is undone before they reach FORWARD. If the connection _originates_ from the external network, and the internal network is 'hidden' behind one of the IPs of eth1 (usually the purpose of SNAT), then they can only be validly addressed to one of those IPs, and will normally be routed to INPUT since they are addressed to an IP of the firewall box itself. If you need to overcome this for some reason you will need to DNAT in nat-PREROUTING to catch these incoming packets and change their destination IPs to the appropriate IP on the internal LAN, after which they will go through filter-FORWARD, since the routing decision will now see that they are not destined for the local box. If the connection originates from the external network, addressed directly to the true IP of a machine on the internal network then they will by default go to filter-FORWARD anyway, since the destination IP is recognized as being on the local LAN and not the firewall box. If the external network is the internet this shouldn't be the case, since the local LAN machines should all have IPs in a private range that isn't routable on the internet. However, you phrased your question as "external LAN", so I presume you are set up between two LANs, where it may be possible for the external LAN to originate a packet addressed directly to an IP on the internal LAN, and use the firewall box as a router to reach that IP. > Giulius j
