Re: How does a NAT-packet traverse?

On Friday 14 March 2003 02:02 am, Bobo wrote:
>  Hello:
>
>         Now, I am studying how to set up iptables rules, and I have a
> question.
>
>         I would like to know how netfilter deals with a packet which is
> the response of a NAT-packet from the inside network?
>
>         Where does netfilter deal with these packets and give them the
> original IP address?

I assume you mean that a client behind a NATting gateway has sent out a 
packet (perhaps an HTTP request) which has been SNATted in POSTROUTING 
so that it uses the gateway's public IP instead of the client's private 
IP - and you are asking about the return traffic.

They come to the NATting box from the destination of the original packet, 
and hit PREROUTING.  They are recognized as being replies to outbound 
traffic that was SNATted, so while in nat PREROUTING (or just after, I'm 
not certain) the SNAT that was performed on the request is reversed on 
the reply, so that the destination IP is changed from the gateway's 
public IP to the client's private IP.  

After PREROUTING a routing decision is made, which recognizes these 
packets as destined for a client machine on the local network, NOT the 
gateway itself.  (The un-SNAT has already taken place; the destination IP 
is now the original client.)  At this point the packet goes to the FORWARD 
chain, and so long as it is ACCEPTed there, it goes to POSTROUTING and 
then out the local interface to the original client machine.

>        Will these packets pass through INPUT chains and go out from
> OUT chains? And they are

Nope.  INPUT is for packets destined for the gateway machine itself in 
this scenario.  While the return packets have that machine's public IP 
as their destination when they come in, this is changed to the IP of the 
original client before the routing decision, so they go to FORWARD instead 
of INPUT.  OUTPUT would be for traffic originating on the gateway 
itself.

>        changed at the local process?

All these changes are handled by netfilter in the kernel, before anything 
in userspace ever sees the packet.  A local process normally cannot see 
a packet unless the routing decision determines that it is destined for 
the local box (the one running the firewall rules) and sends it to the 
INPUT chain, which would have to ACCEPT it.  THEN it would be possible 
for a local userspace process to see the packet.

j
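The traversal described in the reply above, modelled as an added Python example (this is not code from the poster and not netfilter's own implementation): a small gateway with a conntrack-style table that SNATs new outbound flows in nat POSTROUTING, reverses that SNAT on the matching reply in PREROUTING, and only then makes the routing decision, so the reply lands in FORWARD rather than INPUT. The addresses, ports and LAN prefix are constructed, and the model keeps the source port unchanged when SNATting, which real conntrack is not obliged to do.

```python
"""Toy model of the netfilter path taken by a SNATted flow and its reply.

Added example; it is not netfilter code.  Hook order follows the reply above:
PREROUTING (un-SNAT via the connection table) -> routing decision ->
INPUT or FORWARD -> POSTROUTING (SNAT for new outbound flows).
"""
from dataclasses import dataclass, replace

# Constructed addresses for the example (not from the original message).
GATEWAY_PUBLIC_IP = "203.0.113.1"   # assumed public side of the NAT gateway
GATEWAY_LAN_IP = "192.168.1.1"      # assumed LAN side of the gateway
LAN_PREFIX = "192.168.1."           # assumed private network behind it


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    """Gateway with a conntrack-like table: original tuple -> NATted source."""

    def __init__(self):
        # key: (src, sport, dst, dport) of the outbound direction
        # value: (public IP, port) the source was rewritten to
        self.conntrack = {}

    def prerouting(self, pkt):
        """nat PREROUTING: reverse SNAT for replies to tracked outbound flows."""
        for (src, sport, dst, dport), nat_src in self.conntrack.items():
            reply_from_server = (pkt.src, pkt.sport) == (dst, dport)
            addressed_to_nat = (pkt.dst, pkt.dport) == nat_src
            if reply_from_server and addressed_to_nat:
                # Destination becomes the original client, before routing.
                return replace(pkt, dst=src, dport=sport), True
        return pkt, False

    def route(self, pkt):
        """Routing decision made after PREROUTING, on the un-SNATted packet."""
        if pkt.dst in (GATEWAY_PUBLIC_IP, GATEWAY_LAN_IP):
            return "INPUT"      # for the gateway itself
        return "FORWARD"        # for some other host, e.g. a LAN client

    def postrouting(self, pkt):
        """nat POSTROUTING: SNAT new LAN -> outside flows to the public IP."""
        if pkt.src.startswith(LAN_PREFIX) and not pkt.dst.startswith(LAN_PREFIX):
            nat_src = (GATEWAY_PUBLIC_IP, pkt.sport)  # simplification: port kept
            self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = nat_src
            return replace(pkt, src=GATEWAY_PUBLIC_IP)
        return pkt

    def handle(self, pkt):
        """Return (chains traversed, packet as it leaves, or None if dropped)."""
        chains = ["PREROUTING"]
        pkt, is_tracked_reply = self.prerouting(pkt)
        target = self.route(pkt)
        chains.append(target)
        if target == "INPUT":
            # Only here could a local userspace process ever see the packet.
            return chains, pkt
        # filter FORWARD policy: allow new flows from the LAN and tracked replies.
        if not (pkt.src.startswith(LAN_PREFIX) or is_tracked_reply):
            chains.append("DROP")
            return chains, None
        chains.append("POSTROUTING")
        return chains, self.postrouting(pkt)


if __name__ == "__main__":
    gw = Gateway()
    request = Packet("192.168.1.10", 40000, "198.51.100.7", 80)
    print(gw.handle(request))        # SNATted: src becomes 203.0.113.1
    reply = Packet("198.51.100.7", 80, "203.0.113.1", 40000)
    print(gw.handle(reply))          # un-SNATted, goes via FORWARD not INPUT
    print(gw.handle(Packet("198.51.100.7", 12345, "203.0.113.1", 22)))  # INPUT
```

Running the module walks an outbound request, its reply, and an unsolicited packet addressed to the gateway through the hooks and prints the chain each one hit; the reply is rewritten to the client's private address before the routing decision, which is exactly why it is FORWARD, not INPUT, that must ACCEPT it.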