On 19 Apr 2003, Joel Newkirk wrote:

> On Sat, 2003-04-19 at 07:54, Robert P. J. Day wrote:
> > in a book i'm reading discussing (among other things),
> > setting up DNAT, there is a sample rule:
> >
> >   # iptables -t nat -A PREROUTING -i eth0 -o eth1
> >       -d <internal server IP address>
> >       -j DNAT --to-destination 192.168.0.1
> >
> > the question: how can the explicit specification of the
> > "-o" interface affect this?
> >
> > after all, it's quite possible that the interface that
> > would normally be chosen to forward to the internal
> > server would not be the one listed with "-o". (perhaps
> > the admin made a mistake.)
> >
> > if there is an obvious conflict here, what happens?
> > does this DNAT just go unsatisfied?
>
> Everything before "-j" is matching, the "-j" tells it what you want done
> if the packet matches. So the "-o" is simply testing which interface
> the packet is targeted to go out.
>
> The problem here is that the "-o" match isn't valid in PREROUTING, since
> (as the name implies) it takes place before the routing decision, so the
> destination (obviously since this is where we can DNAT) and therefore
> the outbound interface are still unknown.
>
> So there IS a conflict here, between "-o" and PREROUTING in a sense, and
> the result will be that the rule won't even be created. If you try to
> enter this rule manually you will be informed "Can't use -o with
> PREROUTING".

yup, that makes sense. it's getting tiring perusing books that sell
themselves as howto-iptables-firewall books that have these kinds of
errors. argh.

rday
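The chain/interface conflict Joel describes applies to both interface matches, not just "-o": PREROUTING and INPUT run before (or without) an output interface is known, and OUTPUT and POSTROUTING have no input interface, so iptables rejects "-o" in the first pair and "-i" in the second. The script below is an added example written for this page, not code from the thread or from iptables itself. It lints an iptables command line the way iptables's own argument parser would, so rules copied from a book can be screened before they are applied on a live box, and prints the rule with the unusable match dropped. The public address 203.0.113.10 stands in for the book's placeholder "<internal server IP address>" and is constructed for the example; the function names are the example's own.

```shell
#!/bin/sh
# Added example: screen an iptables rule for interface matches that the
# target chain cannot evaluate. Mirrors the error iptables itself prints
# ("Can't use -o with PREROUTING"). Not part of the original thread.
#
#   -o / --out-interface  is unusable in PREROUTING and INPUT
#   -i / --in-interface   is unusable in OUTPUT and POSTROUTING

# check_iface_match CHAIN ARG... -> 0 if clean, 1 if the chain cannot
# evaluate one of the interface matches (diagnostic goes to stderr).
check_iface_match() {
    chain=$1; shift
    status=0
    for arg in "$@"; do
        case "$arg" in
            -o|--out-interface)
                case "$chain" in
                    PREROUTING|INPUT)
                        echo "Can't use -o with $chain" >&2
                        status=1 ;;
                esac ;;
            -i|--in-interface)
                case "$chain" in
                    OUTPUT|POSTROUTING)
                        echo "Can't use -i with $chain" >&2
                        status=1 ;;
                esac ;;
        esac
    done
    return $status
}

# lint_rule ARG... : find the chain named after -A/-I on an iptables
# command line, then run check_iface_match against it.
lint_rule() {
    chain=""
    prev=""
    for arg in "$@"; do
        case "$prev" in
            -A|-I|--append|--insert) chain=$arg ;;
        esac
        prev=$arg
    done
    [ -n "$chain" ] || { echo "no -A/-I chain found" >&2; return 2; }
    check_iface_match "$chain" "$@"
}

# strip_iface_match CHAIN ARG... : print ARG... on one line with any
# interface match the chain cannot evaluate removed together with its
# interface name. This is the corrected rule a reader would actually enter.
strip_iface_match() {
    chain=$1; shift
    out=""
    skip=0
    for arg in "$@"; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case "$arg" in
            -o|--out-interface)
                case "$chain" in PREROUTING|INPUT) skip=1; continue ;; esac ;;
            -i|--in-interface)
                case "$chain" in OUTPUT|POSTROUTING) skip=1; continue ;; esac ;;
        esac
        out="${out:+$out }$arg"
    done
    printf '%s\n' "$out"
}

# The book's rule, with a constructed public address in place of its
# placeholder. lint_rule rejects it; strip_iface_match prints the usable form.
if lint_rule -t nat -A PREROUTING -i eth0 -o eth1 -d 203.0.113.10 \
        -j DNAT --to-destination 192.168.0.1; then
    echo "rule accepted"
else
    echo "rule rejected; usable form:"
    strip_iface_match PREROUTING -t nat -A PREROUTING -i eth0 -o eth1 \
        -d 203.0.113.10 -j DNAT --to-destination 192.168.0.1
fi
```

The linter only knows about the two interface matches; it is not a substitute for `iptables-restore --test`, which parses a whole ruleset with the real parser. If the intent of the book's "-o eth1" was to restrict which packets get rewritten, the right place for that condition is a FORWARD rule in the filter table, where "-o" is valid because the routing decision has already been made.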