In the prerouting stage I assume because that is the place where DNAT takes place. Also take note they say "PREROUTING" for a good reason though I haven't tested it with iproute2 and source routing but I assume they are in the same level.

Just remember that POSTROUTING is after the routing table... as it says in its name (he he, gotta love those netfilter developers).

Add some LOG rules matching both sets of IPs you're testing.

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@xxxxxxxxxxxxxxxxxxxxxx

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

-----Original Message-----
From: Tim Saunders [mailto:Tim.Saunders@xxxxxxxxxxxxxx]
Sent: Friday, May 23, 2003 12:51 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: UnNATing return packets

When a TCP connection goes through a netfilter firewall and is SNATed and DNATed, when do the return packets get unNATed?

i.e. a packet comes into the firewall from a client requesting a TCP session, it is SNATed and DNATed and sent to the server, the server sends an ack response, this gets to the firewall. When do the original source and destination addresses (from the session request packet) get put back? Is it before or after routing?

I am trying to do source routing of return packets based on the address the client originally thought it was targeting. Packets come in destined for 80.5.94.150 and get DNATed to 10.136.1.7; they also get SNATed to 10.136.1.254. I have a rule to route packets from 80.5.94.150 via a different routing table with a default route that goes out of a different line to normal, but the packets still get routed out of the normal line.

It is possible my source routing is at fault. I am using the following commands:

I have added "15 sr1" to /etc/iproute2/rt_tables.

# ip rule add from 80.5.94.150 table sr1
# ip route add default via 80.5.94.129 dev eth3 table sr1
# ip route flush cache

One more thing that may be important: eth3 has an IP in 80.5.94.128/25 and an IP in 10.234.1.0/24 that goes to a router for the other line.

Any help greatly appreciated.

Tim Saunders
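
One way to write the LOG rules suggested in the reply, as an added example that is not part of the original thread. The addresses are the ones quoted in the question; the choice of the mangle table, the three chains and the log-prefix scheme are assumptions made here.

```shell
#!/bin/sh
# Added example: LOG rules for both address sets from the thread.
# Dry run by default (prints the commands); APPLY=1 runs them as root.

PUBLIC=80.5.94.150    # address the client targets (from the question)
SERVER=10.136.1.7     # DNAT target (from the question)
SNATIP=10.136.1.254   # SNAT address (from the question)

# Where each mangle chain sits relative to NAT and routing:
#   PREROUTING  - before nat PREROUTING and before the routing decision
#   FORWARD     - after the routing decision
#   POSTROUTING - before nat POSTROUTING
# The first chain whose log shows a rewritten address tells you on
# which side of the routing decision that rewrite happened.
CHAINS="PREROUTING FORWARD POSTROUTING"

log_rules() {
    for chain in $CHAINS; do
        for addr in "$PUBLIC" "$SERVER" "$SNATIP"; do
            for dir in s d; do   # match as source, then as destination
                prefix="$chain $dir=$addr "
                # The LOG target accepts prefixes of at most 29 characters.
                if [ "${#prefix}" -gt 29 ]; then
                    echo "prefix too long: $prefix" >&2
                    return 1
                fi
                echo "iptables -t mangle -I $chain -$dir $addr" \
                     "-j LOG --log-prefix \"$prefix\""
            done
        done
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    log_rules | sh
else
    log_rules
fi
```

The log lines appear in the kernel log; remove the rules afterwards by rerunning the printed commands with `-D` in place of `-I`.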