Re[2]: OUTPUT chain DNAT problem

Hi.

I think the problem is in the concept of DNAT'ting itself. As the
manual page says, close to "only locally originated packets pass through OUTPUT
chain in nat table". That's why ping worked - icmp packets originated
from the box itself. As it comes to my problem - the application
replies to the originated connection - there's no SYN, correct me if
I'm wrong, please. So these packets pass through PREROUTING and
POSTROUTING chains. It'd be great if it was possible to SNAT in
PREROUTING to trick the application that the connection originated
from 192.168.0.2, not 10.0.0.2, or DNAT it in POSTROUTING chain. But
it's vice versa in iptables and not handy :(
I don't understand the reasons why iptables cannot SNAT in PREROUTING
or DNAT in POSTROUTING.

thanks
Fox

GV> There was a problem in the old days where NAT for OUTPUT was broken. Not sure if this is the same case still or not, if so then you'll need to use the -p-o-m patch to fix the problem and it'll
GV> work.

GV> Thanks,
GV> ____________________________________________
GV> George Vieira
GV> Systems Manager
GV> georgev@xxxxxxxxxxxxxxxxxxxxxx

GV> Citadel Computer Systems Pty Ltd
GV> http://www.citadelcomputer.com.au

GV> Phone   : +61 2 9955 2644
GV> HelpDesk: +61 2 9955 2698
 

GV> -----Original Message-----
GV> From: Fox [mailto:admin@xxxxxxxxxxx]
GV> Sent: Wednesday, July 02, 2003 8:57 PM
GV> To: netfilter@xxxxxxxxxxxxxxxxxxx
GV> Subject: OUTPUT chain DNAT problem


GV> Hi.

GV> I'm having problems with rewriting outgoing packets.
GV> I've specified the following rule:
GV> iptables -t nat -A OUTPUT -d 10.0.0.2 -j DNAT --to-destination
GV> 192.168.0.2

GV> When I ping 10.0.0.2 I get them rewritten (I check it with tcpdump and
GV> get stats with `iptables -t nat -L -v -n`). But when an application
GV> sends a packet to 10.0.0.2 it's not rewritten. I can't understand why.

GV> I need to do the following thing:

GV> A              B                C
GV> 10.0.0.2  --->> 192.168.0.1 ---> 192.168.0.2

GV> A sends requests to B and B replies to A. But I want those replies to go
GV> to C and only C.

GV> Your help is appreciated.
GV> thanks.
GV> fox

-- 
Best regards,
 Muzaffar                            mailto:admin@xxxxxxxxxxx
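Editor's note on the thread above: both observations (the ping being rewritten, the application's replies not) follow from one property of the netfilter nat table, which is consulted only for the first packet of a connection; the mapping chosen then is replayed by conntrack on every later packet of that connection in both directions, and the nat chains are not visited again. The small model below is an added illustration written for this archive page, not code from the list, from the netfilter project, or from iptables. It uses the addresses from the thread, assumes a hypothetical `DnatRule` with only the `-d`/`--to-destination` match that the poster's rule uses, and constructs the TCP ports itself.

```python
"""Toy model of netfilter nat-table semantics (added illustration, not netfilter code).

Modelled rule: the nat table is consulted only when conntrack sees a NEW
connection. Locally generated packets go through nat/OUTPUT, packets arriving
from the wire through nat/PREROUTING. The translation picked for that first
packet is replayed on every later packet of the connection, forwards and in
reply, without consulting the nat chains again.
"""
from dataclasses import dataclass

A = "10.0.0.2"      # remote host that sends requests to B (from the thread)
B = "192.168.0.1"   # the box running iptables (from the thread)
C = "192.168.0.2"   # where the poster wants replies to end up (from the thread)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    local_origin: bool  # True: generated by a process on B; False: arrived from the wire

    def tuple(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reply_tuple(self):
        # What the answer to this packet looks like on the wire.
        return (self.proto, self.dst, self.dport, self.src, self.sport)


def packet_from_reply_tuple(t, local_origin):
    """Rebuild the packet whose answer would carry tuple t (i.e. reverse t)."""
    proto, rsrc, rsport, rdst, rdport = t
    return Packet(rdst, rsrc, proto, rdport, rsport, local_origin)


@dataclass(frozen=True)
class DnatRule:          # hypothetical: models `iptables -t nat -A <chain> -d X -j DNAT --to-destination Y`
    chain: str           # "OUTPUT" or "PREROUTING"
    match_dst: str       # -d
    to_dst: str          # --to-destination


class NatModel:
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = {}    # original tuple -> reply tuple (after NAT)
        self.nat_lookups = []  # nat chains actually consulted, in order

    def _lookup(self, pkt):
        t = pkt.tuple()
        for orig, reply in self.conntrack.items():
            if t == orig:
                return "ESTABLISHED", "original", orig, reply
            if t == reply:
                return "ESTABLISHED", "reply", orig, reply
        return "NEW", "original", None, None

    def send(self, pkt):
        """Return (conntrack state, packet as it leaves the NAT stage)."""
        state, direction, orig, reply = self._lookup(pkt)
        if state == "NEW":
            chain = "OUTPUT" if pkt.local_origin else "PREROUTING"
            self.nat_lookups.append(chain)
            dst = pkt.dst
            for r in self.rules:
                if r.chain == chain and r.match_dst == pkt.dst:
                    dst = r.to_dst
                    break
            out = Packet(pkt.src, dst, pkt.proto, pkt.sport, pkt.dport, pkt.local_origin)
            self.conntrack[pkt.tuple()] = out.reply_tuple()  # remember the mapping
            return state, out
        if direction == "original":
            # Replay the mapping chosen for the first packet; no nat lookup.
            return state, packet_from_reply_tuple(reply, pkt.local_origin)
        # Reply direction: undo the mapping; the nat chains are not consulted,
        # so a rule in nat/OUTPUT never sees the application's answer.
        return state, packet_from_reply_tuple(orig, pkt.local_origin)


def run_thread_scenario():
    """Replay the two observations from the thread against the model."""
    nf = NatModel([DnatRule("OUTPUT", A, C)])  # the poster's rule
    # 1. `ping 10.0.0.2` from B: locally originated, NEW -> nat/OUTPUT -> rewritten to C
    st1, ping = nf.send(Packet(B, A, "icmp", 0, 0, local_origin=True))
    # 2. A opens a connection to B: arrives from the wire, NEW -> nat/PREROUTING (no rule there)
    st2, req = nf.send(Packet(A, B, "tcp", 40000, 80, local_origin=False))
    # 3. B's application answers: locally generated, but it is the reply half of
    #    an existing connection, so no nat chain is consulted and no DNAT happens
    st3, rep = nf.send(Packet(B, A, "tcp", 80, 40000, local_origin=True))
    return {
        "ping_state": st1, "ping_dst": ping.dst,
        "request_state": st2, "request_dst": req.dst,
        "reply_state": st3, "reply_dst": rep.dst,
        "nat_lookups": list(nf.nat_lookups),
    }


if __name__ == "__main__":
    for key, value in run_thread_scenario().items():
        print(f"{key}: {value}")
```

Running it shows the ping leaving for 192.168.0.2 while the application's reply still leaves for 10.0.0.2, with the nat chains consulted exactly twice (once per new connection). The practical reading for anyone auditing a ruleset: NAT decides an address mapping per connection at its first packet, so a rule in nat/OUTPUT cannot retarget the replies of a connection that was opened from outside, and counters from `iptables -t nat -L -v -n` only ever count those first packets.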