On Mon, 2003-09-15 at 14:53, Wim Ceulemans wrote:
> Ray
>
> Do you mean that if I masquerade all my packets behind the firewall,
> that they are considered as locally generated because due to the
> masquerading their source IP is changed?
>
> This would mean that these packets would travel through the FORWARD
> chain and then through the OUTPUT chain. And then the 'Kernel packet
> travelling diagram' would be completely wrong, because packets come
> only in the OUTPUT chain if they originate from a local process.

No, it was a question ... I don't think they are locally generated.

I think that the aliases on the interface have something to do with it.

I have had to add input and output rules in some situations to get DNAT to work the way it is supposed to (redirect to a different destination).

It is strange.

> Regards
> Wim
>
> Ray Leach wrote:
>
> >On Mon, 2003-09-15 at 12:44, Wim Ceulemans wrote:
> >
> >>Hi Ray
> >>
> >>In my opinion 'locally generated packets' can only be generated by a
> >>local process.
> >>So in the diagram where it says 'local process', that's where the
> >>'locally generated packets' start their way through the kernel.
> >>Where's the difference?
> >>
> >What about packets that get SNATed?
> >Where are they generated?
> >
> >>Regards
> >>Wim
> >>
> >>Ray Leach wrote:
> >>
> >>>On Mon, 2003-09-15 at 10:49, Wim Ceulemans wrote:
> >>>
> >>>>Hi
> >>>>
> >>>>In paragraph 6.2 of the iptables-tutorial the following is said:
> >>>>"The OUTPUT chain is used for altering locally generated packets (i.e.,
> >>>>on the firewall) before they get to the routing decision.
> >>>>
> >>>>But in paragraph 3.1, the "Traversing of tables and chains" diagram, we
> >>>>see the "Routing decision" is listed after the "Local process" and
> >>>>BEFORE! the packet goes to the output chain.
> >>>>
> >>>>So which one is right? Does the routing decision take place after or
> >>>>before the packet travels through the output chain?
> >>>>
> >>>Are you not getting confused with 'locally generated' and 'local
> >>>process'. They are not the same thing.
> >>>
> >>>>Regards
> >>>>

--
Raymond Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28