On Monday 29 March 2004 11:56 pm, Cody Harris wrote:

> On Mon, 29 Mar 2004 22:42:16 +0100, Antony Stone wrote:
>
> > You need a PREROUTING nat rule if you want the firewall to change the
> > destination address where the packets are going to.
>
> Oh, I get it. But if I didn't re-route the packet it would just go to this
> computer like it was? So I needed to preroute the packets to the correct
> box, right?
>
> > You need a FORWARD filter rule to allow the packets through the firewall
> > (whether it's changed the destination address or not).
>
> So the forward rule filters the packets that are forwarded. It's not the
> part that makes the routing decision, like pre and postrouting are?

I think you've got it now.

The only thing I would comment on in what you said above is the phrase "routing decision": Netfilter does not make routing decisions - the Linux kernel does that, even when you're not running netfilter.

Netfilter simply adds the ability to drop some packets *instead* of routing them on (in the filter tables), or to change where they're addressed to (in the nat table), although note in the latter case it's still the kernel routing mechanism which decides how they get to their (new) destination.

I sometimes tell people "a firewall is a router which can say No".

Regards,

Antony.

-- 
How I want a drink, alcoholic of course, after the heavy chapters involving quantum mechanics.
 - 3.14159265358979

Please reply to the list; please don't CC me.
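The two rules discussed in the thread, written out as an added example (this is not code from the original posts or from the netfilter project): a nat/PREROUTING DNAT rule that rewrites the destination before the kernel routes the packet, and a filter/FORWARD rule that lets the rewritten packet through. The interface name, the public and internal addresses and the ports are assumed placeholders; the script also assumes the FORWARD chain's default policy is DROP (otherwise the ACCEPT rules change nothing). Because the FORWARD chain sees the packet after DNAT, its match uses the new internal destination, not the public one.

```shell
#!/bin/sh
# Added example, not from the original thread: DNAT port forwarding on a
# Linux firewall, following the two steps Antony describes.
#   1. nat/PREROUTING DNAT   - change where the packet is addressed to
#   2. filter/FORWARD ACCEPT - allow the (rewritten) packet through
# All addresses, ports and interface names are assumed placeholders.

# Run a command, or only print it when DRY_RUN is set. This lets the
# ruleset be reviewed (and the script exercised) without root.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# setup_port_forward WAN_IF PUBLIC_IP PUBLIC_PORT INTERNAL_IP INTERNAL_PORT
setup_port_forward() {
    wan_if=$1; pub_ip=$2; pub_port=$3; int_ip=$4; int_port=$5

    # Routing is the kernel's job, not netfilter's: with forwarding off,
    # the DNATed packet has nowhere to go.
    run sysctl -w net.ipv4.ip_forward=1

    # (1) Rewrite the destination. PREROUTING runs before the routing
    # decision, so the kernel then routes the packet towards int_ip.
    run iptables -t nat -A PREROUTING -i "$wan_if" -p tcp \
        -d "$pub_ip" --dport "$pub_port" \
        -j DNAT --to-destination "$int_ip:$int_port"

    # (2) Let the forwarded packets through. FORWARD sees the packet
    # *after* DNAT, so match on the new (internal) destination.
    run iptables -A FORWARD -i "$wan_if" -p tcp \
        -d "$int_ip" --dport "$int_port" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    # Replies from the internal host also traverse FORWARD (the other
    # way); conntrack reverses the NAT on them automatically.
    run iptables -A FORWARD -o "$wan_if" -p tcp \
        -s "$int_ip" --sport "$int_port" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Without the PREROUTING rule the packet is still addressed to the
# firewall itself and is handled by INPUT, so a FORWARD rule alone does
# nothing for it. Rules are applied only when explicitly requested.
if [ "${1:-}" = "apply" ]; then
    # RFC 5737 / RFC 1918 placeholder addresses; replace with your own.
    setup_port_forward eth0 203.0.113.5 80 192.168.1.10 8080
fi
```

Run it as `DRY_RUN=1 sh forward.sh apply` to see the exact iptables commands before committing them, then as root without DRY_RUN to apply them.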