Hi Daniel, Antony and Dick,

You are quite right. I got things wrong and I understand now. Thank you for your explanations.

Regards,
Jee

> Jee J.Z. writes:
>
> > I put the following rules on the PC2:
> >
> > iptables -F
> > iptables -F -t nat
> > iptables -I FORWARD -j QUEUE
> > iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to global_ip_2
> > iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 192.168.0.2
> >
> > echo '1' >/proc/sys/net/ipv4/ip_forward
> >
> > Since I didn't put in rules like "iptables -P INPUT DROP" and
> > "iptables -P OUTPUT DROP", I expect traffic that is addressed to PC2 will not
> > be passed on to the FORWARD chain, and therefore it will not be queued to
> > userspace. However, it seems not to be the case. When I ftp or ping from PC1 to
> > PC2 (addressed to PC2), all the packets are queued to userspace and, if
> > accepted from userspace, are then DNATed to PC3. Could you explain this to
> > me? Or am I missing something obvious?
>
> You have the order wrong. Of the tables you add rules to, your packet
> hits the nat PREROUTING chain first. In that chain your packet to PC2
> gets DNAT'd to 192.168.0.2 and is then no longer a packet to PC2, so
> routing sends it to the FORWARD chain.
>
> A way to help avoid mistakes is to fill tables in the order in which
> packets see them:
>
> iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 192.168.0.2
> (routing happens here)
> iptables -I FORWARD -j QUEUE
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to global_ip_2
>
> These rules unconditionally DNAT all packets to 192.168.0.2, so they
> all go to the FORWARD chain and your QUEUE. You can avoid having
> packets sent to PC2 from reaching your QUEUE simply by selecting
> against them in your DNAT rule:
>
> iptables -t nat -A PREROUTING -i eth0 ! -d global_ip_2 -j DNAT --to 192.168.0.2
>
> Then packets to PC2 will remain packets to PC2 and routing will send
> them to the INPUT chain rather than the FORWARD chain.
>
> --
> Dick St.Peters, stpeters@xxxxxxxxxxxxx
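The traversal order Dick describes (nat/PREROUTING, then the routing decision, then filter/INPUT or filter/FORWARD, then nat/POSTROUTING) is easy to get wrong because the rules can be typed in any order. The following is an added example, not code from the thread or from netfilter: a small Python model of that path that runs the three packets from the discussion through both the unconditional DNAT rule and the corrected one with `! -d global_ip_2`. It keeps the thread's placeholder `global_ip_2` as a literal address string; PC2's internal interface name `eth1`, its internal address 192.168.0.1, the sample PC1 address 203.0.113.10 and the external destination 198.51.100.5 are constructed for the example. Mangle, conntrack and the other hooks are deliberately left out.

```python
"""Toy model of the netfilter path relevant to the thread:
nat/PREROUTING -> routing decision -> filter/INPUT or filter/FORWARD -> nat/POSTROUTING.

Assumptions (not from the thread): PC2's internal interface is "eth1",
its internal address is 192.168.0.1, and 192.168.0.0/24 is the inside net.
"""
from dataclasses import dataclass, replace

PC2_PUBLIC = "global_ip_2"                 # placeholder from the thread, used as a literal
PC3 = "192.168.0.2"                        # DNAT target
LOCAL_ADDRS = {PC2_PUBLIC, "192.168.0.1"}  # assumed: addresses PC2 itself owns


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str


def route(dst):
    """Assumed routing table: PC2's own addresses are delivered locally,
    192.168.0.0/24 leaves via eth1, everything else leaves via eth0."""
    if dst in LOCAL_ADDRS:
        return "local"
    if dst.startswith("192.168.0."):
        return "eth1"
    return "eth0"


def make_prerouting(exclude_pc2):
    """Models: iptables -t nat -A PREROUTING -i eth0 [! -d global_ip_2] -j DNAT --to 192.168.0.2"""
    def prerouting(pkt):
        if pkt.in_if != "eth0":
            return pkt
        if exclude_pc2 and pkt.dst == PC2_PUBLIC:
            return pkt                     # '! -d global_ip_2' leaves PC2's own traffic alone
        return replace(pkt, dst=PC3)       # unconditional DNAT rewrites every inbound packet
    return prerouting


def traverse(pkt, exclude_pc2):
    """Walk a packet through the hooks in the order the kernel applies them.
    Returns (list of hooks/rules hit, packet as it leaves the box)."""
    hops = []
    pkt = make_prerouting(exclude_pc2)(pkt)
    hops.append("nat/PREROUTING")
    out_if = route(pkt.dst)                # routing happens AFTER PREROUTING, on the rewritten dst
    if out_if == "local":
        hops.append("filter/INPUT")        # never reaches FORWARD, so never QUEUE
        return hops, pkt
    hops.append("filter/FORWARD -> QUEUE") # 'iptables -I FORWARD -j QUEUE' matches everything
    if out_if == "eth0":                   # 'iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to global_ip_2'
        pkt = replace(pkt, src=PC2_PUBLIC)
        hops.append("nat/POSTROUTING SNAT")
    hops.append(f"out {out_if}")
    return hops, pkt


if __name__ == "__main__":
    # Constructed sample traffic: PC1 pinging PC2, and PC3 talking out to the internet.
    to_pc2 = Packet(src="203.0.113.10", dst=PC2_PUBLIC, in_if="eth0")
    from_pc3 = Packet(src=PC3, dst="198.51.100.5", in_if="eth1")
    for label, exclude in (("unconditional DNAT", False), ("with ! -d global_ip_2", True)):
        print(f"--- {label} ---")
        for p in (to_pc2, from_pc3):
            hops, out = traverse(p, exclude)
            print(f"{p.src} -> {p.dst} in {p.in_if}: {' > '.join(hops)}; leaves as {out.src} -> {out.dst}")
```

With the unconditional rule, the packet addressed to PC2 is rewritten to 192.168.0.2 before the routing decision, so routing forwards it out eth1 through FORWARD and the QUEUE target; with the exclusion it keeps its original destination and is delivered to INPUT. PC3's outbound traffic is unaffected either way: it enters on eth1, so the `-i eth0` DNAT rule never matches it, and it picks up the SNAT on its way out eth0.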