On Thu, Feb 03, 2005 at 09:25:00AM -0800, seberino@xxxxxxxxxxxxxxx wrote:
> I got an iptables script for a NAT-ing firewall that
> forwards packets between Internet and a private LAN.
>
> All incoming packets are destination NAT'd to end up
> at a single server on the private LAN.

so you have a rule that says:

iptables -t nat -A PREROUTING -i $EXT_IF \
    -j DNAT --to-destination $SINGLE_SERVER_IP

> **I don't understand how ANY packets can ever arrive
> at ANY other PC on the private LAN since they
> are ALL destination NAT'd to go to same private server IP
> address!?!?**

um--any NEW packets arriving inbound on $EXT_IF would have their
destination IP translated to $SINGLE_SERVER_IP, yes.

> If some arbitrary client on private LAN wants to visit
> a web page, somehow his traffic arrives back at himself
> without any specific NAT rules to get packets to him!??

ah--it seems you are confusing DNAT and SNAT. when a machine on the
inside makes an outbound request (that passes all your filter rules)
it is probably hitting some sort of SNAT rule like:

iptables -t nat -A POSTROUTING -o $EXT_IF -j SNAT --to-source $EXT_IP

this will create a conntrack entry that will be able to map the reply
packet back to the correct client by matching:

src_ip,src_port,dst_ip,dst_port

> I know it has something to do with ESTABLISHED,RELATED
> state ACCEPT-ing rules but this has always confused me.

sorta. keep in mind that rules in "-t nat" are only applied to packets
with state NEW--this is probably the piece you're missing.

> Do you understand the question?

maybe.

-j

--
"Please do not offer my god a peanut" --The Simpsons
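As an added illustration (not part of the original thread, and not netfilter code): a small Python model of the two-rule NAT firewall discussed above. It implements the reply's key points in code: the nat table is consulted only for packets in state NEW, a NEW packet that passes the filter gets a conntrack entry keyed on its 4-tuple, and a reply packet is de-NAT'd from that entry rather than by any rule, so the inbound DNAT never touches the web reply on its way back to the inside client. The interface names, the addresses (RFC 5737 documentation ranges and a private /24) and the simplifications (no port remapping, no timeouts, no RELATED tracking) are constructed assumptions for the example.

```python
"""Toy model of iptables DNAT/SNAT with conntrack state tracking.

Constructed for illustration; it mimics the behaviour the reply describes
and is not the kernel's implementation.
"""
import ipaddress
from dataclasses import dataclass, replace

# Constructed values standing in for the script's variables.
EXT_IF = "eth0"
LAN_IF = "lan0"
EXT_IP = "203.0.113.10"            # $EXT_IP, the firewall's public address
SINGLE_SERVER_IP = "192.168.1.10"  # $SINGLE_SERVER_IP, the DNAT target
LAN_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    iface: str  # interface the packet arrives on

    @property
    def tuple4(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)


class Firewall:
    def __init__(self):
        # conntrack: original 4-tuple -> expected reply 4-tuple (post-NAT, reversed)
        self.conntrack = {}

    def state(self, pkt):
        """ESTABLISHED if the packet belongs to a tracked flow (either direction), else NEW."""
        if pkt.tuple4 in self.conntrack:
            return "ESTABLISHED", "original"
        if pkt.tuple4 in self.conntrack.values():
            return "ESTABLISHED", "reply"
        return "NEW", None

    def process(self, pkt):
        """Run one packet through the box; returns (state, translated packet, forwarded?)."""
        st, direction = self.state(pkt)
        if st == "ESTABLISHED":
            if direction == "reply":
                # conntrack undoes the NAT: the reply becomes the reverse of the original tuple.
                orig = next(o for o, r in self.conntrack.items() if r == pkt.tuple4)
                src_ip, src_port, dst_ip, dst_port = orig
                pkt = replace(pkt, src_ip=dst_ip, src_port=dst_port,
                              dst_ip=src_ip, dst_port=src_port)
            # -m state --state ESTABLISHED,RELATED -j ACCEPT; "-t nat" is never consulted.
            return st, pkt, True

        # Only a NEW packet reaches the nat table.
        original = pkt.tuple4
        # PREROUTING: -i $EXT_IF -j DNAT --to-destination $SINGLE_SERVER_IP
        if pkt.iface == EXT_IF:
            pkt = replace(pkt, dst_ip=SINGLE_SERVER_IP)
        out_if = LAN_IF if ipaddress.ip_address(pkt.dst_ip) in LAN_NET else EXT_IF
        # FORWARD filter for NEW flows: the LAN may go out; from outside only the DNAT'd server.
        allowed = pkt.iface == LAN_IF or (pkt.iface == EXT_IF and pkt.dst_ip == SINGLE_SERVER_IP)
        # POSTROUTING: -o $EXT_IF -j SNAT --to-source $EXT_IP
        if out_if == EXT_IF:
            pkt = replace(pkt, src_ip=EXT_IP)
        if allowed:
            # Remember how the reply will look after translation so it can be mapped back.
            self.conntrack[original] = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return st, pkt, allowed


def demo():
    """Four packets that exercise both NAT rules and the conntrack reverse mapping."""
    fw = Firewall()
    # 1. an inside client browses out: SNAT'd to $EXT_IP, conntrack entry created
    st1, p1, _ = fw.process(Packet("192.168.1.50", 40000, "198.51.100.7", 80, LAN_IF))
    # 2. the web server's reply arrives on $EXT_IF addressed to $EXT_IP:
    #    ESTABLISHED, so the DNAT rule is skipped and conntrack restores the client's address
    st2, p2, _ = fw.process(Packet("198.51.100.7", 80, EXT_IP, 40000, EXT_IF))
    # 3. an unsolicited inbound connection is NEW and gets DNAT'd to the single server
    st3, p3, _ = fw.process(Packet("198.51.100.99", 5555, EXT_IP, 80, EXT_IF))
    # 4. the server's reply is rewritten to come from $EXT_IP by conntrack, not by a rule
    st4, p4, _ = fw.process(Packet(SINGLE_SERVER_IP, 80, "198.51.100.99", 5555, LAN_IF))
    return [(st1, p1), (st2, p2), (st3, p3), (st4, p4)]


if __name__ == "__main__":
    for st, p in demo():
        print(f"{st:11} {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}")
```

Running it shows packet 2 delivered to 192.168.1.50:40000 even though the only inbound nat rule says "send everything to the server": the reply never reaches that rule because it is not NEW. Packet 3 does hit the rule, and packet 4 shows the same conntrack entry translating the server's answer back to the public address.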