Re: Hi!

On 06/13/2005 10:26:35 AM, Tib wrote:
> > Caveat to what I just said - if you are doing masquerading behind a single
> > IP, then you don't need to worry about the FORWARD ruleset. Only packets
> > associated with connections that are being masqueraded will get sent on
> > to internal networks - unless you have specific ports that are translated
> > to internal services.
>
> Actually that isn't quite correct. With ip_forward on, network bridging is
> enabled. Running NAT does not disable the bridging function. If a box on the
> outside port sends a packet addressed to a box on the inside port, using the
> firewall as its gateway, the packet will get through NAT.  NAT runs on top
> of the bridging function, so bridging still works, though only in one direction
> since in the other direction packets will get NATed.

> Actually, it is 100% correct. Masquerading is a broad spectrum SNAT that
> will redirect return traffic associated with whatever it sends out back to
> the originating internal host. So if some new connection comes in to the
> external IP that isn't associated with any outbound connection, it hits
> the firewall and falls flat - this is why modules like ip_conntrack_ftp
> and ip_nat_ftp are necessary, and why dcc on irc clients tends to get
> borked, the list goes on.

Hi Tib,

We *may* be speaking at cross purposes.  I agree with what you have said but
I am also correct. The issue is your statement "hits the firewall and falls flat".

Your original paragraph doesn't make it clear to a beginner that you are
pre-supposing that there is a real firewall in place that will enforce NAT.

My point, that is also 100% correct, is that having a NAT rule alone does not disable the bridging function.

The reality is that a lot of beginners "assume" that when they have NAT, their
internal addresses are unreachable from the outside and that simply isn't
the case with NAT alone (at least not with iptables under Linux).

That was the point I was making. As for the rest of your post, you are
forgetting the wider purpose of routers/firewalls.  For example, inside a
company where you may have the R&D department on one private address space,
finance on another, etc., all isolated with routers. In this scenario (which
I work in) all you need to do is use the "route" command to tell your
machine where to send packets, and suddenly private IP addresses are routable
and *will* make it to the firewall.  Further, you can specifically allow
certain machines (like mine) to get through..... despite NAT in operation
for all other packets.

That is, I can ssh etc. into boxes that sit behind NAT. I just wanted to make the point that NAT alone doesn't prevent this, which wasn't obvious from your post.

Ian
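As an added example (not from either poster), the two rulesets the exchange contrasts: MASQUERADE with the FORWARD chain left at its default policy, and the same NAT with a FORWARD policy that actually enforces it, including one explicit exception of the kind Ian describes. Interface names, the LAN range and the admin host address are assumptions; the functions only print and inspect the rulesets, so they run without root.

```shell
#!/bin/sh
# Added example: iptables-restore rulesets for a Linux NAT gateway.
# Interface names, LAN range and admin host are assumptions (override via env).
EXT_IF="${EXT_IF:-eth0}"                  # outside interface (assumed name)
INT_IF="${INT_IF:-eth1}"                  # inside interface (assumed name)
LAN="${LAN:-192.168.1.0/24}"              # constructed private range behind NAT
ADMIN_HOST="${ADMIN_HOST:-203.0.113.10}"  # constructed outside host allowed in

# NAT alone: MASQUERADE on the outside interface, FORWARD left at ACCEPT.
# An outside packet addressed straight to a LAN address and routed through
# this box matches no conntrack entry, is untouched by NAT, and is forwarded.
nat_only_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $EXT_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# NAT plus a real FORWARD policy: drop by default, let LAN-originated traffic
# out, let only conntrack-known replies back in, and one explicit exception
# (ssh from the admin host) so a chosen outside machine can still get through.
nat_with_forward_policy() {
  nat_only_ruleset | sed '/^\*filter/,$d'   # reuse the *nat table above
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -j ACCEPT
-A FORWARD -i $EXT_IF -o $INT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $EXT_IF -o $INT_IF -s $ADMIN_HOST -d $LAN -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Read the FORWARD chain's default policy out of a ruleset without loading it.
forward_policy() {
  "$1" | sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p'
}
```

To check the hardened set parses, pipe it into `iptables-restore -t`; dropping `-t` (as root) loads it.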
