Marco Nicoloso wrote:
#Forward delle catene
iptables -A FORWARD -i eth1 -o eth0 -j laninet
iptables -A FORWARD -i eth0 -o eth1 -j inetlan
Above shows eth1 is your LAN interface and eth0 is your WAN interface.
but....
#Setting up NAT
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.7.0/24 -j SNAT --to
xxx.xxx.xxx.xxx
this shows eth1 is your WAN interface, please clarify on this thing.
Pradeep
Yes, thnk you very much Pradeep, I was wrong, I corrected it but...
...anyway still it doesn't work as I want. For now it is acting only
like a NAT, I want to understand how NAT + Packet Filtering work
together, I read the howtos provided by netfilter.org. And
particularly I didn't understand:
1) POSTROUTING chain is processed after the FORWARD chain, isn't it?
But do I really need the FORWARD chain? If yes, do I need to setup my
rules for filtering the packets coming from my LAN which I want to
pass through the firewall (using a DROP policy) in the FORWARD or just
in the INPUT chain, or in both of them?
firewall machine = the machine where you are setting up the iptables rules.
Packet filtering rules should always be in filter table (if there is no
special case).
Filter table doesn't have POSTROUTING chain, that is FORWARD is required.
INPUT chain sees only those packets which are destined for the firewall
machine.
FORWARD chain sees the packets which the firewall machine routes either from
LAN to WAN or from WAN to LAN.
OUTPUT chain sees the packets which the firewall machine generates.
Assuming you how the routing works. (I mean operations related to that).
PREROUTING chain of nat table sees the packets before the routing decision
has been done.
POSTROUTING chain of nat table sees the packets after the routing decision
has been done.
So, ultimately this is all about which packets you want to act upon
and where (in kernel network stack). Further which operation you want to
do. Either filtering or
network address translation (NAT).
2) Which is the right place for the NATting rules in my script? That
is, NAT rules must be placed before or after PF rules (for me after,
but as NAT controls different chains because `nat' is a different
table... maybe it's the same)
I think the above description answers this also.
3) Someone can verify the following sentence if I understood
correctly: "Packet coming from any network connected to the firewall
enters the chain INPUT: rules are processed from the first in order to
the end, if a suiting rule for it is found, then the faith of the
packet depends only on that rule; if not packet is either dropped or
accepted, depending on the general policy of the chain above
mentioned"
Thanks.
Marco Nicoloso
All in all, netfilter framework is all about hooks in the kernel's
network stack.
Regards,
Pradeep
