Re: NAT overlaps with ports

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

Kapetanakis Giannis a écrit :
> 
> 192.168.1.0/24 is my public  IP range (eth0)

This IP range is private, not public.
If you made it up, please use the 192.0.2.0/24 range reserved for
examples and documentation instead.

> 10.0.0.0/24 is my private IP range (eth1)
> 192.168.1.1 public IP of server
> 10.0.0.1 private IP of server
> 
> I'd like to add the following rules in the nat table:
> 
> [1] -A PREROUTING -i eth0 -d 192.168.1.1 -p tcp --dport 8080 -j DNAT 
> --to-destination 10.0.0.1:8080
> [2] -A POSTROUTING -o eth0 -s 10.0.0.1 -p tcp --sport 8080 -j SNAT 
> --to-source 192.168.1.1:8080
> [3] -A POSTROUTING -o eth0 -s 10.0.0.0/24 --to-source 
> 192.168.1.1-192.168.1.10

Rule [2] is pointless. Packets with source port 8080 are obviously
replies, and Netfilter NAT implicitly takes care of reply packets
packets. Actually, the 'nat' chains don't even see reply packets.

> According to http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html
> iptables is clever enough to avoid overlaps and clashes.
> Are we sure that there isn't any chance to map a random packet (not from 
> the server)
> to 192.168.1.1:8080 in rule [3]?

No. That could happen as long as it does not create a collision with an
existing mapping. Why do you worry about it ?
The important point is that netfilter avoids collisions between existing
NAT mappings. Rules do not create mappings by themselves, a mapping is
created only for each new connection created by a packet.

> I mean, does rule [2] reserve port 8080 of 192.168.1.1 ?

No. NAT rules do not reserve anything.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux