Re: MASQUERADE and ACCEPT targets

> The nat table only sees state NEW packets.

My default policy for the FORWARD chain is ACCEPT. I failed to describe my
question. Sorry for my bad English.



                        machine "B"
               +--------------------------+
machine "A" -----> eth0                eth1 -----> internet
               +--------------------------+



Suppose I browse "yahoo.com" from machine A. The first SYN packet is sent
from machine A to the gateway machine "B".
The packet state is NEW and it is masqueraded to eth1. When a packet comes
back from the internet, the state of the packet is set as ESTABLISHED. After
the state is turned to ESTABLISHED, do we really require the MASQUERADE rule
for the next packets?

Without this MASQUERADE target, will the connection also continue to work?

Thanks,
Ratheesh







On Wed, Feb 24, 2010 at 8:27 PM, Mart Frauenlob
<mart.frauenlob@xxxxxxxxx> wrote:
> On 24.02.2010 15:45, netfilter-owner@xxxxxxxxxxxxxxx wrote:
>> All ,
>>
>>      R1)   iptables -t nat -I POSTROUTING -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>      R2)   iptables -t nat -A POSTROUTING -o eth0 -j MASQERADE
>>
>>
>>                         machine "B"
>>                +--------------------------+
>> machine "A" -----> eth0                eth1 -----> internet
>>                +--------------------------+
>>
>>  I applied rule R2 and I am able to browse the internet from machine A.
>>
>>  1. Is there any problem if I apply R1?
>>  2. If the packet state becomes ESTABLISHED (not a new packet), do we
>> need the MASQERADE target for the remaining packets?
>>
>> Thanks,
>> Ratheesh
>
> The nat table only sees state NEW packets.
> A rule with state "ESTABLISHED,RELATED" will never match there.
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE is good (without
> the typo).
>
> Do filtering (ACCEPT/DROP/REJECT) in the filter table.
> iptables -A FORWARD -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> same for OUTPUT maybe.
>
> Best regards
>
> Mart
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
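To make the distinction Mart draws concrete, here is an added Python model of a NAT gateway (my own constructed example, not code from this thread or from netfilter). It assumes eth1 is the internet-facing interface (the rules quoted above say -o eth0 while the diagram puts the internet on eth1), uses constructed addresses, and models the two behaviours under discussion: the nat table is traversed only by the first packet of a flow, and the source binding it picks is stored in the conntrack entry and applied to every later packet of that flow in both directions, while the filter table sees every packet.

```python
"""Toy model of conntrack + nat/POSTROUTING + filter/FORWARD (constructed example)."""
from dataclasses import dataclass
from typing import Optional

NEW, ESTABLISHED, RELATED = "NEW", "ESTABLISHED", "RELATED"
LAN_IF, WAN_IF = "eth0", "eth1"            # assumption: eth1 faces the internet
INTERNAL, PUBLIC, SERVER = "192.168.1.10", "203.0.113.5", "198.51.100.20"  # constructed


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    out_if: str                  # egress interface, what "-o" matches on


@dataclass
class Rule:
    table: str                   # "nat" or "filter"
    out_if: Optional[str]        # -o IFACE, None = any interface
    states: Optional[frozenset]  # -m state --state ..., None = no state match
    target: str                  # ACCEPT, DROP or MASQUERADE
    hits: int = 0                # the pkts counter you see in iptables -vL

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.out_if is not None and pkt.out_if != self.out_if:
            return False
        return self.states is None or state in self.states


@dataclass
class CtEntry:
    orig: tuple                  # (src, sport, dst, dport) of the first packet
    snat: Optional[str] = None   # source binding chosen when the nat table ran
    seen_reply: bool = False     # conntrack reports ESTABLISHED once a reply is seen


class Gateway:
    def __init__(self, rules, forward_policy="ACCEPT"):
        self.nat = [r for r in rules if r.table == "nat"]
        self.filter = [r for r in rules if r.table == "filter"]
        self.forward_policy = forward_policy
        self.conntrack = {}      # orig 4-tuple -> CtEntry

    def _lookup(self, pkt):
        """Return (entry, direction); direction is 'orig' or 'reply'."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            return self.conntrack[key], "orig"
        for entry in self.conntrack.values():
            src, sport, dst, dport = entry.orig
            if key == (dst, dport, entry.snat or src, sport):   # reply to the translated flow
                return entry, "reply"
        return None, "orig"

    @staticmethod
    def _first_match(chain, pkt, state):
        for rule in chain:
            if rule.matches(pkt, state):
                rule.hits += 1
                return rule.target
        return None

    def forward(self, pkt):
        """Return (verdict, packet as it leaves the gateway, state the rules saw)."""
        entry, direction = self._lookup(pkt)
        first_packet = entry is None
        if first_packet:
            entry = CtEntry(orig=(pkt.src, pkt.sport, pkt.dst, pkt.dport))
            self.conntrack[entry.orig] = entry
        if direction == "reply":
            entry.seen_reply = True
        state = ESTABLISHED if entry.seen_reply else NEW
        # filter/FORWARD is traversed by every packet of the flow
        verdict = self._first_match(self.filter, pkt, state) or self.forward_policy
        if verdict != "ACCEPT":
            return verdict, pkt, state
        # nat/POSTROUTING is traversed only by the first packet of a flow
        if first_packet and self._first_match(self.nat, pkt, state) == "MASQUERADE":
            entry.snat = PUBLIC
        # the binding kept in the conntrack entry is applied to every packet, both ways
        if entry.snat and direction == "orig":
            pkt = Packet(entry.snat, pkt.sport, pkt.dst, pkt.dport, pkt.out_if)
        elif entry.snat and direction == "reply":
            pkt = Packet(pkt.src, pkt.sport, entry.orig[0], pkt.dport, pkt.out_if)
        return verdict, pkt, state


def thread_rules():
    """R1 and R2 from the thread, with the WAN interface assumed to be eth1."""
    return [Rule("nat", WAN_IF, frozenset({ESTABLISHED, RELATED}), "ACCEPT"),  # R1
            Rule("nat", WAN_IF, None, "MASQUERADE")]                           # R2


def recommended_rules():
    """MASQUERADE in nat; the state match moved to filter/FORWARD as Mart suggests."""
    return [Rule("nat", WAN_IF, None, "MASQUERADE"),
            Rule("filter", WAN_IF, frozenset({ESTABLISHED, RELATED}), "ACCEPT")]


def browse(gw, sport=40000):
    """A -> server SYN, server -> A SYN/ACK, A -> server ACK, all through the gateway."""
    r1 = gw.forward(Packet(INTERNAL, sport, SERVER, 80, WAN_IF))
    r2 = gw.forward(Packet(SERVER, 80, r1[1].src, sport, LAN_IF))  # reply goes to whatever left
    r3 = gw.forward(Packet(INTERNAL, sport, SERVER, 80, WAN_IF))
    return [r1, r2, r3]


def after_masquerade_removed(gw, sport=40000):
    """Drop the nat rules after a flow exists: returns (old flow's src, new flow's src)."""
    gw.nat.clear()
    old = gw.forward(Packet(INTERNAL, sport, SERVER, 80, WAN_IF))
    new = gw.forward(Packet(INTERNAL, sport + 1, SERVER, 80, WAN_IF))
    return old[1].src, new[1].src
```

Running browse() over R1 and R2 leaves R1's counter at zero and R2's at one for the whole three-packet exchange, which is what the pkts column of iptables -t nat -vL would show: the nat table is consulted once, for the NEW packet, so a state match on ESTABLISHED,RELATED there can never fire. With Mart's layout the same match placed in FORWARD does count the established outbound packet. after_masquerade_removed() shows in the model why the binding is a conntrack property rather than a rule property: the existing flow keeps leaving with the public address, while a fresh flow leaves untranslated; it is also why state-based filtering belongs in the filter table, where every packet is seen.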
