On 25.02.2010 05:01, netfilter-owner@xxxxxxxxxxxxxxx wrote:
>> The nat table only sees state NEW packets.
>
> My default policy for the FORWARD chain is ACCEPT. I failed to describe my
> question. Sorry for my bad English.
>
>
>                  machine "B"
>     ------------------------------------------
>     |                                        |
>     |                                        |
> machine "A" ------> eth0                     |
>     |                                        |
>     |                 eth1 -------------------------------> internet
>     |                                        |
>     |                                        |
>     ------------------------------------------
>
>
> Suppose I browse "yahoo.com" from machine A. The first SYN packet is sent
> from machine A to the gateway machine "B".
> The packet state is NEW and it is masqueraded to eth1. When a packet comes back
> from the internet, the state of the packet is set as ESTABLISHED. After the
> state is turned to ESTABLISHED, do we really require the MASQUERADE rule
> for the next packets?
>
> Without this MASQUERADE target, will the connection continue to work?
>
> Thanks,
> Ratheesh
>
>
> On Wed, Feb 24, 2010 at 8:27 PM, Mart Frauenlob
> <mart.frauenlob@xxxxxxxxx> wrote:
>> On 24.02.2010 15:45, netfilter-owner@xxxxxxxxxxxxxxx wrote:
>>> All,
>>>
>>> R1) iptables -t nat -I POSTROUTING -o eth0 -m state --state
>>> ESTABLISHED,RELATED -j ACCEPT
>>> R2) iptables -t nat -A POSTROUTING -o eth0 -j MASQERADE
>>>
>>>
>>>                  machine "B"
>>>     ------------------------------------------
>>>     |                                        |
>>>     |                                        |
>>> machine "A" ------> eth0                     |
>>>     |               eth1 ---------------------------------> internet
>>>     |                                        |
>>>     |                                        |
>>>     ------------------------------------------
>>>
>>> I applied rule R2 and I am able to browse the internet from machine A.
>>>
>>> 1. Is there any problem if I apply R1?
>>> 2. If the packet state becomes ESTABLISHED (not a new packet), do we
>>> need the MASQUERADE target for the remaining packets???
>>>
>>> Thanks,
>>> Ratheesh
>>
>> The nat table only sees state NEW packets.
>> A rule with state "ESTABLISHED,RELATED" will never match there.
>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE is good (without
>> the typo).
>>
>> Do filtering (ACCEPT/DROP/REJECT) in the filter table.
>> iptables -A FORWARD -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> same for OUTPUT maybe.
>>
>> Best regards

Did you read the reply? Did you understand it? Does not look so.
Please go and learn netfilter basics.
(netfilter.org, http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html)

A simple g00gle search will give you ~ 120.000 results about masquerading:
http://www.google.at/search?q=iptables+nat+masquerade&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

P.S. Why CC me if I explicitly set the reply addr. to netfilter@....???

Bye bye
Mart
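The split Mart describes, NAT decision once per connection in the nat table and per-packet filtering in the filter table, written out as a complete gateway ruleset. This is an added example, not a ruleset posted in the thread; interface names follow the diagram (eth0 towards machine A, eth1 towards the internet), the LAN prefix 192.168.1.0/24 and the `apply` argument are assumptions, and the rules are emitted by a function so they can be reviewed before `iptables-restore` loads them.

```shell
#!/bin/sh
# Added example (not from the thread). Interface and prefix values are assumptions.
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.1.0/24   # assumed LAN prefix behind machine "B"; adjust

# Emit the ruleset in iptables-restore format. Lines starting with '#' are ignored
# by iptables-restore, so the comments can stay in the generated text.
gateway_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# The nat table is consulted only for the first packet of a connection (state
# NEW); conntrack applies the chosen mapping to every later packet of that
# connection, which is why R1's ESTABLISHED,RELATED rule can never match here.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Per-packet policy lives here: LAN hosts may open connections outwards, and
# only packets belonging to a known connection are forwarded back in.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Self-check: the nat section must not contain a state match (the R1 mistake).
nat_has_no_state_match() {
  ! gateway_rules | sed -n '/^\*nat/,/^COMMIT/p' | grep -q -- '--state'
}

# Self-check: the filter section must carry the per-packet state rules instead.
filter_has_state_rules() {
  gateway_rules | sed -n '/^\*filter/,/^COMMIT/p' | grep -q -- '--state ESTABLISHED,RELATED'
}

# Only load the rules when explicitly asked. After some browsing from machine A,
# the MASQUERADE counter grows by one per connection while the FORWARD counters
# grow with every packet, which shows the nat table is hit once per connection.
if [ "${1:-}" = "apply" ]; then
  gateway_rules | iptables-restore
  sysctl -w net.ipv4.ip_forward=1
  iptables -t nat -L POSTROUTING -v -n
  iptables -L FORWARD -v -n
fi
```

Run with `sh gateway.sh` to print nothing and just define the functions, or `sh gateway.sh apply` as root on the gateway to load the rules and show the counters.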