Thanks a ton.

On Thu, Feb 25, 2010 at 3:29 PM, Mart Frauenlob <mart.frauenlob@xxxxxxxxx> wrote:
> On 25.02.2010 05:01, netfilter-owner@xxxxxxxxxxxxxxx wrote:
>>>>>>>>>>>>>> The nat table only sees state NEW packets.
>>
>> My default policy for the FORWARD chain is ACCEPT. I failed to describe my
>> question. Sorry for my bad English.
>>
>>
>>                    machine "B"
>>                    ------------------------------------------
>>                    |                                        |
>>                    |                                        |
>> machine "A" ------> eth0                                    |
>>                    |                                      eth1 ----------------------------------------> internet
>>                    |                                        |
>>                    |                                        |
>>                    ------------------------------------------
>>
>>
>> Suppose I browse "yahoo.com" from machine A. The first SYN packet is sent
>> from machine A to gateway machine "B".
>> Packet state is NEW and masqueraded to eth1. When a packet comes back from
>> the internet, the state of the packet is set as ESTABLISHED. After the
>> state is turned to ESTABLISHED, do we really require the MASQUERADE rule
>> for the next packets?
>>
>> Without this MASQUERADE target also, will the connection continue to work?
>>
>> Thanks,
>> Ratheesh
>>
>>
>> On Wed, Feb 24, 2010 at 8:27 PM, Mart Frauenlob
>> <mart.frauenlob@xxxxxxxxx> wrote:
>>> On 24.02.2010 15:45, netfilter-owner@xxxxxxxxxxxxxxx wrote:
>>>> All,
>>>>
>>>> R1) iptables -t nat -I POSTROUTING -o eth0 -m state --state
>>>> ESTABLISHED,RELATED -j ACCEPT
>>>> R2) iptables -t nat -A POSTROUTING -o eth0 -j MASQERADE
>>>>
>>>>
>>>>                    machine "B"
>>>>                    ------------------------------------------
>>>>                    |                                        |
>>>>                    |                                        |
>>>> machine "A" ------> eth0                                    |
>>>>                    |                                      eth1----------------------------------------> internet
>>>>                    |                                        |
>>>>                    |                                        |
>>>>                    ------------------------------------------
>>>>
>>>> I applied rule R2 and I am able to browse the internet from machine A.
>>>>
>>>> 1. Is there any problem if I apply R1?
>>>> 2. If the packet state becomes ESTABLISHED (not a new packet), do we
>>>> need the MASQUERADE target for the remaining packets???
>>>>
>>>> Thanks,
>>>> Ratheesh
>>>
>>> The nat table only sees state NEW packets.
>>> A rule with state "ESTABLISHED,RELATED" will never match there.
>>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE is good (without
>>> the typo).
>>>
>>> Do filtering (ACCEPT/DROP/REJECT) in the filter table.
>>> iptables -A FORWARD -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>
>>> Same for OUTPUT maybe.
>>>
>>> Best regards
>
> Do you read the reply?
> Did you understand it?
> Does not look so.
> Please go and learn netfilter basics. (netfilter.org,
> http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html)
>
> A simple g00gle search will give you ~ 120.000 results about masquerading:
> http://www.google.at/search?q=iptables+nat+masquerade&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
>
> P.S. Why CC me if I explicitly set the reply addr. to netfilter@....???
>
> Bye bye
>
> Mart
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
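The point Mart makes in the thread (the nat table is consulted only for the first, state NEW packet of a connection; the resulting binding is stored in the conntrack entry and reused for every later packet in both directions) is easier to see with a small model of machine "B". The following is an added example, not code from either poster and not kernel code: a toy conntrack table with an optional MASQUERADE rule. All addresses (`WAN_IP`, `LAN_HOST`, `REMOTE`) are constructed values from documentation ranges, and `Router`, `run_scenario` and the rest are hypothetical names chosen for the illustration.

```python
# Added example: a toy model of how netfilter connection tracking decides
# whether the nat table is consulted. NOT kernel code; it only mirrors the
# behaviour described in the thread: the nat table is looked up once, for
# the first (state NEW) packet of a flow, and the resulting address binding
# is kept in the conntrack entry and reused for every later packet of that
# flow, in both directions, without touching the nat table again.
from dataclasses import dataclass, replace

WAN_IP = "203.0.113.1"      # constructed: address of B's eth1
LAN_HOST = "192.168.1.10"   # constructed: machine A behind eth0
REMOTE = "198.51.100.7"     # constructed: stands in for "yahoo.com"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """Machine B: a conntrack table plus an optional MASQUERADE rule."""

    def __init__(self, masquerade_rule: bool = True):
        self.masquerade_rule = masquerade_rule  # rule present in nat POSTROUTING?
        self.conntrack = {}    # original 4-tuple -> (translated src, translated sport)
        self.nat_lookups = 0   # how often the nat table was actually consulted
        self._next_port = 40000

    def _nat_table(self, pkt: Packet):
        """Consulted only for the first packet of a connection."""
        self.nat_lookups += 1
        if self.masquerade_rule:
            self._next_port += 1
            return (WAN_IP, self._next_port)
        return (pkt.src, pkt.sport)   # no matching rule: identity (null) binding

    def forward_out(self, pkt: Packet):
        """Packet from A heading for the internet via eth1."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            state = "ESTABLISHED"     # nat table is skipped entirely
        else:
            state = "NEW"
            self.conntrack[key] = self._nat_table(pkt)
        nsrc, nsport = self.conntrack[key]
        return state, replace(pkt, src=nsrc, sport=nsport)

    def forward_in(self, pkt: Packet):
        """Reply from the internet: undo the stored binding, if there is one."""
        for (src, sport, dst, dport), (nsrc, nsport) in self.conntrack.items():
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (dst, dport, nsrc, nsport):
                return "ESTABLISHED", replace(pkt, dst=src, dport=sport)
        return "NEW", pkt   # no entry: the reply cannot be mapped back to A


def run_scenario():
    """Flow 1 starts with the MASQUERADE rule present; the rule is then removed."""
    b = Router(masquerade_rule=True)
    syn = Packet(LAN_HOST, 51000, REMOTE, 80)
    s1, out1 = b.forward_out(syn)                  # NEW -> nat table consulted
    synack = Packet(REMOTE, 80, out1.src, out1.sport)
    s2, in1 = b.forward_in(synack)                 # reply translated back to A
    b.masquerade_rule = False                      # rule deleted after the flow exists
    s3, out2 = b.forward_out(syn)                  # same flow: binding still applies
    # a brand-new flow after the rule is gone leaves with A's private address
    s4, out3 = b.forward_out(Packet(LAN_HOST, 51001, REMOTE, 80))
    return {
        "states": (s1, s2, s3, s4),
        "flow1_src": (out1.src, out2.src),
        "reply_dst": in1.dst,
        "new_flow_src": out3.src,
        "nat_lookups": b.nat_lookups,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The scenario answers both of Ratheesh's questions in model form: R1 (`--state ESTABLISHED,RELATED` in the nat table) can never match, because packets in that state never reach the nat table at all; only one nat lookup per connection is made, so the MASQUERADE rule is consulted once per flow, not per packet. Removing the rule does not break an already tracked connection, because its binding lives in the conntrack entry, but every new connection opened afterwards leaves eth1 with A's private source address and its replies cannot be mapped back. Filtering decisions, as Mart says, belong in the filter table's FORWARD chain.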