ratheesh k a wrote:

> I have a Linux machine (say B) with two interfaces (eth0 - 192.168.1.1 and eth1 - 192.168.55.1). This Linux machine works as a gateway machine. eth0 is connected to the LAN network and eth1 is connected to the WAN network. The rules below are applied on the gateway machine:
>
> iptables -A INPUT -i eth0 -j ACCEPT
> iptables -A INPUT -i eth1 -j DROP
>
> iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -j DROP

Hmm, not sure that dropping everything received on eth1 is a good idea.

> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> LAN ---> eth0 : Gateway Linux machine : eth1 ---> WAN
>
> We have a machine called A, connected to the LAN network and assigned the IP 192.168.1.100; its gateway is machine B's eth0 interface (192.168.1.1).
> If I access "google.com" from machine A, a SYN packet with dest IP a.b.c.d (google.com's IP) and dest port 80 will go to machine B (default gateway). Since we are masquerading all the packets, it will change the source IP to 192.168.55.1 and the source port to some random port (say portx).

MASQUERADE won't change the source port unless specified otherwise by the --random or --to-ports options, or if it is necessary in order to avoid a "collision" with an existing connection (e.g. two clients connecting to the same server with the same source port). See the iptables man page.

> Packets from the server will have IP 192.18.55.1 and port portx. This will be changed to the original IP and port by the conntrack module.

Actually the conntrack module will only associate the packet to the existing connection, and the nat module will change the addresses and ports.

> My question is: if I create a packet with source IP 192.168.55.1 and dest port portx, can I get into machine B from the WAN side?

Do you mean machine A (the client)?
If a crafted packet matches all the characteristics of the conntrack entry for that connection (including reply source port 80, TCP sequence number), then it will be considered belonging to the reply direction of that connection and the NAT will process it accordingly.
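To make the reply's point concrete, here is a deliberately simplified Python model of what conntrack and the nat module do with a packet arriving on the WAN interface. It is an added illustration for this thread, not kernel code and not part of the original mail. It uses the thread's topology (LAN host A 192.168.1.100 behind gateway B whose eth1 address is 192.168.55.1, MASQUERADE on eth1); the server address 203.0.113.10, the client port 40000, the second LAN host 192.168.1.101 and all sequence numbers are constructed sample values, and the sequence-window and port-selection logic is a simplification of the real implementation.

```python
"""Simplified model of conntrack + MASQUERADE on a Linux gateway.

Added illustration for the thread above; this is NOT the kernel's code and
NOT part of the original post. Server address, ports and sequence numbers
below are constructed sample values.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class FiveTuple:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    proto: str = "tcp"


@dataclass
class CtEntry:
    original: FiveTuple               # direction A -> server, before NAT
    reply: FiveTuple                  # direction server -> B's WAN address, before de-NAT
    expect_seq: Optional[int] = None  # next sequence number expected from the server
    window: int = 65535               # accepted reply-side window (simplification)


class Gateway:
    def __init__(self, wan_ip: str):
        self.wan_ip = wan_ip
        self.by_reply: dict[FiveTuple, CtEntry] = {}

    def masquerade(self, pkt: Packet) -> Packet:
        """POSTROUTING on eth1: rewrite the source to the WAN address, keeping
        the source port unless the reply tuple would collide with a live entry."""
        original = FiveTuple(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        sport = pkt.sport
        reply = FiveTuple(pkt.proto, pkt.dst, pkt.dport, self.wan_ip, sport)
        existing = self.by_reply.get(reply)
        if existing is not None and existing.original == original:
            # same connection as before: reuse the existing mapping
            return replace(pkt, src=self.wan_ip, sport=sport)
        while reply in self.by_reply:
            # collision: another LAN host already uses this port towards the same peer
            sport += 1  # the kernel picks from a port range; simplified here
            reply = FiveTuple(pkt.proto, pkt.dst, pkt.dport, self.wan_ip, sport)
        self.by_reply[reply] = CtEntry(original, reply)
        return replace(pkt, src=self.wan_ip, sport=sport)

    def receive_wan(self, pkt: Packet) -> tuple[str, Optional[Packet]]:
        """Packet arriving on eth1. Returns (verdict, de-NATed packet or None)."""
        key = FiveTuple(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        entry = self.by_reply.get(key)
        if entry is None:
            # no connection has this reply tuple: conntrack finds nothing to de-NAT
            return ("no-conntrack-match", None)
        lo = entry.expect_seq
        if lo is not None and not (lo <= pkt.seq < lo + entry.window):
            # right addresses and ports but wrong TCP sequence: conntrack says INVALID
            return ("invalid-seq", None)
        entry.expect_seq = pkt.seq + 1  # simplification: advance by one per packet
        # reply direction of an existing connection: the nat module undoes MASQUERADE
        out = replace(pkt, dst=entry.original.src, dport=entry.original.sport)
        return ("established-reply", out)


def demo() -> dict:
    """Walk through the thread's scenario and return every intermediate result."""
    gw = Gateway("192.168.55.1")
    # A opens a connection to the server; MASQUERADE keeps port 40000
    a_out = gw.masquerade(Packet("192.168.1.100", 40000, "203.0.113.10", 80, seq=1000))
    # a second LAN host using the same source port to the same server collides
    b_out = gw.masquerade(Packet("192.168.1.101", 40000, "203.0.113.10", 80, seq=2000))
    # the genuine SYN-ACK from the server matches A's reply tuple
    v_synack, _ = gw.receive_wan(Packet("203.0.113.10", 80, "192.168.55.1", 40000, seq=5000))
    # packet from an unrelated WAN host: source address does not match any reply tuple
    v_other, _ = gw.receive_wan(Packet("198.51.100.7", 80, "192.168.55.1", 40000, seq=5001))
    # server address and port match, but the sequence number is outside the window
    v_badseq, _ = gw.receive_wan(Packet("203.0.113.10", 80, "192.168.55.1", 40000, seq=900000000))
    # every characteristic matches, including the sequence: treated as the reply direction
    v_match, p_match = gw.receive_wan(Packet("203.0.113.10", 80, "192.168.55.1", 40000, seq=5001))
    return {
        "a_out": a_out, "b_out": b_out, "v_synack": v_synack,
        "v_other": v_other, "v_badseq": v_badseq, "v_match": v_match, "p_match": p_match,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The verdicts mirror the reply above: a packet that does not match the reply tuple is not associated with any connection, one that matches the tuple but carries an out-of-window sequence number is marked INVALID by conntrack, and only a packet matching every characteristic is de-NATed by the nat module towards the LAN client. This is also why a ruleset that relies on conntrack should match on state (`-m conntrack --ctstate ESTABLISHED,RELATED`) and drop INVALID rather than accepting or dropping everything on an interface.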