RE: IPTABLES:Let external address appear as an internal address

On Sat, 2012-09-01 at 01:05 +0200, mabra@xxxxxxxxxxxx wrote:
> I studied the diagrams over and over and over again [Although, there
> are different schemas on the net, the last I've used, was on
> Wikipedia].

I assume you mean this one[1]. That is the most accurate, although it
might be a bit too detailed for a beginner.

> What you said, comes to my mind, but I am not sure,
> because, what is a "local process"

A process running on the same machine that iptables is running on.
Packets to/from the local process will go via the INPUT/OUTPUT chains
instead of FORWARD.

> is not quite clear in the diagram and
> the diagram has even not the usual LO interface, which is always present
> too.

The local interface is like a normal physical interface, so can be
treated as such when looking at the packet flow diagram. If you're
accessing a local process through lo, then packets will come in from lo,
travel through INPUT, and be received by the local process. Return
packets generated by the process will be returned via OUTPUT back to the
lo interface.

> Yes, the monit daemon runs on the firewall machine with the iptables.

In which case you cannot use POSTROUTING to alter packets destined to
it.

> Even the internal web cannot be used on the local machine,

There is no technical reason that it cannot.

> This is not working [both curl and wget
> tell me: connection refused].

In which case either the daemon is refusing the connection or the
packets are being rejected by an iptables rule.

> Seems to be the same
> issue.

Same issue as what?

> I am working on this for about three days now and I am out of hope.

What exactly are you trying to achieve? I have not used monit, but I
would be surprised if you have to translate addresses and ports to make
it work how you want it to.

P.S. I recommend a better email client than MS Outlook if you want to
partake in mailing lists. This will allow you to perform proper quoting
when replying :-)

Andy

[1]
http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
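
The two causes of "connection refused" named in the reply above can be told apart by walking the INPUT chain, which is the chain a packet to a daemon on the firewall itself traverses. The following is an added example, not part of the original message: the ruleset, interface names and port 8080 are constructed, and the walker assumes only `-i`, `-p`, `--dport` and `--state` matches with built-in targets (no negation, port ranges or user-defined chains).

```python
import shlex

# Constructed `iptables -S` output (sample data, not from the thread).
SAMPLE_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j REJECT --reject-with tcp-reset
-A FORWARD -p tcp -m tcp --dport 8080 -j ACCEPT
"""

def parse(text):
    """Split `iptables -S` text into chain policies and appended rules."""
    policies, rules = {}, []
    for tok in map(shlex.split, text.splitlines()):
        if tok[:1] == ["-P"]:
            policies[tok[1]] = tok[2]
        elif tok[:1] == ["-A"]:
            opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
            rules.append((tok[1], opts))
    return policies, rules

def verdict(text, chain, iface, dport):
    """First-match verdict for a NEW TCP packet to `dport` arriving on `iface`."""
    policies, rules = parse(text)
    for rule_chain, o in rules:
        if rule_chain != chain or o.get("-i", iface) != iface:
            continue
        if o.get("-p", "tcp") != "tcp" or o.get("--dport", str(dport)) != str(dport):
            continue
        if "--state" in o and "NEW" not in o["--state"].split(","):
            continue
        if o.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return o["-j"]  # built-in terminating target
    return policies[chain]  # nothing matched: the chain policy applies

def explain(text, iface, dport):
    """A daemon on this host is reached through INPUT, never FORWARD."""
    return {
        "REJECT": "iptables rejects it: client sees 'connection refused'",
        "DROP": "iptables drops it: client times out instead",
        "ACCEPT": "iptables accepts it: a refusal comes from the daemon",
    }[verdict(text, "INPUT", iface, dport)]

if __name__ == "__main__":
    print(explain(SAMPLE_RULES, "eth0", 8080))
```

In the sample, the FORWARD rule accepting port 8080 has no effect on a connection to a local daemon; over `lo` the same port is accepted, so a refusal there would come from the daemon itself.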

