FORWARD and NAT
Sun, 16 Jul 2000 15:28:55 +0200
Rusty Russell wrote:
> In message <396C874C.6EFCBAD6@gmx.de> you write:
> > do I have to add a forward rule for replies on masqueraded packets?
> > e.g. if I have my local network 192.168.1.0/24 on eth0 and the gateway/firewall
> > 192.168.1.1, I have a rule that forwards packets from localnet to the internet:
> > iptables -A FORWARD -j ACCEPT -s 192.168.1.0/24 -i eth0 -o ippp0
> > masquerading is done in the chain POSTROUTING in the nat table.
> > Are incoming replies on masqueraded packets demasqueraded before they reach the
> > FORWARD chain?
> Yes. The rule is simple: NAT doesn't alter packet filtering. So
> ignore NAT when you are writing your packet filtering rules.
Seems I understand the system now:
- packets from the local network are masqueraded and they go through FORWARD.
They don't go through INPUT or OUTPUT at all.
- same for replies on these masq'ed packets. They are demasq'ed and go through
Is that right?
That seems to be much easier than the ipchains solution which needed
INPUT+OUTPUT rules in order to route outgoing packets, and two more I+O rules
for the replies on those. So, now 2 FORWARD rules do the same as 4 rules did
before. - That's quite cool!
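The two-FORWARD-rule design described in this thread, written out as a complete script. This is an added example, not a ruleset posted by anyone in the thread; it takes the addresses and interfaces from the original question (LAN 192.168.1.0/24 on eth0, uplink on ippp0) and adds two things the thread does not mention: a default DROP policy on FORWARD, and the connection-tracking state match so that the reply rule only admits packets belonging to flows the first rule allowed. Both FORWARD rules name the private LAN addresses, because the filter runs before masquerading on the way out and after de-masquerading on the way in; NAT never shows up in the filter rules.

```shell
#!/bin/sh
# Constructed example: filter rules that ignore NAT, plus MASQUERADE in nat/POSTROUTING.
# Assumptions (taken from the thread): LAN 192.168.1.0/24 on eth0, dial-up uplink on ippp0.
LAN_NET="192.168.1.0/24"
LAN_IF="eth0"
EXT_IF="ippp0"

# With DRY_RUN=1 the iptables commands are printed instead of executed, so the
# ruleset can be inspected (or tested) without root or a netfilter kernel.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Default to dropping forwarded traffic; only what is listed below passes.
    ipt -P FORWARD DROP
    # Rule 1: LAN hosts may open connections towards the uplink.
    # The source is the private address: FORWARD is traversed before
    # POSTROUTING masquerades the packet, so NAT does not change what the
    # filter sees here.
    ipt -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    # Rule 2: replies. They are de-masqueraded in PREROUTING, so by the time
    # they reach FORWARD the destination is again the LAN host's private
    # address. The state match (an assumption beyond the thread) limits this
    # to packets belonging to flows that rule 1 already allowed.
    ipt -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -d "$LAN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NAT lives in its own table and chain; the filter rules never refer to it.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

# Print the ruleset without touching the kernel (subshell keeps DRY_RUN local).
show_rules() {
    ( DRY_RUN=1; apply_rules )
}

# Number of FORWARD rules emitted: the thread's point is that two suffice.
forward_rule_count() {
    show_rules | grep -c ' -A FORWARD '
}

# Number of FORWARD rules that mention the NAT target: should be zero, since
# packet filtering is written as if NAT did not exist.
forward_rules_mentioning_nat() {
    show_rules | grep -- ' -A FORWARD ' | grep -c 'MASQUERADE'
}

# Run with --apply (as root) to load the rules; the default only prints them.
case "${1:-}" in
    --apply) apply_rules ;;
    *)       show_rules ;;
esac
```

Run it with no arguments to see the five iptables commands it would issue; `--apply` loads them for real. The ordering matters: if you later add a rule to the nat table, nothing in the FORWARD chain needs to change, which is exactly the point made in the thread.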