FORWARD and NAT

Christoph Schönfeld christoph.schoenfeld@gmx.de
Sun, 16 Jul 2000 15:28:55 +0200


Rusty Russell wrote:
> 
> In message <396C874C.6EFCBAD6@gmx.de> you write:
> > do I have to add a forward rule for replies on masqueraded packets?
> >
> > e.g. if I have my local network 192.168.1.0/24 on eth0 and the gateway/firewall
> > 192.168.1.1, I have a rule that forwards packets from localnet to the internet
> >
> > iptables -A FORWARD -j ACCEPT -s 192.168.1.0/24 -i eth0 -o ippp0
> >
> > masquerading is done in the chain POSTROUTING in the nat table.
> > Are incoming replies on masqueraded packets demasqueraded before they reach the
> > FORWARD chain?
> 
> Yes.  The rule is simple: NAT doesn't alter packet filtering.  So
> ignore NAT when you are writing your packet filtering rules.

Seems I understand the system now:
- packets from the local network are masqueraded and they go through FORWARD.
They don't go through INPUT or OUTPUT at all.
- same for replies to these masq'ed packets: they are demasq'ed and go through
FORWARD again.

Is that right?

That seems to be much easier than the ipchains solution, which needed
INPUT+OUTPUT rules in order to route outgoing packets, and two more I+O rules
for the replies to those. So now 2 FORWARD rules do the same as 4 rules did
before. That's quite cool!


Christoph