Problem with routing decisions, and multihop

Lluís Batlle viriketo at gmail.com
Tue Jul 5 07:52:52 CEST 2005


Again between lines...
On 7/4/05, /dev/rob0 <rob0 at gmx.co.uk> wrote:
> On Monday 04 July 2005 11:54, Lluís Batlle wrote:
> > > >>NE1=192.168.16.0/28
> > > >>NE2=192.168.17.0/28
> > >
> > > Let's see, those are .0-.15 on the last quad.
> > >
> > > >>NLOCAL=192.168.0.0/20
> > >
> > > And this is 0.0 through 15.255 ... IOW, wrong, excluding both $NE1
> > > and $NE2. Try 192.168.16.0/23. It would not hurt for you to brush
> > > up on TCP/IP and subnetting basics.
> >
> > Oh. Is it wrong? I don't understand what's "IOW". Where should I try
> > your proposed subnet? why?
> 
> IOW="in other words", a common Internet shorthand.
> 
> 192.168.0.0/20, set as $NLOCAL in your iptables script, excludes your
> IP addresses and networks. No packet hitting the rules which refer to
> that value will match, so the rules are ignored.
Why? In the LAN (eth0, 192.168.0.0/20) there are many computers... If
I change it to 192.168.0.0/16, eth1 and eth2 _won't_ be separate
subnetworks! It's important for them to be excluded.
IOW, there must be no intersection between the networks of the different NICs.
> 
> The rules to which I am referring:
> $IPTABLES -t nat -A POSTROUTING -o eth1 -s $NLOCAL -j SNAT --to $IPE1
> $IPTABLES -t nat -A POSTROUTING -o eth2 -s $NLOCAL -j SNAT --to $IPE2
> Your SNAT rules.
> 
> Change "NLOCAL=192.168.0.0/20" to "NLOCAL=192.168.0.0/16", or as
> previously suggested, "NLOCAL=192.168.16.0/23". I suppose you could
> even omit the source specification altogether:
> $IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to $IPE1
> $IPTABLES -t nat -A POSTROUTING -o eth2 -j SNAT --to $IPE2
Will the kernel, that way, maintain connection tables for SNAT even
for local connections?
> ###  Kids, don't try this at home. Professional stunt driver on a
> ###  closed track.
> iptables -N InputLogDrop
> iptables -N ForwardAllow
> iptables -A InputLogDrop -j ACCEPT
> iptables -A FORWARD -j InputLogDrop
> iptables -A ForwardAllow -j LOG
> iptables -A ForwardAllow -p tcp -j REJECT
> iptables -A ForwardAllow -j DROP
> iptables -A INPUT -j ForwardAllow
> ###  For my next trick, I will campaign to be elected Prime Minister.
> ###  Thank you for your support in the polls.
:)))
> Perhaps it doesn't break anything, but I have read here that only
> packets of --state NEW hit the -t nat PREROUTING chain. I don't know
> about the relationship between connection tracking and NAT.
Can you give a link about that?
> 
> "RFC 1918 netblocks" is simply another form of shorthand to refer to
> IPv4 ranges which are reserved for private use, namely 10.0.0.0/8,
> 172.16.0.0/12, and 192.168.0.0/16. I rarely read RFC's myself (but I
> must confess to a fondness for RFC 1149. :) )
Hahaha :)
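As an added example, not part of the thread, here is the subnet arithmetic the two correspondents are arguing over, checked with Python's ipaddress module; the CIDR values are those posted above, and treating 192.168.0.0/20 as the eth0 LAN follows Lluís's description:

```python
import ipaddress

# CIDR values as posted in the thread
NE1 = ipaddress.ip_network("192.168.16.0/28")
NE2 = ipaddress.ip_network("192.168.17.0/28")
EXTERNAL_NETS = [NE1, NE2]


def address_range(cidr):
    """First and last address of a block, e.g. /20 -> ('192.168.0.0', '192.168.15.255')."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)


def snat_source_covers(nlocal_cidr, nets):
    """True if every network in `nets` lies inside the -s $NLOCAL match of the SNAT rule."""
    nlocal = ipaddress.ip_network(nlocal_cidr)
    return all(n.subnet_of(nlocal) for n in nets)


def nic_networks_disjoint(nets):
    """True if no two per-interface networks intersect (the property Lluís asks for)."""
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def evaluate_nlocal(nlocal_cidr):
    """Summarise one candidate NLOCAL value against NE1/NE2 (assumes NLOCAL is the eth0 LAN)."""
    nlocal = ipaddress.ip_network(nlocal_cidr)
    return {
        "range": address_range(nlocal_cidr),
        "covers_NE1_NE2": snat_source_covers(nlocal_cidr, EXTERNAL_NETS),
        "nics_disjoint": nic_networks_disjoint([nlocal] + EXTERNAL_NETS),
    }


if __name__ == "__main__":
    # the three values proposed in the thread
    for candidate in ("192.168.0.0/20", "192.168.0.0/16", "192.168.16.0/23"):
        print(candidate, evaluate_nlocal(candidate))
```

The /20 value keeps the three interface networks disjoint but does not contain NE1/NE2, while /16 and 192.168.16.0/23 contain them but overlap the eth1/eth2 ranges; which property matters depends on what the rule's -s is meant to match.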