Problem with routing decisions, and multihop

Lluís Batlle viriketo at
Tue Jul 5 07:52:52 CEST 2005

Again between lines...
On 7/4/05, /dev/rob0 <rob0 at> wrote:
> On Monday 04 July 2005 11:54, Lluís Batlle wrote:
> > > >>NE1=
> > > >>NE2=
> > >
> > > Let's see, those are .0-.15 on the last quad.
> > >
> > > >>NLOCAL=
> > >
> > > And this is 0.0 through 15.255 ... IOW, wrong, excluding both $NE1
> > > and $NE2. Try It would not hurt for you to brush
> > > up on TCP/IP and subnetting basics.
> >
> > Oh. Is it wrong? I don't understand what's "IOW". Where should I try
> > your proposed subnet? why?
> IOW="in other words", a common Internet shorthand.
>, set as $NLOCAL in your iptables script, excludes your
> IP addresses and networks. No packet hitting the rules which refer to
> that value will match, so the rules are ignored.
Why? In the LAN (eth0, there are many computers... if
I change it to, eth1 and eth2 _won't_ be apart
subnetworks! It's important for them to be excluded.
IOW, there must be no intersection between the networks of the different NICs.
> The rules to which I am referring:
> $IPTABLES -t nat -A POSTROUTING -o eth1 -s $NLOCAL -j SNAT --to $IPE1
> $IPTABLES -t nat -A POSTROUTING -o eth2 -s $NLOCAL -j SNAT --to $IPE2
> Your SNAT rules.
> Change "NLOCAL=" to "NLOCAL=", or as
> previously suggested, "NLOCAL=". I suppose you could
> even omit the source specification altogether:
> $IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to $IPE1
> $IPTABLES -t nat -A POSTROUTING -o eth2 -j SNAT --to $IPE2
Will the kernel, that way, maintain connection tables for SNAT even
for local connections?
> ###  Kids, don't try this at home. Professional stunt driver on a
> ###  closed track.
> iptables -N InputLogDrop
> iptables -N ForwardAllow
> iptables -A InputLogDrop -j ACCEPT
> iptables -A FORWARD -j InputLogDrop
> iptables -A ForwardAllow -j LOG
> iptables -A ForwardAllow -p tcp -j REJECT
> iptables -A ForwardAllow -j DROP
> iptables -A INPUT -j ForwardAllow
> ###  For my next trick, I will campaign to be elected Prime Minister.
> ###  Thank you for your support in the polls.
> Perhaps it doesn't break anything, but I have read here that only
> packets of --state NEW hit the -t nat PREROUTING chain. I don't know
> about the relationship between connection tracking and NAT.
Can you give a link about that?
> "RFC 1918 netblocks" is simply another form of shorthand to refer to
> IPv4 ranges which are reserved for private use, namely,
>, and I rarely read RFC's myself (but I
> must confess to a fondness for RFC 1149. :) )
Hahaha :)
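The two points argued over above (that "-s $NLOCAL" must contain the LAN behind eth0 or the SNAT rules never match, and that $NLOCAL must not intersect the networks on eth1/eth2) can be checked before the rules are loaded. The script below is an added example, not code from the thread; every address in it is a constructed placeholder standing in for the values stripped from the archived mail, and IPE1/IPE2/NE1/NE2 are assumed to have the meaning the thread gives them.

```shell
#!/bin/sh
# Added example, not from the thread. All addresses are constructed
# placeholders. Checks two conditions before printing the SNAT rules:
#   1. -s $NLOCAL must contain the LAN on eth0, or the rules never match;
#   2. $NLOCAL must not intersect the networks on eth1/eth2 ($NE1, $NE2).

IPE1=203.0.113.10   # constructed: address on eth1
IPE2=198.51.100.10  # constructed: address on eth2

ip2int() {  # dotted quad -> 32-bit integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {  # in_cidr ADDR CIDR: success if ADDR lies inside CIDR
    addr=$(ip2int "$1"); net=$(ip2int "${2%/*}"); bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

cidr_within() {  # cidr_within SMALL BIG: every address of SMALL is in BIG
    in_cidr "${1%/*}" "$2" && [ "${1#*/}" -ge "${2#*/}" ]
}

cidr_overlap() {  # two CIDR blocks are either nested or disjoint
    in_cidr "${1%/*}" "$2" || in_cidr "${2%/*}" "$1"
}

# emit_snat LAN NLOCAL NE1 NE2: print the POSTROUTING rules, or fail loudly
emit_snat() {
    lan=$1; nlocal=$2; ne1=$3; ne2=$4
    if ! cidr_within "$lan" "$nlocal"; then
        echo "NLOCAL=$nlocal excludes LAN $lan: SNAT rules would never match" >&2
        return 1
    fi
    for ext in "$ne1" "$ne2"; do
        if cidr_overlap "$nlocal" "$ext"; then
            echo "NLOCAL=$nlocal intersects external net $ext" >&2
            return 1
        fi
    done
    echo "iptables -t nat -A POSTROUTING -o eth1 -s $nlocal -j SNAT --to $IPE1"
    echo "iptables -t nat -A POSTROUTING -o eth2 -s $nlocal -j SNAT --to $IPE2"
}

# constructed sample: LAN 192.168.1.0/24 on eth0, externals on eth1/eth2
emit_snat 192.168.1.0/24 192.168.0.0/16 203.0.113.0/24 198.51.100.0/24
```

The rules are only printed, so the output can be reviewed or piped into a shell once the checks pass.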

More information about the netfilter mailing list