iptables question

Ben Scott dragonhawk at gmail.com
Fri Mar 9 20:54:58 EST 2007


On 3/9/07, David A. Long <dave at jumpshift.com> wrote:
> The iptables NETMAP target looks like it might do this
> efficiently ...

  It may.  I don't know if NETMAP also invokes the connection tracking
and packet rewriting stuff or not.  If not, then protocols which need
to know about their own addresses (e.g., FTP) may get tripped up.

> But I cannot understand how the "source" IP address gets rewritten in the
> packet with this target.  The NETMAP documentation is very terse and never
> mentions the source address, only the destination.

  Well, I've never used NETMAP myself, but my guess is that the
address which should be rewritten (source or destination) would be
implied by whether the NETMAP target is being invoked from the
PREROUTING or POSTROUTING table.  If NETMAP is being invoked from the
PREROUTING table, then it should rewrite the destination address, so
the kernel can route the packet appropriately.  If NETMAP is being
invoked from the POSTROUTING table, then it should rewrite the source
address, so the other end sees the correct sender.

  If I'm right, the "--to" switch does not mean "host this packet is
going TO", but rather, "network to map traffic TO".  So your second
rule says to rewrite ${LAN_NET}.0/24 to ${WAN_NET}.0/24.

  Yah?

-- Ben
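The rule pair Ben sketches, written out as an added example that is not part of the thread. The networks 192.168.1.0/24 and 10.20.30.0/24 are constructed placeholders standing in for ${LAN_NET} and ${WAN_NET}, and `netmap_rules` / `mapped_address` are helpers written for this example. The chain placement follows the netfilter NETMAP semantics (nat table only; destination rewritten in PREROUTING, source rewritten in POSTROUTING, host bits preserved), so the rules are emitted as text for review rather than applied directly:

```shell
#!/bin/sh
# Added example: static 1:1 network mapping with the iptables NETMAP target.
# Placeholder networks (constructed for this example; substitute your own).
LAN_NET="192.168.1"   # stands in for ${LAN_NET} in the thread
WAN_NET="10.20.30"    # stands in for ${WAN_NET} in the thread

# Emit the two nat-table rules as text so they can be reviewed (or piped to
# `sh` as root) before a live firewall is touched. Which address NETMAP
# rewrites is decided by the chain, not by the --to argument:
#   PREROUTING  -> destination (so the kernel can route to the real LAN host)
#   POSTROUTING -> source      (so the peer sees the mapped WAN address)
# --to names the network being mapped TO; the host part of the address is kept.
netmap_rules() {
    lan="$1"; wan="$2"
    # inbound: a packet for WAN_NET.x becomes a packet for LAN_NET.x
    printf 'iptables -t nat -A PREROUTING -d %s.0/24 -j NETMAP --to %s.0/24\n' "$wan" "$lan"
    # outbound: a packet leaving from LAN_NET.x is seen by the peer as WAN_NET.x
    printf 'iptables -t nat -A POSTROUTING -s %s.0/24 -j NETMAP --to %s.0/24\n' "$lan" "$wan"
}

# What a given address looks like after a /24 NETMAP: the network prefix is
# swapped, the host octet is preserved. Addresses outside the mapped network
# pass through untouched. Useful for checking a rule set on paper.
mapped_address() {
    addr="$1"; from_net="$2"; to_net="$3"
    case "$addr" in
        "$from_net".*) echo "$to_net.${addr##*.}" ;;
        *)             echo "$addr" ;;
    esac
}

# Show the rules that would be applied, then two sample mappings.
netmap_rules "$LAN_NET" "$WAN_NET"
echo "inbound  to   $WAN_NET.42 -> $(mapped_address "$WAN_NET.42" "$WAN_NET" "$LAN_NET")"
echo "outbound from $LAN_NET.42 -> $(mapped_address "$LAN_NET.42" "$LAN_NET" "$WAN_NET")"
```

Two checks worth making before applying this on a real box: both networks must have the same prefix length, or NETMAP cannot map one-to-one, and because NETMAP lives in the nat table it goes through connection tracking like SNAT/DNAT does, so address-carrying protocols such as FTP still rely on the conntrack/NAT helper modules (nf_conntrack_ftp and nf_nat_ftp) being loaded to fix up addresses embedded in the control channel.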
