iptables - NAT table

Jeremy Fowler jfowler at westrope.com
Mon Jul 8 15:56:21 CDT 2002


> Hello:
>
> Can someone please clear my head on the nat table's
> SNAT, DNAT, MASQUERADE. I'm kind of confused.
>
> Please correct if wrong, this is what I understand
> about NAT assuming there's a LAN and a DMZ:
>
> When a packet comes in from the internet (external
> interface) requesting a web page (dport 80) I can
> forward this request to the web server in the DMZ like
> this:
>
> iptables -t nat -A PREROUTING -i <external interface>
> -dport 80 -j dnat --to-destination <dmz webserver>

Almost:
 iptables -t nat -A PREROUTING -i <external interface> -p tcp
 --dport 80 -j DNAT --to-destination <dmz webserver>
 (the --dport match needs -p tcp in front of it, and the target name DNAT is case-sensitive)

> iptables -t nat -A OUTPUT -o <internal interface> -j
> dnat --to-destination <dmz webserver>

Nope, don't need this one.

>
> is this correct?
> What is actually confusing me are the PREROUTING,
> POSTROUTING, and OUTPUT chains. Pre means before, when
> the packet comes into the external interface?

No, the packet _before_ it gets routed by the kernel.

> Post means after, after the router/firewall decides it is
> not intended for the localhost. Then, it prepares the
> packet to be sent to the server of this service.

Correct, after it has been routed by the kernel and filtered by the FORWARD
chain in the default table. It is passed through the POSTROUTING chain before it
goes out the interface.

> Please help me understand these chains since I am
> getting ready to start developing a firewall and I
> would like to understand what I'm doing...

#
# The Netfilter System:
#
# --->[PRE]------>[ROUTE]--->[FWD]-------->[POST]--->
#      Conntrack     |       Filter   ^    NAT (Src)
#      Mangle        |                |    Conntrack
#      NAT (Dst)     |             [ROUTE]
#      (QDisk)       V                |
#                  [IN] Filter      [OUT] Conntrack
#                    |  Conntrack     ^   Mangle
#                    |                |   NAT (Dst)
#                    V                |   Filter
#

>
> Thank you in advance for all your help.
>
>

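As an added example (not part of the original thread), the script below builds the rules for the LAN + DMZ layout discussed above, one per chain: DNAT in PREROUTING for the inbound web request, an ACCEPT in the filter table's FORWARD chain so the rewritten packet is not dropped on its way to the DMZ, and MASQUERADE in POSTROUTING for outbound LAN traffic. Interface and address values are assumed placeholders; with DRY_RUN=1 (the default) it prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the original poster's or the reply author's code.
# Assumed placeholder values; override them in the environment if needed.
EXT_IF="${EXT_IF:-eth0}"           # assumed: internet-facing interface
DMZ_WEB="${DMZ_WEB:-192.0.2.10}"   # assumed: DMZ web server (documentation range)
LAN_NET="${LAN_NET:-10.0.0.0/24}"  # assumed: internal LAN behind the firewall
DRY_RUN="${DRY_RUN:-1}"            # 1 = print the rules, 0 = run iptables

# Wrapper so the rules can be inspected without root or a netfilter kernel.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Inbound web traffic: rewrite the destination BEFORE routing, so the kernel
# routes the packet to the DMZ host instead of delivering it locally.
dnat_web_rule() {
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$DMZ_WEB"
}

# The DNAT'd packet then crosses FORWARD in the filter table; with a DROP
# policy there it would be silently discarded, so allow exactly this flow.
forward_web_rule() {
    ipt -A FORWARD -i "$EXT_IF" -d "$DMZ_WEB" -p tcp --dport 80 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Outbound LAN traffic: rewrite the source AFTER routing, just before the
# packet leaves the external interface. MASQUERADE is SNAT for a dynamic
# external address; use -j SNAT --to-source <ip> when the address is static.
masq_lan_rule() {
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j MASQUERADE
}

# No nat OUTPUT rule is needed: that chain only sees packets the firewall
# itself generates, not forwarded traffic.
apply_all() {
    dnat_web_rule
    forward_web_rule
    masq_lan_rule
}
```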



More information about the Kclug mailing list