* Re: Syntax/NAT OUTPUT
  2002-07-09 22:59 Syntax/NAT OUTPUT Tim
@ 2002-07-09 20:27 ` Antony Stone
  0 siblings, 0 replies; 3+ messages in thread
From: Antony Stone @ 2002-07-09 20:27 UTC (permalink / raw)
  To: iptables-list

On Tuesday 09 July 2002 11:59 pm, Tim wrote:

> Scenario: router eth0 to Fwall 192.168.2.2
>                Fwall eth0 from router 192.168.2.1
>                Fwall eth1 from DMZ 172.16.1.1
>                Fwall eth2 from LAN 192.168.1.1
>
> My understanding of concepts of filtering and nat
>
> Pinging from the router eth0 thru Fwall eth2 to LAN, it first goes through
> PREROUTING nat table then the filter INPUT----this is the path it takes to get
> to any box in the LAN .....yes ?

No.   Packets only go through the INPUT chain if they are addressed to the 
firewall itself.

If they are being routed through the firewall to something on the other side, 
they go through the FORWARD chain.

You're right about them going through PREROUTING first, though, and they also 
go through POSTROUTING afterwards.

> To get a reply from this ping it must go thru the NAT OUTPUT then filter
> OUTPUT.....this is my understanding of the return path for this ping from
> the router eth0.....is this correct so far ?

The OUTPUT chain is only for packets originating on the firewall itself, so 
unless you type the ping command on the firewall, the OUTPUT chains 
(filtering and nat) are not involved.

 

Antony.


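Antony's rule of thumb above, as an added example that is not part of the thread: a small Python model of which netfilter chains a packet traverses on Tim's firewall, using only the firewall addresses given in the scenario (the LAN host 192.168.1.10 is a constructed sample value). It also traces the echo-reply, which is what the question was really about: a reply to a forwarded ping is itself forwarded, so it never touches OUTPUT.

```python
# Added example, not from the thread: models netfilter chain traversal on
# Tim's firewall as Antony describes it. Firewall addresses are the ones
# given in the scenario; any other host address used here is constructed.
from dataclasses import dataclass
from typing import List, Tuple

FIREWALL_ADDRS = {"192.168.2.1", "172.16.1.1", "192.168.1.1", "127.0.0.1"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    local_origin: bool = False  # True only for packets generated on the firewall


def chain_path(pkt: Packet, firewall_addrs=FIREWALL_ADDRS) -> List[str]:
    """Ordered table:chain sequence this packet hits (no rule matching here)."""
    if pkt.local_origin:
        # Only locally generated packets ever see the OUTPUT chains.
        return ["nat:OUTPUT", "filter:OUTPUT", "nat:POSTROUTING"]
    path = ["nat:PREROUTING"]  # every packet arriving on an interface
    # The routing decision comes after PREROUTING (so after any DNAT).
    if pkt.dst in firewall_addrs:
        path.append("filter:INPUT")  # addressed to the box itself
    else:
        path += ["filter:FORWARD", "nat:POSTROUTING"]  # routed through
    return path


def ping_round_trip(src: str, dst: str) -> Tuple[List[str], List[str]]:
    """Chains hit by an echo-request src->dst and by its echo-reply dst->src."""
    request = Packet(src, dst, local_origin=src in FIREWALL_ADDRS)
    reply = Packet(dst, src, local_origin=dst in FIREWALL_ADDRS)
    return chain_path(request), chain_path(reply)


if __name__ == "__main__":
    cases = {
        "router -> LAN host (forwarded)": ("192.168.2.2", "192.168.1.10"),
        "router -> firewall eth0 (local)": ("192.168.2.2", "192.168.2.1"),
        "firewall -> router (local origin)": ("192.168.2.1", "192.168.2.2"),
    }
    for name, (s, d) in cases.items():
        req, rep = ping_round_trip(s, d)
        print(f"{name}\n  request: {' -> '.join(req)}\n  reply:   {' -> '.join(rep)}")
```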

* Syntax/NAT OUTPUT
@ 2002-07-09 22:59 Tim
  2002-07-09 20:27 ` Antony Stone
  0 siblings, 1 reply; 3+ messages in thread
From: Tim @ 2002-07-09 22:59 UTC (permalink / raw)
  To: iptables-list


Scenario: router eth0 to Fwall 192.168.2.2
               Fwall eth0 from router 192.168.2.1
               Fwall eth1 from DMZ 172.16.1.1  
               Fwall eth2 from LAN 192.168.1.1

My understanding of concepts of filtering and nat

Pinging from the router eth0 thru Fwall eth2 to LAN, it first goes through PREROUTING nat table then the filter INPUT----this is the path it takes to get to any box in the LAN .....yes ?

To get a reply from this ping it must go thru the NAT OUTPUT then filter OUTPUT.....this is my understanding of the return path for this ping from the router eth0.....is this correct so far ? If so what would be the syntax for the NAT OUTPUT in order to get an echo-reply. This is the portion of the script for my NAT configuration.

Mind, ppl, I just started learning this........any suggestion will most certainly be welcomed and appreciated...TIA...
 
--snip--

## PREROUTING ##
iptables -A PREROUTING -t nat -s 192.168.2.0/24 -d 192.168.1.0/24 -j DNAT --to 192.168.1.0
## POSTROUTING ##
iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -d 192.168.2.0/24 -j SNAT --to 192.168.2.0
#
## NAT OUTPUT ##
iptables -A OUTPUT -t nat -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
## It looks like this is where the problem is at, syntax ?? ##
#
#
## FORWARD traffic between INTERNAL and DMZ
iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## This should enable me to forward ping requests and replies universally.....yes...?? ##
#
## INPUT manage traffic coming into this box ##
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth2 -p icmp -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.2.2 -d 192.168.1.0/24 -p icmp -j ACCEPT
## I configured this in order to ping the eth0 on the router and it works fine.....this is where it stops, it has no way to reply to this packet hence forth my dilemma ##
#
## OUTPUT manage traffic going out of this box ##
#iptables -A OUTPUT -o eth2 -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT
#iptables -A OUTPUT -o eth2 -s 192.168.1.0/24 -p icmp --icmp-type echo-reply -j ACCEPT
#iptables -A OUTPUT -o eth1 -s 172.16.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT
#iptables -A OUTPUT -o eth1 -s 172.16.1.0/24 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -s 192.168.1.0/24 -j ACCEPT

--snip--

---
Tim Rodriguez -- Mia/Fla.
Network Security Student
---
I prefer to be a dreamer 
  among the humblest,
with visions to be realized,
than a lord among those without
  dreams and desires.



* RE: Syntax/NAT OUTPUT
@ 2002-07-09 21:58 George Vieira
  0 siblings, 0 replies; 3+ messages in thread
From: George Vieira @ 2002-07-09 21:58 UTC (permalink / raw)
  To: 'Tim', iptables-list


As Antony says, it passes straight through via the FORWARD chain..
 
Refer to this page for the diagram.. this helped me understand the way
packets traverse the rules immensely..
 
http://iptables-tutorial.haringstad.com/iptables-tutorial.html#TRAVERSINGOFTABLES
 

thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
http://www.citadelcomputer.com.au/

-----Original Message-----
From: Tim [mailto:twr@bellsouth.net]
Sent: Wednesday, 10 July 2002 9:00 AM
To: iptables-list
Subject: Syntax/NAT OUTPUT

[quoted copy of Tim's original message, already shown above, omitted]
