From: Ian Laurie <iml@zip.com.au>
To: netfilter@lists.netfilter.org
Subject: Re: Hi!
Date: Mon, 13 Jun 2005 00:55:14 +0000 [thread overview]
Message-ID: <1118624114l.11527l.2l@server.moose.blogdns.org> (raw)
In-Reply-To: <Pine.LNX.4.53.0506121914140.9775@altaica> (from tib@tigerknight.org on Mon Jun 13 10:26:35 2005)
On 06/13/2005 10:26:35 AM, Tib wrote:
> > > Caveat to what I just said - if you are doing masquerading behind a
> single
> > > IP, then you don't need to worry about the FORWARD ruleset. Only packets
> > > associated with connections that are being masqueraded will get sent on
> > > to internal networks - unless you have specific ports that are
> translated
> > > to internal services.
> >
> > Actually that isn't quite correct. With ip_forward on, network bridging
> is
> > enabled. Running NAT does not disable the bridging function. If a box on
> the
> > outside port sends a packet addressed to a box on the inside port, using
> the
> > firewall as its gateway, the packet will get through NAT. NAT runs on top
> > of the bridging function, so bridging still works, though only in one
> direction
> > since in the other direction packets will get NATed.
>
> Actually, it is 100% correct. Masquerading is a broad spectrum SNAT that
> will redirect return traffic associated with whatever it sends out back to
> the originating internal host. So if some new connection comes in to the
> external IP that isn't associated with any outbound connection, it hits
> the firewall and falls flat - this is why modules like ip_conntrack_ftp
> and ip_nat_ftp are necessary, and why dcc on irc clients tends to get
> borked, the list goes on.
Hi Tib,
We *may* be speaking at cross purposes. I agree with what you have said but
I am also correct. The issue is your statement "hits the firewall and falls
flat".
Your original paragraph doesn't make it clear to a beginner that you are
pre-supposing that there is a real firewall in place that will enforce NAT.
My point, that is also 100% correct, is that having a NAT rule alone does not
disable the bridging function.
The reality is that a lot of beginners "assume" that when they have NAT, their
internal addresses are unreachable from the outside and that simply isn't
the case with NAT alone (at least not with iptables under Linux).
That was the point I was making.
As for the rest of your post, you are forgetting the wider purpose of routers/
firewalls. For example, inside a company where you may have the
R&D department on one private address space, finance on another, etc., all
isolated with routers. In this scenario (which I work in) all you need to do
is use the "route" command to tell your machine where to send packets, and
suddenly private IP addresses are routable and *will* make it to the
firewall. Further, you can specifically allow certain machines (like mine)
to get through..... despite NAT in operation for all other packets.
That is, I can ssh etc. into boxes that sit behind NAT. I just wanted to make
the point that NAT alone doesn't prevent this, which wasn't obvious from your
post.
Ian
next prev parent reply other threads:[~2005-06-13 0:55 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-06-11 17:00 Hi! Billie Joe
2005-06-11 17:16 ` Hi! Tib
2005-06-11 17:56 ` Hi! Sadus .
2005-06-11 18:21 ` Hi! Tib
2005-06-11 18:22 ` Hi! Tib
2005-06-12 23:48 ` Hi! Ian Laurie
2005-06-13 0:26 ` Hi! Tib
2005-06-13 0:55 ` Ian Laurie [this message]
[not found] ` <1118623895l.11527l.1l@server.moose.blogdns.org>
2005-06-13 1:09 ` Hi! Tib
2005-06-13 1:27 ` FORWARD rules or not? (was: Re: Hi!) /dev/rob0
2005-06-13 1:47 ` Tib
2005-06-13 18:05 ` /dev/rob0
-- strict thread matches above, loose matches on Subject: below --
2023-03-31 9:16 Hi! pcrs1
2022-10-20 16:54 Hi ????????????????????????????????? mike williams
2020-10-30 15:49 Hi; gabrielthomas9010
2018-09-06 9:40 hi! zleachae-8Cmw1+NI3eNeoWH0uzbU5w
2018-09-04 20:53 hi! otre-8Cmw1+NI3eNeoWH0uzbU5w
2018-08-12 18:13 hi! audriafb-8Cmw1+NI3eNeoWH0uzbU5w
2015-12-11 19:43 Hi! Mr Guiya
2015-11-20 14:52 Hi , Stephane Hamelet
2015-11-20 14:52 ` Stephane Hamelet
2015-11-20 14:52 Stephane Hamelet
2014-10-13 9:39 Hi, ann ben
2013-10-26 4:15 Hi, John Reynolds
2013-10-26 5:04 ` Hi, Ben Greear
2012-12-06 17:18 Hi! Marketing Commucation
2012-12-06 17:18 Hi! Marketing Commucation
[not found] <20120329170349.Horde.RdBMRSoH6vhPdIflPy3mByA@correio.portugalmail.pt>
[not found] ` <CACeyogdBUoK-34Rxm_fzbw5OV75u8CiBSfzU=z5UUzv_RBvRQw@mail.gmail.com>
2012-03-31 6:04 ` hi, Kevin
2012-03-31 9:20 ` hi, Andreas Ericsson
2012-03-12 12:44 Hi, horia.geanta
2010-07-11 8:22 Hi! Мария Сергеева
2010-06-02 19:12 [RFC][PATCH 21/26] alsa: ASoC: Add JZ4740 ASoC support Lars-Peter Clausen
2010-06-03 12:48 ` Liam Girdwood
2010-06-03 16:50 ` Lars-Peter Clausen
2010-06-03 17:03 ` Liam Girdwood
2010-06-03 17:16 ` Lars-Peter Clausen
2010-06-03 17:25 ` Liam Girdwood
2010-06-03 18:14 ` [alsa-devel] " Troy Kisky
2010-11-14 13:29 ` hi!!!! dkisky
2009-10-14 20:36 Hi! Justin Yaple
2009-08-25 7:14 hi, Bill Xie
2009-08-11 8:28 hi, Bill Xie
2008-08-20 8:43 Hi! Eric Anopolsky
2008-08-20 18:25 ` Hi! Chris Mason
2008-08-21 10:47 ` Hi! Miguel Sousa Filipe
2008-08-24 7:02 ` Hi! Steve Long
2008-08-25 21:56 ` Hi! Miguel Sousa Filipe
2008-05-27 22:08 Hi ! Miss. Joysin Plany
2007-07-29 22:30 Hi! Kenya Vasquez
2007-07-12 22:08 Hi! Jaime Stinson
2007-07-09 10:12 Hi! Sandy Rojas
2007-06-03 16:21 Hi! Samantha
2007-04-07 17:02 Hi, ms joy
2007-04-07 17:01 Hi, ms joy
2007-04-07 16:59 Hi, ms joy
2007-04-07 16:59 Hi, ms joy
2006-08-20 17:48 HI! Doug Shultz
2006-08-20 17:48 HI! Doug Shultz
2006-03-11 15:27 HI ! Romero Ryan
2005-06-05 12:13 Hi!! Alberto Rossi
2005-06-05 8:27 Hi!! Alberto Rossi
2005-05-12 7:29 Hi! venkata ramesh
2004-11-25 13:09 Hi! naroth-qDHaf3XTt0D7Za/I2yyZNw
2003-07-14 18:33 Hi! Ferenc Kiraly
2003-07-14 19:29 ` Hi! Dieter Nützel
2001-06-16 10:37 Hi! Olga Georgieva
2000-03-14 14:19 Hi! Sebastien Articlaux
2000-03-14 21:05 ` Hi! Wolfgang Denk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1118624114l.11527l.2l@server.moose.blogdns.org \
--to=iml@zip.com.au \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.