POSTROUTING

POSTROUTING

[capsx]

Hello!

Is it possible in POSTROUTING as source to specify a chain:

f.e.

iptables -N LOCAL_NET
iptables -A INPUT -i eth1 -s 10.0.0.9 -j LOCAL_NET

iptables -t nat -A POSTROUTING -o eth0 -s LOCAL_NET -j SNAT --to ip.ad.re.ss

-- 

-[capsx]-

Re: POSTROUTING

[Alexis]

But, this is not right, LOCAL_NET is not a target, you need at least to
create a new chain called LOCAL_NET to use it as a target.

Im not shure if you can use a chain as a match.



On Wed, 2004-02-18 at 12:08, capsx wrote:
> Hello!
> 
> Is it possible in POSTROUTING as source to specify a chain:
> 
> f.e.
> 
> iptables -N LOCAL_NET
> iptables -A INPUT -i eth1 -s 10.0.0.9 -j LOCAL_NET
> 
> iptables -t nat -A POSTROUTING -o eth0 -s LOCAL_NET -j SNAT --to ip.ad.re.ss
-- 
Alexis <alexis@attla.net.ar>

Re: POSTROUTING

[capsx]

iptables -N LOCAL_NET <- new chain
iptables -A INPUT -i eth1 -s 10.0.0.9 -j LOCAL_NET <- add adress to 
chain LOCAL_NET

is there something wrong ?


-[capsx]-


Alexis wrote:
> But, this is not right, LOCAL_NET is not a target, you need at least to
> create a new chain called LOCAL_NET to use it as a target.
> 
> Im not shure if you can use a chain as a match.
> 
> 
> 
> On Wed, 2004-02-18 at 12:08, capsx wrote:
> 
>>Hello!
>>
>>Is it possible in POSTROUTING as source to specify a chain:
>>
>>f.e.
>>
>>iptables -N LOCAL_NET
>>iptables -A INPUT -i eth1 -s 10.0.0.9 -j LOCAL_NET
>>
>>iptables -t nat -A POSTROUTING -o eth0 -s LOCAL_NET -j SNAT --to ip.ad.re.ss

R: POSTROUTING

[giovanni costagliola]

??

try to explain what you mean.

*g

*g> -----Messaggio originale-----
*g> Da: netfilter-admin@lists.netfilter.org
*g> [mailto:netfilter-admin@lists.netfilter.org]Per conto di capsx
*g> Inviato: mercoledi 18 febbraio 2004 19.07
*g> A: Netfilter
*g> Oggetto: Re: POSTROUTING
*g> 
*g> 
*g> 
*g> iptables -N LOCAL_NET <- new chain
*g> iptables -A INPUT -i eth1 -s 10.0.0.9 -j LOCAL_NET <- add adress to 
*g> chain LOCAL_NET
*g> 
*g> is there something wrong ?
*g> 
*g> 
*g> -[capsx]-
*g> 
*g> 
*g> Alexis wrote:
*g> > But, this is not right, LOCAL_NET is not a target, you need at least to
*g> > create a new chain called LOCAL_NET to use it as a target.
*g> > 
*g> > Im not shure if you can use a chain as a match.
*g> > 
*g> > 
*g> > 
*g> > On Wed, 2004-02-18 at 12:08, capsx wrote:
*g> > 
*g> >>Hello!
*g> >>
*g> >>Is it possible in POSTROUTING as source to specify a chain:
*g> >>
*g> >>f.e.
*g> >>
*g> >>iptables -N LOCAL_NET
*g> >>iptables -A INPUT -i eth1 -s 10.0.0.9 -j LOCAL_NET
*g> >>
*g> >>iptables -t nat -A POSTROUTING -o eth0 -s LOCAL_NET -j SNAT --to ip.ad.re.ss
*g> 
*g> 

Re: POSTROUTING

[Antony Stone]

On Wednesday 18 February 2004 6:26 pm, capsx wrote:

> !
>
> I want as source to specify a chain
> not -s 10.0.0.0/27 but something like -s LOCAL_NET_CHAIN

You can't do that.   -s takes an address or network range.   -i takes an 
interface name.   You cannot specify anything else as the 'source' of a 
packet.

Tell us why you want to do this and we might be able to suggest an alternative 
(MARKing packets comes to mind, for example).

Regards,

Antony.

-- 
What is this talk of "software release"?
Our software evolves and matures until it is capable of escape, leaving a 
bloody trail of designers and quality assurance people in its wake.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: POSTROUTING

[capsx]

!

I want as source to specify a chain
not -s 10.0.0.0/27 but something like -s LOCAL_NET_CHAIN


-[capsx]-


giovanni costagliola wrote:

 > ??
 >
 > try to explain what you mean.
 >
 > *g
 >
 > *g> -----Messaggio originale-----
 > *g> Da: netfilter-admin@lists.netfilter.org
 > *g> [mailto:netfilter-admin@lists.netfilter.org]Per conto di capsx
 > *g> Inviato: mercoledi 18 febbraio 2004 19.07
 > *g> A: Netfilter
 > *g> Oggetto: Re: POSTROUTING
 > *g> *g> *g> *g> iptables -N LOCAL_NET <- new chain
 > *g> iptables -A INPUT -i eth1 -s 10.0.0.9 -j LOCAL_NET <- add adress 
to *g> chain LOCAL_NET
 > *g> *g> is there something wrong ?
 > *g> *g> *g> -[capsx]-
 > *g> *g> *g> Alexis wrote:
 > *g> > But, this is not right, LOCAL_NET is not a target, you need at 
least to
 > *g> > create a new chain called LOCAL_NET to use it as a target.
 > *g> > *g> > Im not shure if you can use a chain as a match.
 > *g> > *g> > *g> > *g> > On Wed, 2004-02-18 at 12:08, capsx wrote:
 > *g> > *g> >>Hello!
 > *g> >>
 > *g> >>Is it possible in POSTROUTING as source to specify a chain:
 > *g> >>
 > *g> >>f.e.
 > *g> >>
 > *g> >>iptables -N LOCAL_NET
 > *g> >>iptables -A INPUT -i eth1 -s 10.0.0.9 -j LOCAL_NET
 > *g> >>
 > *g> >>iptables -t nat -A POSTROUTING -o eth0 -s LOCAL_NET -j SNAT 
--to ip.ad.re.ss
 > *g> *g>
 >

Re: POSTROUTING

[Antony Stone]

On Wednesday 18 February 2004 11:45 pm, Arnt Karlsen wrote:

> On Wed, 18 Feb 2004 18:25:34 +0000,
> Antony Stone <Antony@Soft-Solutions.co.uk> wrote in message
>
> <200402181825.35022.Antony@Soft-Solutions.co.uk>:
> > On Wednesday 18 February 2004 6:26 pm, capsx wrote:
> > >
> > > I want as source to specify a chain
> > > not -s 10.0.0.0/27 but something like -s LOCAL_NET_CHAIN
> >
> > You can't do that.   -s takes an address or network range.   -i takes
> > an interface name.   You cannot specify anything else as the 'source'
> > of a packet.
>
> ..I suspect he means he wants " -s $LOCAL_NET " or somesuch, such
> variables needs first be defined like ' LOCAL_NET="10.0.0.0/27" ',
> for larger sites, it's possible to script these definitions, check the
> http://tldp.org/LDP/abs/html/ over at http://tldp.org/guides.html for
> ideas.

I guess you might be right - he may have a sufficiently complex set of 
internal network ranges that he's matching them in a user-defined chain, and 
then wants to perform later rules depending on whether that chain matched or 
not.

If that's the case, then I suggest to "capsx":

match the addresses in your local network and jump to a user-defined chain 
when a match occurs, then do what you want for local packets in the 
user-defined chain.

For example:

# create a user-defined chain for local packets
iptables -N LOCAL_NET
# match the three segments of our local network
iptables -A FORWARD -s 192.168.1.0/24 -j LOCAL_NET
iptables -A FORWARD -s 192.168.10.0/24 -j LOCAL_NET
iptables -A FORWARD -s 192.168.100.0/24 -j LOCAL_NET
# now process the packets which came from the local network/s
iptables -A LOCAL_NET -j LOG --log-prefix="Local packet: "
# packets which didn't come from the local network/s will never see
# the user-defined chain

Hope this gets the idea across?

Antony.

-- 
Christmas was an opportunity to upgrade to kernel 2.6 while no-one was around 
to notice the downtime.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: POSTROUTING

[Arnt Karlsen]

On Wed, 18 Feb 2004 18:25:34 +0000, 
Antony Stone <Antony@Soft-Solutions.co.uk> wrote in message 
<200402181825.35022.Antony@Soft-Solutions.co.uk>:

> On Wednesday 18 February 2004 6:26 pm, capsx wrote:
> 
> > !
> >
> > I want as source to specify a chain
> > not -s 10.0.0.0/27 but something like -s LOCAL_NET_CHAIN
> 
> You can't do that.   -s takes an address or network range.   -i takes
> an interface name.   You cannot specify anything else as the 'source'
> of a packet.
> 
> Tell us why you want to do this and we might be able to suggest an
> alternative 

..I suspect he means he wants " -s $LOCAL_NET " or somesuch, such
variables needs first be defined like ' LOCAL_NET="10.0.0.0/27" ', 
for larger sites, it's possible to script these definitions, check the 
http://tldp.org/LDP/abs/html/ over at http://tldp.org/guides.html for
ideas.

> (MARKing packets comes to mind, for example).

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.