Gentoo Forums
[iptables] null nat mapping
Forum: Networking & Security
Colin Lindo
n00b

Joined: 18 Feb 2003
Posts: 2

Posted: Tue Feb 18, 2003 9:47 pm    Post subject: [iptables] null nat mapping

hi all!

in the netfilter NAT HOWTO you can find a short description of the "null nat mapping" (6.3.2).

well, it says there that you can use the target "-j ACCEPT" to accept any connection without doing NAT on it.

i applied the following rule to one of my routers between two subnets (two NICs)..

#iptables -t nat -A POSTROUTING -o eth1 -j ACCEPT

..because i wanted to achieve just simple "packet forwarding", but it didn't work.

the usual "nat-rule"..

#iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to x.x.x.x

..works without problems.

thanks in advance for any explanation..

colin
jukka
Apprentice

Joined: 06 Jun 2002
Posts: 249
Location: Zurich, Switzerland

Posted: Wed Feb 19, 2003 12:16 am    Post subject: Re: [iptables] null nat mapping

hi colin,

Colin Lindo wrote:
i applied the following rule to one of my routers between two subnets (two NICs)..

#iptables -t nat -A POSTROUTING -o eth1 -j ACCEPT

..because i wanted to achieve just simple "packet forwarding", but it didn't work.

what does "didn't work" mean? what did you expect, and to what extent did the results differ from your expectations?

Quote:
the usual "nat-rule"..

#iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to x.x.x.x

..works without problems.

let me guess: at least one of your nodes does not know a route for at least one node on the opposite side of the router.

an example: let's assume you have four nodes (A, B, C and D) and three subnets (X, Y and Z). node A resides in subnet X, node C resides in subnet Y, node B connects (routes between) subnets X and Y, and node D connects subnets Y and Z. let's further assume that node B is node A's default gateway, and node D is node C's default gateway. let's compare source nat and null nat mappings:
  • SNAT
    node A wants to connect to node C. packets go from node A via node B to node C, and because node B alters the source address of every packet to an address for which node C knows a route (i.e. node B's address), response packets from node C find their way back to node B, where the destination address of every packet is altered to that of node A. packets are then sent back to node A.

  • NULL NAT
    node A wants to connect to node C. packets go from node A via node B to node C, and because node B does not alter the packets' source addresses, and node C does not know how to send packets to subnet X, response packets from node C are sent to its default gateway, which is node D. what happens then is not predictable without knowing how node D is configured, but assuming it's a properly set up router it should drop or reject (no holy wars about this one, please ;-)) the packet, because its source address does not belong to a directly connected subnet.

if you don't understand what i'm trying to say you could try this: set up a null nat mapping, run e.g. tcpdump on all nodes, and send packets from node A to node C. see where they end up...

hth, jukka


Last edited by jukka on Wed Feb 19, 2003 10:47 am; edited 2 times in total
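Jukka's two scenarios above, walked through in code as an added example (this is not code from the thread, from the netfilter NAT HOWTO or from iptables; the addresses 10.0.1.0/24 for X, 10.0.2.0/24 for Y and 10.0.3.0/24 for Z, the interface names and the port numbers are all made up for the example). Each node gets the routing table the post describes, B applies either SNAT or the null mapping (ACCEPT) in POSTROUTING on eth1, and the trace records where A's request and C's reply end up. A third run goes a step beyond the post and shows the fix it implies: with a route to subnet X added on C (or on D), the null mapping works and no translation is needed.

```python
# Added example (not from the thread): toy routing + NAT walk of jukka's A/B/C/D topology.
# Constructed addresses: X=10.0.1.0/24 (A .10, B eth0 .1), Y=10.0.2.0/24 (B eth1 .1, C .10, D eth0 .254), Z=10.0.3.0/24 (D eth1 .1).
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Optional

Packet = namedtuple("Packet", "src dst sport dport")
Route = namedtuple("Route", "dst via dev")  # via=None means directly connected; dst 0.0.0.0/0 is the default route

@dataclass
class Node:
    name: str
    addrs: dict                 # dev -> IPv4Interface
    routes: list
    nat: Optional[dict] = None  # B's POSTROUTING rule: {"dev": "eth1", "target": "SNAT" or "ACCEPT"}
    conntrack: dict = field(default_factory=dict)

    def owns(self, ip):
        return any(a.ip == ip for a in self.addrs.values())

    def lookup(self, ip):
        """Longest-prefix match over this node's routing table; None = no route."""
        hits = [r for r in self.routes if ip in r.dst]
        return max(hits, key=lambda r: r.dst.prefixlen) if hits else None

NODES = {}

def owner_of(ip):
    return next((n for n in NODES.values() if n.owns(ip)), None)

def build(nat_target, extra_routes=()):
    """nat_target is the -j target of B's 'iptables -t nat -A POSTROUTING -o eth1' rule."""
    NODES.clear()

    def add(name, ifaces, gw=None, nat=None):
        addrs = {d: ipaddress.ip_interface(a) for d, a in ifaces.items()}
        routes = [Route(a.network, None, d) for d, a in addrs.items()]
        if gw:  # single-homed hosts get a default route out eth0
            routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(gw), "eth0"))
        NODES[name] = Node(name, addrs, routes, nat)

    add("A", {"eth0": "10.0.1.10/24"}, gw="10.0.1.1")
    add("B", {"eth0": "10.0.1.1/24", "eth1": "10.0.2.1/24"}, nat={"dev": "eth1", "target": nat_target})
    add("C", {"eth0": "10.0.2.10/24"}, gw="10.0.2.254")
    add("D", {"eth0": "10.0.2.254/24", "eth1": "10.0.3.1/24"})  # knows Y and Z only, no default route
    for name, net, via, dev in extra_routes:
        NODES[name].routes.append(Route(ipaddress.ip_network(net), ipaddress.ip_address(via), dev))

def send(pkt, node, trace):
    """Walk pkt hop by hop. Returns (receiving node's name or None if dropped, the packet as last seen)."""
    for _ in range(16):  # hop limit standing in for the TTL
        if node.owns(pkt.dst):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key not in node.conntrack:
                trace.append(f"{node.name}: delivered {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
                return node.name, pkt
            orig_src, orig_sport = node.conntrack[key]  # reply to an SNATed flow: put the original address back
            trace.append(f"{node.name}: reply matches conntrack, un-SNAT dst {pkt.dst} -> {orig_src}")
            pkt = Packet(pkt.src, orig_src, pkt.sport, orig_sport)
        route = node.lookup(pkt.dst)
        if route is None:
            trace.append(f"{node.name}: no route to {pkt.dst}, dropped")
            return None, pkt
        if node.nat and node.nat["dev"] == route.dev and node.nat["target"] == "SNAT":
            new_src = node.addrs[route.dev].ip  # SNAT --to <own address on that interface>; ACCEPT changes nothing
            node.conntrack[(new_src, pkt.sport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            trace.append(f"{node.name}: SNAT src {pkt.src} -> {new_src} on {route.dev}")
            pkt = Packet(new_src, pkt.dst, pkt.sport, pkt.dport)
        nxt = owner_of(pkt.dst if route.via is None else route.via)
        if nxt is None:
            trace.append(f"{node.name}: next hop for {pkt.dst} is not on any link, dropped")
            return None, pkt
        trace.append(f"{node.name}: forward {pkt.src} -> {pkt.dst} out {route.dev} to {nxt.name}")
        node = nxt
    return None, pkt

def round_trip(nat_target, extra_routes=()):
    """A opens a connection to C:80; C answers the source address it saw.
    Returns (node that got the request, node that got the reply, hop trace)."""
    build(nat_target, extra_routes)
    trace = []
    req = Packet(ipaddress.ip_address("10.0.1.10"), ipaddress.ip_address("10.0.2.10"), 40000, 80)
    req_end, seen = send(req, NODES["A"], trace)
    if req_end != "C":
        return req_end, None, trace
    rep_end, _ = send(Packet(seen.dst, seen.src, seen.dport, seen.sport), NODES["C"], trace)
    return req_end, rep_end, trace

if __name__ == "__main__":
    route_on_c = (("C", "10.0.1.0/24", "10.0.2.1", "eth0"),)  # 'ip route add 10.0.1.0/24 via 10.0.2.1' on C
    for label, target, extra in [("SNAT on B", "SNAT", ()), ("null mapping", "ACCEPT", ()),
                                 ("null mapping + return route on C", "ACCEPT", route_on_c)]:
        req_end, rep_end, trace = round_trip(target, extra)
        print(f"== {label}: request reached {req_end}, reply reached {rep_end}")
        print("\n".join("   " + line for line in trace))
```

On a real box the equivalent check is `ip route get <A's address>` on C and on D, plus `tcpdump -ni <iface>` on each hop as jukka suggests: the null mapping only works when the route lookup succeeds in both directions. Two other things the nat table's ACCEPT does not cover: packet forwarding must be switched on (net.ipv4.ip_forward) and the FORWARD chain of the filter table must let the traffic through; the nat table only decides whether the first packet of a connection gets translated.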
Colin Lindo
n00b

Joined: 18 Feb 2003
Posts: 2

Posted: Wed Feb 19, 2003 8:28 am    Post subject: Re: [iptables] null nat mapping

thanks a lot jukka,

now i've got the point!

p.s. i think you made a little node mistake in your explanation. here is the corrected version (changes are bold):

jukka wrote:
an example: let's assume you have four nodes (A, B, C and D) and three subnets (X, Y and Z). node A resides in subnet X, node C resides in subnet Y, node B connects (routes between) subnets X and Y, and node D connects subnets Y and Z. let's further assume that node C is node A's default gateway, and node D is node B's default gateway. let's compare source nat and null nat mappings:
jukka
Apprentice

Joined: 06 Jun 2002
Posts: 249
Location: Zurich, Switzerland

Posted: Wed Feb 19, 2003 10:42 am    Post subject: Re: [iptables] null nat mapping

Colin Lindo wrote:
p.s. i think you made a little node mistake in your explanation. here is the corrected version

you're right. there were even more errors. i think i was too tired ;-) (i applied the changes to my post)