Re: [Jwall-developers] problems with nat
From: <jw...@sc...> - 2003-11-12 08:29:45
Hello zack,

On Tue, 11 Nov 2003 22:28:12 -0500 zack <za...@th...> wrote:
> I don't understand. I am probably missing something you are saying, but
> it hasn't hit me yet. But I've had a couple beers, so it might be
> obvious to everyone but me... :-)
>
> If for some reason you are doing a double NAT (BOTH src and dest),
> theoretical of course, but I have had to do that in production before,
> then I don't see the problem with the dport being modified twice. If
> either the SNAT or the DNAT modify it, or both, the dport is still 80.

After modifying the destination port in the PREROUTING chain, the
POSTROUTING chain will never match since it looks for the unchanged
destination port.

> My point is that if I change x = 80, then I change x = 80, it is still 80.
>
> Perhaps this will add some overhead to iptables and the NAT state table.
> I could definitely see that happening, as it is one more thing to
> track. But I have yet to see a linux firewall cpu or memory bound.

This is very unlikely to happen. My firewall is a P133 with 64MB memory
and the system is 90% idle.

>
> Jörg Schütter wrote:
>
> >Hi all
> >
> >I discovered a problem with the nat rules, but I'm not sure what the
> >best solution for this problem is.
> >Assume we have the following situation (this situation is more academic
> >than real):
> >We have a NAT rule which says:
> >Orig Source: A1 (10.0.0.1)
> >Orig Dest: A2 (10.0.0.2)
> >Orig Service: http
> >Xlated Source: B1 (192.168.0.1)
> >Xlated Dest: B2 (192.168.0.2)
> >Xlated service: telnet
> >
> >The script lines generated by jwall are:
> >/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.1 -d 10.0.0.2 -p 6 \
> > --destination-port 80 -j SNAT --to-source 172.16.0.1:23
> >/sbin/iptables -t nat -A PREROUTING -s 10.0.0.1 -d 10.0.0.2 -p 6 \
> > --destination-port 80 -j DNAT --to-dest 172.16.0.2:23
> >
> >The destination port must only be modified once. Which is the best place
> >for doing this? I think this depends on the access rule which controls
> >this traffic.
> >What do you think would be the source, the destination and the service
> >of such a rule?
> >
> >     Source       Destination   Service
> >[1]  10.0.0.1     10.0.0.2      80
> >[2]  10.0.0.1     10.0.0.2      23
> >[3]  10.0.0.1     192.168.0.2   80
> >[4]  10.0.0.1     192.168.0.2   23
> >[5]  192.168.0.1  10.0.0.2      80
> >[6]  192.168.0.1  10.0.0.2      23
> >[7]  192.168.0.1  192.168.0.2   80
> >[8]  192.168.0.1  192.168.0.2   23
> >
> >
> >Jörg
>

Jörg
--
Jörg Schütter      http://www.lug-untermain.de/
jo...@sc...        http://www.schuetter.org/joerg/
ICQ: 298982789     http://mypenguin.bei.t-online.de/
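The ordering problem Jörg describes (PREROUTING/DNAT runs before the routing decision, POSTROUTING/SNAT after it, so a POSTROUTING rule keyed on the original destination port never sees a packet that DNAT has already rewritten) can be checked without a root shell by modelling the nat-table traversal. The following is an added example, not code from jwall or from the iptables project: it simulates first-match rule evaluation for the two rule sets, the pair generated by jwall as quoted in the mail, and an assumed corrected pair whose SNAT rule matches the packet as it looks after DNAT (translated destination 172.16.0.2:23) and leaves the source port alone. The `Packet`/`Rule` classes, the ephemeral source port 40000 and the `FIXED_RULES` set are constructed for the illustration.

```python
"""Model of netfilter nat-table traversal for a forwarded packet.

Added example; it does not call iptables, it only reproduces the match
and rewrite semantics needed to show why the quoted SNAT rule never fires.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int
    sport: int = 40000  # constructed ephemeral client port


@dataclass(frozen=True)
class Rule:
    chain: str                  # "PREROUTING" (DNAT) or "POSTROUTING" (SNAT)
    src: str                    # -s
    dst: str                    # -d
    proto: int                  # -p
    dport: int                  # --destination-port
    target: str                 # "DNAT" or "SNAT"
    to_addr: str                # address part of --to-destination / --to-source
    to_port: Optional[int] = None  # optional port part of the --to-* argument


def matches(rule: Rule, pkt: Packet) -> bool:
    """All match fields must agree with the packet as it looks when the chain runs."""
    return (rule.src == pkt.src and rule.dst == pkt.dst
            and rule.proto == pkt.proto and rule.dport == pkt.dport)


def run_chain(chain: str, rules: List[Rule], pkt: Packet) -> Tuple[Packet, Optional[Rule]]:
    """Walk one nat chain; the first matching rule rewrites the packet and terminates."""
    for rule in rules:
        if rule.chain != chain or not matches(rule, pkt):
            continue
        if rule.target == "DNAT":
            port = rule.to_port if rule.to_port is not None else pkt.dport
            return replace(pkt, dst=rule.to_addr, dport=port), rule
        port = rule.to_port if rule.to_port is not None else pkt.sport
        return replace(pkt, src=rule.to_addr, sport=port), rule
    return pkt, None


def traverse(rules: List[Rule], pkt: Packet) -> Tuple[Packet, bool, bool]:
    """Order netfilter applies: PREROUTING, routing decision, POSTROUTING."""
    pkt, dnat = run_chain("PREROUTING", rules, pkt)
    # The routing decision (and the filter FORWARD chain) sit here and already
    # see the DNATed destination; POSTROUTING matches on that rewritten packet.
    pkt, snat = run_chain("POSTROUTING", rules, pkt)
    return pkt, dnat is not None, snat is not None


# Rule set exactly as jwall generated it in the mail: both rules keyed on dport 80.
JWALL_RULES = [
    Rule("POSTROUTING", "10.0.0.1", "10.0.0.2", 6, 80, "SNAT", "172.16.0.1", 23),
    Rule("PREROUTING",  "10.0.0.1", "10.0.0.2", 6, 80, "DNAT", "172.16.0.2", 23),
]

# Assumed correction (not from the mail): the SNAT rule matches the post-DNAT tuple.
FIXED_RULES = [
    Rule("PREROUTING",  "10.0.0.1", "10.0.0.2",   6, 80, "DNAT", "172.16.0.2", 23),
    Rule("POSTROUTING", "10.0.0.1", "172.16.0.2", 6, 23, "SNAT", "172.16.0.1"),
]

# Constructed packet: A1 talking http to A2, as in the mail's scenario.
ORIGINAL = Packet(src="10.0.0.1", dst="10.0.0.2", proto=6, dport=80)


def demo() -> dict:
    """Run both rule sets over the same packet and report what was rewritten."""
    return {
        "jwall": traverse(JWALL_RULES, ORIGINAL),
        "fixed": traverse(FIXED_RULES, ORIGINAL),
    }


if __name__ == "__main__":
    for name, (pkt, dnat_hit, snat_hit) in demo().items():
        print(f"{name:5s} DNAT={dnat_hit!s:5s} SNAT={snat_hit!s:5s} "
              f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

With the quoted rules the DNAT fires and the SNAT does not, so the packet leaves with its real source 10.0.0.1 and the translated destination 172.16.0.2:23; with the corrected pair both fire. The same effect on a live box shows up as a zero packet counter on the POSTROUTING rule in `iptables -t nat -L POSTROUTING -v`, which is the check worth running whenever SNAT and DNAT are generated for the same flow.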