[Jwall-developers] Re: problems with nat
From: <jw...@sc...> - 2003-11-12 13:47:25
Hello Developers

On Tue, 11 Nov 2003 17:33:44 +0100 Jörg Schütter <jw...@sc...> wrote:
> Hi all
> 
> I discovered a problem with the nat rules, but I'm not sure what the
> best solution for this problem is.
> Assume we have the following situation (this situation is more academic
> than real):
> We have a NAT rule which says:
> Orig Source: A1 (10.0.0.1)
> Orig Dest: A2 (10.0.0.2)
> Orig Service: http
> Xlated Source: B1 (192.168.0.1)
> Xlated Dest: B2 (192.168.0.2)
> Xlated service: telnet
> 
> The script lines generated by jwall are:
> /sbin/iptables -t nat -A POSTROUTING -s 10.0.0.1 -d 10.0.0.2 -p 6 \
> --destination-port 80 -j SNAT --to-source 172.16.0.1:23
> /sbin/iptables -t nat -A PREROUTING -s 10.0.0.1 -d 10.0.0.2 -p 6 \
> --destination-port 80 -j DNAT --to-dest 172.16.0.2:23
> 
> The destination port must only be modified once. Which is the best place
> for doing this? I think this depends on the access rule which controls
> this traffic.
> What do you think would be the source, the destination and the service
> of such a rule?

I should reread my mails before sending them to the world.

Since the filter table is checked after the PREROUTING and before the
POSTROUTING chain, we only have options 3 and 4.

>     Source     Destination   Service
> [3] 10.0.0.1   192.168.0.2   80
> [4] 10.0.0.1   192.168.0.2   23

What do you think would be the choice of a user when selecting the
service to permit?

Instead of building the nat rules based on ip parameters, we could also
build these rules on MARK flags. In the mangle table of the PREROUTING
chain we could mark these packets (the mark value is a 16-bit integer).
I think we can also use this mark value in the filter chain, but I don't
have any idea how to make this feature transparent to the user in the
gui.

Jörg

-- 
Jörg Schütter                    http://www.lug-untermain.de/
jo...@sc...                      http://www.schuetter.org/joerg/
ICQ: 298982789                   http://mypenguin.bei.t-online.de/
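The mail's two questions (where the port translation belongs, and what a filter rule sees) come down to the order in which netfilter hooks run: nat/PREROUTING (DNAT) before filter/FORWARD, nat/POSTROUTING (SNAT) after it. The Python below is an added example and not jwall code: it emits the iptables lines for the rule above with the port rewritten once, in the DNAT, and walks the connection's first packet through the hooks to show the 5-tuple the filter table matches on. It also emits the MARK variant Jörg proposes. The rule-dict layout, the function names and the mark value 1 are assumptions for this example; the addresses and ports are the ones from the mail.

```python
"""Model of where a NAT rule's translations land in netfilter.

Added example (not jwall code).  Only the first packet of a connection
traverses the nat table; conntrack applies the same mapping to the rest,
so the walk below models that first packet.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int
    mark: int = 0


# The NAT rule from the mail, in a dict layout assumed for this example.
NAT_RULE = {
    "orig_src": "10.0.0.1", "orig_dst": "10.0.0.2", "orig_port": 80,
    "xlated_src": "192.168.0.1", "xlated_dst": "192.168.0.2", "xlated_port": 23,
    "proto": 6,
}


def _match(src, dst, proto, port):
    return f"-s {src} -d {dst} -p {proto} --destination-port {port}"


def generate_nat_rules(rule, mark=None):
    """Return the iptables lines for one NAT rule.

    The destination port is rewritten exactly once, in the PREROUTING DNAT;
    the POSTROUTING SNAT rewrites the source address only.  With `mark`
    set, the packet is classified once in mangle/PREROUTING and the nat
    rules match the mark instead of repeating the IP parameters.
    """
    r = rule
    orig = _match(r["orig_src"], r["orig_dst"], r["proto"], r["orig_port"])
    if mark is None:
        # After the PREROUTING DNAT the packet already carries the translated
        # destination, so POSTROUTING must match on that, not on the original.
        after_dnat = _match(r["orig_src"], r["xlated_dst"], r["proto"], r["xlated_port"])
        return [
            f"/sbin/iptables -t nat -A PREROUTING {orig} "
            f"-j DNAT --to-destination {r['xlated_dst']}:{r['xlated_port']}",
            f"/sbin/iptables -t nat -A POSTROUTING {after_dnat} "
            f"-j SNAT --to-source {r['xlated_src']}",
        ]
    # Mark 0 is the unmarked default, so a usable mark is 1..0xFFFF
    # (the mail treats the mark as a 16-bit value).
    if not 1 <= mark <= 0xFFFF:
        raise ValueError("mark must be in 1..65535")
    return [
        f"/sbin/iptables -t mangle -A PREROUTING {orig} -j MARK --set-mark {mark}",
        f"/sbin/iptables -t nat -A PREROUTING -m mark --mark {mark} "
        f"-j DNAT --to-destination {r['xlated_dst']}:{r['xlated_port']}",
        f"/sbin/iptables -t nat -A POSTROUTING -m mark --mark {mark} "
        f"-j SNAT --to-source {r['xlated_src']}",
    ]


def walk_forwarded_packet(pkt, rule, mark=None):
    """Walk one forwarded packet through the hooks in traversal order and
    record how it looks at each one.  Returns {hook name: Packet}."""
    r = rule
    seen = {}
    is_orig = (pkt.src, pkt.dst, pkt.proto, pkt.dport) == (
        r["orig_src"], r["orig_dst"], r["proto"], r["orig_port"])
    if mark is not None and is_orig:          # mangle/PREROUTING: MARK
        pkt = replace(pkt, mark=mark)
    seen["mangle/PREROUTING"] = pkt
    selected = (pkt.mark == mark) if mark is not None else is_orig
    if selected:                              # nat/PREROUTING: DNAT
        pkt = replace(pkt, dst=r["xlated_dst"], dport=r["xlated_port"])
    seen["nat/PREROUTING"] = pkt
    seen["filter/FORWARD"] = pkt              # what an access rule must match
    if selected:                              # nat/POSTROUTING: SNAT
        pkt = replace(pkt, src=r["xlated_src"])
    seen["nat/POSTROUTING"] = pkt
    return seen


def filter_view(rule, mark=None):
    """(src, dst, dport) as seen by the filter table for the rule's own flow."""
    first = Packet(rule["orig_src"], rule["orig_dst"], rule["proto"], rule["orig_port"])
    p = walk_forwarded_packet(first, rule, mark)["filter/FORWARD"]
    return (p.src, p.dst, p.dport)


if __name__ == "__main__":
    for line in generate_nat_rules(NAT_RULE) + generate_nat_rules(NAT_RULE, mark=1):
        print(line)
    print("filter table sees:", filter_view(NAT_RULE))
```

Run stand-alone, the walk reports that the filter table sees 10.0.0.1 → 192.168.0.2 port 23, i.e. the translated destination and service but the still-untranslated source, which is the shape of option [4] in the mail. The MARK variant gives the same packet view; it only changes what the nat rules match on, and a filter rule could match `-m mark --mark 1` in the same way.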