[CLUE-Tech] iptables NAT question on RedHat 7.1

Dave Anselmi anselmi at americanisp.net
Sat Oct 20 21:22:55 MDT 2001


jason at matchingmoms.com wrote:

> Thanks, Dave.
>
> I wanted to follow up on the first part of your comments.  My physical setup
> is below.  Could you explain, in more detail, why it is a problem to use the
> same hub to route all of these boxes together?  I would think the hub
> wouldn't care that all are on the same subnet; it just looks at the packets
> and finds some ethernet card which matches the front of the packets?

Well, let's see.  You're right that the hub doesn't care.  The hub doesn't even
look at ethernet addresses - all packets that come in go back out on all wires
and it's up to the cards to do the ethernet packets.  Switches are a little
different, but the result is mostly the same.  (Network diagram at end for
reference.)

Here's what you want to happen (s and d represent source and dest addresses in
each packet):

browser                     firewall                         server
  ---- s 192.168.0.101 --->  DNAT  ---- s 192.168.0.4   --->
       d 192.168.0.4         SNAT       d 192.168.0.200

  <--- s 192.168.0.4   ----  SNAT  <--- s 192.168.0.200 ----
       d 192.168.0.101                  d 192.168.0.4

Note that to get the first packet to the server with the firewall's source
address, you need SNAT in that direction, as well as DNAT.  Otherwise the source
address is the browser's and that is where the reply will go.

Here's what happens in your setup:

browser                     firewall                         server
  ---- s 192.168.0.101 --->  DNAT  ---- s 192.168.0.101 --->
       d 192.168.0.4                    d 192.168.0.200

  <--- s 192.168.0.200 ---- bypassed! <--- s 192.168.0.200 ----
       d 192.168.0.101                     d 192.168.0.101
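The following is an added example, not code from the original thread, that simulates the two packet flows drawn above with the thread's addresses (browser 192.168.0.101, firewall 192.168.0.4, server 192.168.0.200, all on one hub). The firewall model applies a DNAT rule and, optionally, the SNAT rule the reply says is missing; the conntrack table and the "reply goes wherever its destination address says" behaviour are simplified assumptions about how the kernel's NAT works, and the iptables rules in the docstring use standard syntax with port 80 chosen as an assumed service since the thread does not name one.

```python
"""Simulate hairpin NAT on a single hub: DNAT alone vs DNAT + SNAT.

The Firewall class models these two iptables rules (standard syntax;
the service port 80 is an assumption, the original thread names none):

  iptables -t nat -A PREROUTING  -d 192.168.0.4   -p tcp --dport 80 \
           -j DNAT --to-destination 192.168.0.200
  iptables -t nat -A POSTROUTING -d 192.168.0.200 -p tcp --dport 80 \
           -j SNAT --to-source 192.168.0.4

Addresses come from the thread; the rest is a constructed, simplified model.
"""
from dataclasses import dataclass

BROWSER = "192.168.0.101"   # client host from the thread
FIREWALL = "192.168.0.4"    # NAT box from the thread
SERVER = "192.168.0.200"    # real server from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Firewall:
    """Minimal model of the nat table plus the conntrack entry it creates."""

    def __init__(self, snat: bool) -> None:
        self.snat = snat
        # (post-NAT src, post-NAT dst) -> (original src, original dst)
        self.conntrack: dict[tuple[str, str], tuple[str, str]] = {}

    def forward(self, pkt: Packet) -> Packet:
        """Translate a packet the browser sent to the firewall's address."""
        # PREROUTING DNAT: point the packet at the real server.
        dst = SERVER if pkt.dst == FIREWALL else pkt.dst
        # POSTROUTING SNAT (only if configured): make the firewall the source,
        # so the server's reply comes back through the firewall.
        src = FIREWALL if (self.snat and dst == SERVER) else pkt.src
        self.conntrack[(src, dst)] = (pkt.src, pkt.dst)
        return Packet(src, dst)

    def reverse(self, reply: Packet) -> Packet:
        """Undo both translations on a reply that matches a conntrack entry."""
        orig_src, orig_dst = self.conntrack[(reply.dst, reply.src)]
        return Packet(src=orig_dst, dst=orig_src)


def server_reply(pkt: Packet) -> Packet:
    """The server answers whatever source address it saw on the request."""
    return Packet(src=SERVER, dst=pkt.src)


def exchange(snat: bool) -> dict:
    """Run one request/reply round trip and report what the browser sees."""
    fw = Firewall(snat)
    request = Packet(BROWSER, FIREWALL)
    to_server = fw.forward(request)
    reply = server_reply(to_server)
    # On a shared hub every host sees every frame, but only the host whose
    # address is in the destination field processes it. The firewall only
    # gets to reverse-NAT the reply if the reply is addressed to it.
    bypassed = reply.dst != FIREWALL
    if not bypassed:
        reply = fw.reverse(reply)
    # The browser's TCP stack accepts the reply only if its source is the
    # address the browser originally sent to (the firewall).
    accepted = reply.dst == BROWSER and reply.src == request.dst
    return {
        "to_server": to_server,
        "reply": reply,
        "bypassed": bypassed,
        "accepted": accepted,
    }


if __name__ == "__main__":
    for snat in (False, True):
        r = exchange(snat)
        print(f"SNAT={snat}: server sees {r['to_server']}, "
              f"browser receives {r['reply']}, "
              f"bypassed firewall={r['bypassed']}, accepted={r['accepted']}")
```

Running it shows the failure mode in the thread's second diagram: without SNAT the server replies straight to 192.168.0.101 with source 192.168.0.200, the firewall never sees the reply, and the browser discards it because it is waiting on 192.168.0.4. With SNAT the reply is addressed to the firewall, conntrack restores the original addresses, and the browser accepts it.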
