Brian Henning wrote:
<snip>
and vice versa. If someone else out there knows of a way to make
this work via iptables alone, I'd be mighty interested in it, because
I can't come up with a way, and it sure feels like there should be one.
What about having one of the rules in PREROUTING and one in
POSTROUTING? Such as the DNAT rule in the PREROUTING chain and the
SNAT rule in the POSTROUTING chain (all in the nat table)? According
to this (
http://www.linuxhomenetworking.com/wiki/images/f/f0/Iptables.gif ) it
looks like packets do go through both PRE and POST chains in the nat
table before being passed back out an interface.. Though that seems
deceptively simple enough to figure that Joyner must have already
thought of it and figured out why it wouldn't work..
To quote from the snipped part of the message:
You can do either one with the DNAT or SNAT targets in iptables,
respectively. Unfortunately, both of these targets terminate rule
processing and immediately deliver your packet on its merry way, out
the interface.
And later in the same paragraph:
Some people seem to be suggesting that you can just use an additional
SNAT to fix the problem (and believe me, it seemed logical before
reading the iptables man page, and I did try - oh did I try), but my
testing proves out that this simply does not work. Once the packet
matches the DNAT rule, you get no more opportunity to match any
appropriate SNAT rules, and vice versa.
One of the generally common concepts across *NIX based firewalling
systems (iptables on Linux, pf on OpenBSD, ipfw2 on FreeBSD, etc) is a
"terminating rule". Basically, when you match such a given rule target,
that's the end of the processing, and the packet stops traversing the
firewall ruleset entirely, and is written to the interface. Both SNAT
and DNAT, according to the man page and all of my testing, are
terminating rules. Thus, they can't be combined w/o some crazy magic
that I don't think exists in iptables. At least with ipfw2 in FreeBSD,
I know there's a nerd knob* for 'continue processing rules after any
terminating match', but I don't know of any such option for iptables (I
didn't look too hard, though).
Let it be said that I'm a died in the wool Linux fan...
Aaron died in the wool? That's tragic! When's the funeral?
;-)
Hmm... even spell check couldn't save me from that one. :)
Aaron S. Joyner
* - http://www.catb.org/jargon/html/N/nerd-knob.html
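Added example, not part of this thread or of iptables itself: a small Python model of the nat-table traversal shown in the diagram Brian links, where a forwarded packet passes the PREROUTING hook and then the POSTROUTING hook. The model encodes one assumption, that a terminating target (DNAT, SNAT, ACCEPT) ends traversal of the chain it sits in and the packet then continues to the next hook. The addresses are constructed RFC 1918 / RFC 5737 documentation values, and the helper names (Packet, Rule, traverse_nat, hairpin_example, same_chain_example) are this example's own. The first scenario places a DNAT rule in PREROUTING and an SNAT rule in POSTROUTING; the second places two DNAT rules in the same chain to show that, under this model, the second one is never consulted once the first terminates the chain.

```python
"""Toy model of nat-table traversal: PREROUTING hook, then POSTROUTING hook.

Constructed example. Addresses are RFC 1918 / RFC 5737 documentation values.
Assumption: a terminating target ends only the chain it lives in; the packet
still proceeds to the next hook.
"""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str                 # "DNAT", "SNAT", "ACCEPT" or "RETURN"
    to: Optional[str] = None    # rewritten address for DNAT / SNAT


# Targets that stop traversal of the chain they live in (model assumption).
TERMINATING = {"DNAT", "SNAT", "ACCEPT"}


def run_chain(name: str, rules: List[Rule], pkt: Packet, trace: List[str]) -> Packet:
    """Walk one chain top to bottom; stop at the first terminating match."""
    for idx, rule in enumerate(rules):
        if not rule.match(pkt):
            continue
        if rule.target == "DNAT":
            pkt = replace(pkt, dst=rule.to)
        elif rule.target == "SNAT":
            pkt = replace(pkt, src=rule.to)
        trace.append(f"{name}[{idx}] {rule.target}")
        if rule.target in TERMINATING:
            break                     # remaining rules in this chain are skipped
    return pkt


def traverse_nat(prerouting: List[Rule], postrouting: List[Rule],
                 pkt: Packet) -> Tuple[Packet, List[str]]:
    """Model the nat-table hooks a forwarded packet hits, in order."""
    trace: List[str] = []
    pkt = run_chain("PREROUTING", prerouting, pkt, trace)
    # The routing decision sits between the two hooks in the real stack;
    # it is elided here because it does not rewrite addresses.
    pkt = run_chain("POSTROUTING", postrouting, pkt, trace)
    return pkt, trace


# Constructed addresses: router's public side, internal web server, router's LAN side.
PUBLIC_IP, SERVER, ROUTER_LAN = "203.0.113.5", "192.168.1.20", "192.168.1.1"


def hairpin_example() -> Tuple[Packet, List[str]]:
    """LAN client -> public IP:80; DNAT in PREROUTING, SNAT in POSTROUTING."""
    pre = [Rule(lambda p: p.dst == PUBLIC_IP and p.dport == 80, "DNAT", SERVER)]
    post = [Rule(lambda p: p.dst == SERVER and p.src.startswith("192.168.1."),
                 "SNAT", ROUTER_LAN)]
    return traverse_nat(pre, post, Packet("192.168.1.10", PUBLIC_IP, 80))


def same_chain_example() -> Tuple[Packet, List[str]]:
    """Two DNAT rules in one chain: the second is shadowed by the first."""
    pre = [
        Rule(lambda p: p.dport == 80, "DNAT", SERVER),
        Rule(lambda p: p.dst == SERVER, "DNAT", "192.168.1.99"),  # never reached
    ]
    return traverse_nat(pre, [], Packet("198.51.100.7", PUBLIC_IP, 80))


if __name__ == "__main__":
    for fn in (hairpin_example, same_chain_example):
        result, steps = fn()
        print(fn.__name__, result, steps)
```

The trace list is the useful part when reasoning about a ruleset: it records which chain and which rule index rewrote the packet, which is the same information a practitioner would look for in the packet/byte counters of `iptables -t nat -L -v -n` when checking whether a rule is ever hit.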
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/