Re: NAT and packets from localhost

From: Krishnakumar. R (krishnakumar@naturesoft.net)
Date: Fri Jan 24 2003 - 02:14:14 EST


Hi,

This is what I think.

You are dropping all incoming packets to your firewall,
other than LAN packets.
So all the replies from the external net are also dropped.

While doing NAT you are not processing packets
at the input, so you are able to connect
to the outside world from the LAN.

You need to accept packets at your INPUT hook
to process replies from the external world.
You can go for stateful filtering for security.

If I am wrong (any one) please correct me.

Hope it helps.
Regards
KK

On Friday 24 January 2003 09:29 am, Rindolf wrote:
> Hi. This is probably a configuration problem, but I'm not sure. It
> seems strange. I have a home lan using the 192.168.0.0/24 addresses
> behind a firewall machine using NAT. The NAT works just fine, it seems
> to be able to keep track of connections, even replies to udp packets
> are handled correctly. However, replies to packets sent from the
> machine itself, not using NAT, are blocked by the packet filter. This
> is of course very inconvenient, as I can't do anything from this
> computer that talks to the internet. I can't figure out what's wrong.
> I'm using kernel 2.4.10. Perhaps this is a bug that has since been
> fixed? I hope this is an appropriate place to ask this.
>
> $outaddr is the outside address.
>
> #iptables -t filter -L -n
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0
> ACCEPT     all  --  0.0.0.0              0.0.0.0/0      # I put this in to allow dhcp requests.
> LD         all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain LD (1 references)
> target     prot opt source               destination
> LOG        all  --  0.0.0.0/0            0.0.0.0/0      LOG flags 0 level 4
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>
> #iptables -t nat -L -n
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy DROP)
> target     prot opt source               destination
> SNAT       all  --  192.168.0.0/24       0.0.0.0/0      to:$outaddr
> ACCEPT     all  --  $outaddr             0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
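The diagnosis in the reply above, as an added illustration that is not part of the thread: a toy model of the quoted filter table that shows why replies to NATed LAN connections pass (they are routed, so they hit FORWARD with policy ACCEPT) while replies to connections the firewall itself opened are delivered locally, hit INPUT, and are dropped; a stateful ESTABLISHED/RELATED rule in INPUT fixes that without opening INPUT to unsolicited traffic. The addresses, the `Packet.reply` flag standing in for conntrack state, and the placeholder for `$outaddr` are all constructed assumptions.

```python
from dataclasses import dataclass

LAN_PREFIX = "192.168.0."
OUTADDR = "203.0.113.5"        # constructed placeholder for $outaddr
EXTERNAL = "198.51.100.7"      # constructed external host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    reply: bool   # True if conntrack already knows this connection (reply direction)


def chain_for(pkt: Packet) -> str:
    # A packet addressed to the firewall's own address is delivered locally
    # and traverses INPUT; anything else is routed and traverses FORWARD.
    # Replies to SNATed LAN connections are un-NATed in PREROUTING before the
    # filter table sees them, so their dst is the LAN host, not $outaddr.
    return "INPUT" if pkt.dst == OUTADDR else "FORWARD"


def input_original(pkt: Packet) -> str:
    # Chain INPUT (policy DROP), exactly as listed in the quoted post
    if pkt.src.startswith(LAN_PREFIX):
        return "ACCEPT"
    if pkt.src == "0.0.0.0":            # the dhcp rule
        return "ACCEPT"
    return "DROP"                       # LD chain: LOG, then DROP


def input_stateful(pkt: Packet) -> str:
    # The suggested fix: '-m state --state ESTABLISHED,RELATED -j ACCEPT'
    # placed first in INPUT, so only conntrack-known replies are let in.
    if pkt.reply:
        return "ACCEPT"
    return input_original(pkt)


def verdict(pkt: Packet, input_chain) -> str:
    # FORWARD has policy ACCEPT and no rules, so routed packets always pass.
    if chain_for(pkt) == "FORWARD":
        return "ACCEPT"
    return input_chain(pkt)


def scenarios(input_chain) -> dict:
    return {
        "reply to NATed LAN connection": verdict(Packet(EXTERNAL, "192.168.0.10", True), input_chain),
        "reply to firewall's own connection": verdict(Packet(EXTERNAL, OUTADDR, True), input_chain),
        "unsolicited packet to firewall": verdict(Packet(EXTERNAL, OUTADDR, False), input_chain),
    }
```

Running `scenarios(input_original)` reproduces the poster's symptom (the firewall's own replies are dropped while the LAN is unaffected); `scenarios(input_stateful)` accepts those replies but still drops unsolicited inbound packets.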



This archive was generated by hypermail 2b29 : Fri Jan 31 2003 - 22:00:01 EST