IPTABLES help

Could someone tell me what this line, that's been added to my router  
configuration at some stage, might be for:

iptables -t nat -I POSTROUTING -o <wan interface> eth1 -j SNAT --to <wan ip>

Thanks.

--  

Brian Gregory (in the UK).
To email me please remove all the letter vee from my email address.

Re: IPTABLES help
Drat, of course I meant:

iptables -t nat -I POSTROUTING -o <wan interface> -j SNAT --to <wan ip>

Thanks.

--  

Brian Gregory (in the UK).
To email me please remove all the letter vee from my email address.

Re: IPTABLES help
On Sun, 15 Nov 2015, in the Usenet newsgroup comp.security.firewalls, in article

Stuff happens  ;-)

http://www.netfilter.org/documentation/HOWTO/

   [TXT] NAT-HOWTO.txt 05-Oct-2012 10:33 25K

Section 6.1

   6.1.  Source NAT

  You want to do Source NAT; change the source address of connections to
  something different.  This is done in the POSTROUTING chain, just
  before it is finally sent out; this is an important detail, since it
  means that anything else on the Linux box itself (routing, packet
  filtering) will see the packet unchanged.  It also means that the `-o'
  (outgoing interface) option can be used.

  Source NAT is specified using `-j SNAT', and the `--to-source' option
  specifies an IP address, a range of IP addresses, and an optional port
  or range of ports (for UDP and TCP protocols only).

       ## Change source addresses to 1.2.3.4.
       # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

The whole HOWTO is about 700 lines

        Old guy

Re: IPTABLES help
On 15/11/2015 17:34, Moe Trin wrote:

Thanks. I must try and read up on this stuff thoroughly some time.

I think I see why it might have been added, see my reply to 'Burkhard  
Ott' below.

--  

Brian Gregory (in the UK).
To email me please remove all the letter vee from my email address.

Re: IPTABLES help
On Sun, 15 Nov 2015 03:39:24 +0000, Brian Gregory wrote:

All outgoing traffic is source natted with the IP of eth1.  

Re: IPTABLES help
On 15/11/2015 15:51, Burkhard Ott wrote:

Didn't mean to type eth1 there, just <wan interface>. It's the WAN port.  
I think it's actually ppp0, not eth1. Though eth1 is the PPPoE  
connection going to the modem.

Is this perhaps making it so that all outgoing packets have the correct  
from IP, so that I can't unwittingly be part of, say, a botnet that is  
spoofing the source IP of outgoing packets?

Though I'm not sure that would work through NAT anyway.

--  

Brian Gregory (in the UK).
To email me please remove all the letter vee from my email address.

Re: IPTABLES help
On Tue, 17 Nov 2015 00:32:49 +0000, Brian Gregory wrote:

Well then it should be ppp0, and you should then see a ppp0 interface too if  
you do an ip a l.

What? If that would be a modification from malware, then you'd have a  
much bigger problem, since these rules need to be set by root.

Why not? It's just IP.

cheers

Re: IPTABLES help
On 17/11/2015 02:09, Burkhard Ott wrote:

No.

I mean maybe that line was added by someone to make it impossible for us  
to be part of a botnet, or whatever, that is sending packets with a  
spoofed from address?

--  

Brian Gregory (in the UK).
To email me please remove all the letter vee from my email address.

Re: IPTABLES help
On 11/17/2015 08:28 AM, Brian Gregory wrote:

That rule doesn't prevent you from participating in a bot net.  It  
simply overrides the source address, making it so that you can't spoof  
your source IP.  You can still participate in a bot net, just with your  
real external IP.



--  
Grant. . . .
unix || die
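
The two technical points in this thread, Moe Trin's HOWTO quote (filter chains run before POSTROUTING and see the untranslated packet, and `-o` selects only traffic leaving via the WAN interface) and Grant Taylor's observation that SNAT overrides the source address rather than blocking anything, can be seen in a small model of the packet path. The following is an added illustration written for this thread, not netfilter code and not from any poster; the interface names (ppp0, eth0), the WAN address 203.0.113.7 and the LAN prefix 192.168.1. are constructed assumptions, and the conntrack table is a toy that does not remap source ports on collision.

```python
"""Toy model of the netfilter path described in NAT-HOWTO section 6.1:
filter/FORWARD runs first and sees the original source, then nat/POSTROUTING
applies SNAT only to packets leaving via the WAN interface.  Illustration
written for this thread; names and addresses below are constructed."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

WAN_IF = "ppp0"            # assumed: the thread suggests the WAN port is ppp0
LAN_IF = "eth0"            # assumed LAN-side interface name
WAN_IP = "203.0.113.7"     # constructed public address (RFC 5737 range)
LAN_PREFIX = "192.168.1."  # constructed LAN range


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    out_if: str


# conntrack-like table so replies can be mapped back to the LAN host,
# keyed on the translated 4-tuple (toy: no port remapping on collision)
_conntrack: Dict[Tuple[str, int, str, int], str] = {}


def forward_chain(pkt: Packet) -> bool:
    """Stand-in for filter/FORWARD.  It runs before SNAT, so it sees the real
    source.  Accept-all here, to show that the SNAT rule by itself never
    blocks a packet, it only rewrites the source address."""
    return True


def postrouting_snat(pkt: Packet) -> Packet:
    """Model of: iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to <wan ip>"""
    if pkt.out_if != WAN_IF:
        return pkt                       # e.g. LAN-to-LAN traffic is untouched
    _conntrack[(WAN_IP, pkt.sport, pkt.dst, pkt.dport)] = pkt.src
    return replace(pkt, src=WAN_IP)


def egress(pkt: Packet) -> Tuple[str, Optional[Packet]]:
    """Run a forwarded packet through FORWARD, then POSTROUTING.
    Returns (source address the filter chain saw, packet as it hits the wire)."""
    seen_by_filter = pkt.src
    if not forward_chain(pkt):
        return seen_by_filter, None
    return seen_by_filter, postrouting_snat(pkt)


def ingress_reply(reply: Packet) -> Optional[Packet]:
    """Reverse mapping: a reply addressed to WAN_IP is rewritten back to the
    LAN host that opened the flow; replies for unknown flows yield None."""
    key = (reply.dst, reply.dport, reply.src, reply.sport)
    orig = _conntrack.get(key)
    return replace(reply, dst=orig) if orig else None


def anti_spoof_forward(pkt: Packet) -> bool:
    """What an actual anti-spoofing check looks like: it belongs in FORWARD,
    before NAT, where the real source is still visible.  Only sources from
    the LAN range are allowed to be forwarded."""
    return pkt.src.startswith(LAN_PREFIX)


if __name__ == "__main__":
    normal = Packet("192.168.1.20", "198.51.100.5", 40000, 443, WAN_IF)
    seen, wire = egress(normal)
    print(f"filter saw {seen}, wire carries {wire.src}")
    spoofed = Packet("10.9.9.9", "198.51.100.5", 40001, 443, WAN_IF)
    seen, wire = egress(spoofed)
    print(f"filter saw {seen}, wire carries {wire.src} (rewritten, not dropped)")
    print("anti-spoof check in FORWARD would accept it:", anti_spoof_forward(spoofed))
```

The spoofed packet is not dropped by the SNAT rule; it simply leaves with the router's real WAN address, which is exactly Grant's point. If the intent is to stop a LAN host from emitting bogus sources, the check goes in the filter table (FORWARD, or a source-address match before the NAT step), where the model's anti_spoof_forward shows the original address is still available.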

Re: IPTABLES help
On 19/11/2015 03:55, Grant Taylor wrote:

That's what I said.

--  

Brian Gregory (in the UK).
To email me please remove all the letter vee from my email address.

Re: IPTABLES help
This makes your internet work in your internal network if you don't
have routable IP addresses for it.

Greetings
Marc
--  
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mail address in header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834