Hi Cory

On Mon, Mar 12, 2001 at 10:38:34AM -0800, Cory Petkovsek wrote:
> Hi Michael, thanks.
>
> I understand how subnetting works, but perhaps not other
> things (apparently). I did this:
> privateIP = "10.0.0.0/24"
> So I could match, anything that starts with a 10.

No. That would only match 10.0.0.anything, not 10.anything. (i.e. it
would NOT match 10.1.2.3 or 10.0.5.6 etc.) See below for details.

> I believe (please check me if I'm wrong) that ip packets do
> not carry a subnet with them, just ip addresses. Meaning

That is correct. This isn't really about subnets, though.

> !$privateIP should match 10.0.0.5 and 10.1.0.5, regardless of
> the subnets the machines are configured with.

Nope :) You're right that it doesn't depend on the subnets the machines
are configured with, but that doesn't make 10.0.0.0/24 match
10.anything :)

> [snip]
>
> > > # Private net 1: SNAT to outside
> > > iptables -t nat -A POSTROUTING -s $intnet1 -d ! $privateIP -j SNAT \
> > > --to-source $extip
> > >
> > > # Private net 2: SNAT to outside
> > > iptables -t nat -A POSTROUTING -s $intnet2 -d ! $privateIP -j SNAT \
> > > --to-source $extip
> > > I thought the above rules explicitly stated: "Anything coming
> > > from 10.0.x (intnet1) going to anywhere but 10.x SNAT to
> >
> > No, it's going to anywhere but 10.0.0.x.
>
> A packet without subnet information should match those rules, right?
> -s 10.0.0.0/8 or -s 10.0.0.0/16 or -s 10.0.0.0/24
> should all match a packet with a source of 10.0.0.5,
> regardless of subnet mask. Or am I way off base?

10.0.0.0/8 will match 10.0.0.5, or 10.1.0.5 (or 10.255.255.5 etc.)

10.0.0.0/16 will match 10.0.0.5, but NOT 10.1.0.5. (It WILL match
10.0.255.5, though.)

10.0.0.0/24 will match 10.0.0.5, but NOT 10.1.0.5 or even 10.0.255.5.
It will ONLY match 10.0.0.x, where x is in the range 0 - 255.

10.0.0.0 in binary is:

00001010.00000000.00000000.00000000

/24 means the first three octets are significant in the packet you're
trying to match.

10.0.0.5 in binary is:

00001010.00000000.00000000.00000101

The first 24 bits of that are:

00001010.00000000.00000000

The first 24 bits of 10.0.0.0 are the same, therefore the packet matches.

Now, let's check 10.1.0.5.

In binary, this is:

00001010.00000001.00000000.00000101

The first 24 bits of this (because of the /24 again) are:

00001010.00000001.00000000

This is NOT the same as the first 24 bits of 10.0.0.0. Therefore the
packet does NOT match.

Now, let's try a rule with 10.0.0.0/8 instead of /24.

IP       -> binary                              -> first 8
10.0.0.0 -> 00001010.00000000.00000000.00000000 -> 00001010
10.0.0.5 -> 00001010.00000000.00000000.00000101 -> 00001010
10.1.0.5 -> 00001010.00000001.00000000.00000101 -> 00001010

These are all the same, therefore both packets match the rule.

Does it make sense now? i.e. you should change your

privateIP = "10.0.0.0/24"

to

"10.0.0.0/8"

Hope that helps.

-- 
Michael Wood        | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
[EMAIL PROTECTED]   | Fax: +27 21 761 9930 | Kingsley Technologies
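As an added worked example (not part of the original email or of iptables), here is the prefix comparison Michael walks through, implemented in Python: it builds the netmask from the /N prefix length and compares only the masked bits, exactly as netfilter does for `-s`/`-d`. The `snat_applies` helper and the sample addresses are my own, chosen to show what the `-d ! $privateIP` negation does with /24 versus /8.

```python
# Added example: CIDR matching as done by iptables -s/-d, and the effect of
# the "-d ! $privateIP" negation from the thread. Not code from the email.
from typing import List, Tuple


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer (raises on malformed input)."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value


def to_binary(addr: str) -> str:
    """Render an address as dotted binary octets, in the email's notation."""
    n = ip_to_int(addr)
    return ".".join(f"{(n >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def cidr_match(addr: str, cidr: str) -> bool:
    """True if the first <prefix> bits of addr equal those of the network."""
    network, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {cidr}")
    # /24 -> 0xFFFFFF00, /16 -> 0xFFFF0000, /8 -> 0xFF000000, /0 -> 0
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return (ip_to_int(addr) & mask) == (ip_to_int(network) & mask)


def matching_rules(addr: str, cidrs: List[str]) -> List[Tuple[str, bool]]:
    """Evaluate one packet address against several -s/-d CIDR arguments."""
    return [(c, cidr_match(addr, c)) for c in cidrs]


def snat_applies(dst: str, private_net: str) -> bool:
    """Hypothetical helper: does 'POSTROUTING -d ! private_net -j SNAT' fire?"""
    return not cidr_match(dst, private_net)


if __name__ == "__main__":
    rules = ["10.0.0.0/8", "10.0.0.0/16", "10.0.0.0/24"]  # constructed sample
    for pkt in ["10.0.0.5", "10.0.255.5", "10.1.0.5", "192.168.1.1"]:
        print(pkt, to_binary(pkt))
        for cidr, hit in matching_rules(pkt, rules):
            print(f"  {cidr:12} {'MATCH' if hit else 'no match'}")
    # With privateIP=10.0.0.0/24, traffic to 10.1.0.5 gets SNATed; with /8 not.
    print(snat_applies("10.1.0.5", "10.0.0.0/24"), snat_applies("10.1.0.5", "10.0.0.0/8"))
```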

