On 3/9/07, David A. Long <[EMAIL PROTECTED]> wrote:
> The iptables NETMAP target looks like it might do this
> efficiently ...

 It may.  I don't know if NETMAP also invokes the connection tracking
and packet rewriting stuff or not.  If not, then protocols which need
to know about their own addresses (e.g., FTP) may get tripped up.

> But I cannot understand how the "source" IP address gets rewritten in the
> packet with this target.  The NETMAP documentation is very terse and never
> mentions the source address, only the destination.

 Well, I've never used NETMAP myself, but my guess is that the
address which should be rewritten (source or destination) would be
implied by whether the NETMAP target is being invoked from the
PREROUTING or POSTROUTING table.  If NETMAP is being invoked from the
PREROUTING table, then it should rewrite the destination address, so
the kernel can route the packet appropriately.  If NETMAP is being
invoked from the POSTROUTING table, then it should rewrite the source
address, so the other end sees the correct sender.

 If I'm right, the "--to" switch does not mean "host this packet is
going TO", but rather, "network to map traffic TO".  So your second
rule says to rewrite ${LAN_NET}.0/24 to ${WAN_NET}.0/24.

 Yah?

-- Ben
_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
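As an added illustration (not part of the thread), here is a small POSIX shell script that computes the 1:1 address translation NETMAP performs (network bits swapped, host bits kept) and prints, without executing, the PREROUTING/POSTROUTING rule pair the reply describes. The networks 192.168.1.0/24 and 203.0.113.0/24 are assumed placeholders standing in for ${LAN_NET} and ${WAN_NET}; the address arithmetic generalizes beyond the /24 in the thread to any prefix length.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumed placeholder networks (documentation ranges, not real deployments):
LAN_NET="192.168.1.0/24"   # hosts behind the box
WAN_NET="203.0.113.0/24"   # block they appear as on the outside

# Dotted quad -> 32-bit integer and back (shell arithmetic is at least 32 bits wide).
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmap_addr IP FROM_NET/LEN TO_NET/LEN
# Reproduces what NETMAP does to one address: if IP lies inside FROM_NET, replace the
# network bits with TO_NET's and keep the host bits; otherwise print IP unchanged.
netmap_addr() {
  ip=$(ip2int "$1")
  from=$(ip2int "${2%/*}"); to=$(ip2int "${3%/*}"); len=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  if [ $(( ip & mask )) -ne $(( from & mask )) ]; then
    echo "$1"            # not in the mapped network: NETMAP would not touch it
    return 0
  fi
  int2ip $(( (to & mask) | (ip & ~mask & 0xFFFFFFFF) ))
}

# netmap_rules LAN_NET WAN_NET
# Prints the rule pair. In the nat table, NETMAP in PREROUTING rewrites the
# destination (WAN block -> LAN block, before routing) and in POSTROUTING rewrites
# the source (LAN block -> WAN block, after routing); --to names the network
# mapped TO in each direction. Printed only, so it can be reviewed before use.
netmap_rules() {
  printf '%s\n' "iptables -t nat -A PREROUTING -d $2 -j NETMAP --to $1"
  printf '%s\n' "iptables -t nat -A POSTROUTING -s $1 -j NETMAP --to $2"
}

# Walk one host through both directions to show the host part is preserved.
inbound_dst=$(netmap_addr 203.0.113.37 "$WAN_NET" "$LAN_NET")   # 192.168.1.37
outbound_src=$(netmap_addr 192.168.1.37 "$LAN_NET" "$WAN_NET")  # 203.0.113.37
echo "inbound  dst 203.0.113.37 -> $inbound_dst"
echo "outbound src 192.168.1.37 -> $outbound_src"
netmap_rules "$LAN_NET" "$WAN_NET"
```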