Hi,
I'm seeing something strange that I do not understand. According to
iptables documentation[1], port forwarding rules are defined on the
PREROUTING chain in the nat table, and masquerading rules are defined
on the POSTROUTING chain also in the nat table (plus the needed
additional rules in chain FORWARD in the filter table). I'm testing a
simple scenario:
An OpenSUSE 12.3 server with two interfaces, one connected to the
192.168.1.0/24 (external) network on eth0, and one connected to the
192.168.10.0/24 (internal) network on eth1:
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
If I define:
FW_FORWARD_MASQ="192.168.1.102,192.168.10.111,tcp,2222,22"
I will correctly see the rule created on PREROUTING:
Chain PREROUTING (policy ACCEPT 8 packets, 869 bytes)
 pkts bytes target  prot opt in    out   source         destination
    1    60 DNAT    tcp  --  eth0  *     192.168.1.102  0.0.0.0/0    tcp dpt:2222 to:192.168.10.111:22
The same happens for masquerading for this rule:
FW_MASQ_NETS="192.168.10.0/24,0/0"
I will correctly see the rule created on POSTROUTING:
Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target      prot opt in    out   source           destination
    6   395 MASQUERADE  all  --  *     eth0  192.168.10.0/24  0.0.0.0/0
BUT, if both variables are defined at the same time, an additional
rule in the POSTROUTING chain will be created for the port forwarding
rule defined in FW_FORWARD_MASQ. Look at this:
Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target      prot opt in    out   source           destination
    6   395 MASQUERADE  all  --  *     eth0  192.168.10.0/24  0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *     eth0  192.168.1.102    0.0.0.0/0    tcp dpt:22
Now there's an additional masquerading rule (the second one) for the
external host 192.168.1.102. Note that that host is on the network
connected to the firewall on eth0, and the output interface is also
eth0, with the destination port of the port forwarding rule in
FW_FORWARD_MASQ. This doesn't make any sense to me; is this correct?
Why does that rule appear only when both FW_MASQ_NETS and FW_FORWARD_MASQ
are defined and not when only the latter is defined? Both rules work
OK, I'm just wondering why that extra rule, which doesn't seem to have
any use, is there.
[1] http://netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html
Cheers,
--
JLB
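As an added example that is not part of the post above and not SuSEfirewall2's own code, the POSIX shell script below renders the iptables commands that the FW_FORWARD_MASQ and FW_MASQ_NETS values from the post correspond to (the DNAT rule in nat/PREROUTING, the MASQUERADE rule in nat/POSTROUTING, and a pair of filter/FORWARD rules whose exact shape is an assumption), and audits an iptables-save dump for POSTROUTING MASQUERADE rules whose source network is not the one configured in FW_MASQ_NETS, which is exactly the extra rule the post asks about. The iptables-save excerpt is constructed to mirror the third listing.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2 code: render the iptables commands that the
# FW_* values from the post correspond to, and flag MASQUERADE rules in an
# iptables-save dump whose source is not a configured FW_MASQ_NETS network.
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_FORWARD_MASQ="192.168.1.102,192.168.10.111,tcp,2222,22"
FW_MASQ_NETS="192.168.10.0/24,0/0"

# forward_masq_rules "src,dst,proto,extport,intport": DNAT in nat/PREROUTING
# plus the two filter/FORWARD rules (assumed shape) that let the flow through.
forward_masq_rules() {
    e=$1
    src=${e%%,*}; e=${e#*,}; dst=${e%%,*}; e=${e#*,}
    proto=${e%%,*}; e=${e#*,}; extport=${e%%,*}; intport=${e#*,}
    echo "iptables -t nat -A PREROUTING -i $FW_DEV_EXT -p $proto -s $src --dport $extport -j DNAT --to-destination $dst:$intport"
    echo "iptables -A FORWARD -i $FW_DEV_EXT -o $FW_DEV_INT -p $proto -s $src -d $dst --dport $intport -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $FW_DEV_INT -o $FW_DEV_EXT -p $proto -s $dst -d $src --sport $intport -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# masq_net_rules "net,dest": MASQUERADE in nat/POSTROUTING on the external device.
masq_net_rules() {
    net=${1%%,*}; dest=${1#*,}
    [ "$dest" = "0/0" ] && dest="0.0.0.0/0"
    echo "iptables -t nat -A POSTROUTING -o $FW_DEV_EXT -s $net -d $dest -j MASQUERADE"
}

# unexpected_masq: read iptables-save text on stdin and print every POSTROUTING
# MASQUERADE rule whose -s is not the network configured in FW_MASQ_NETS.
unexpected_masq() {
    allowed=${FW_MASQ_NETS%%,*}
    grep -- '-A POSTROUTING .*-j MASQUERADE' | while read -r line; do
        src=$(printf '%s\n' "$line" | sed -n 's/.*-s \([^ ]*\).*/\1/p')
        [ "$src" = "$allowed" ] || printf '%s\n' "$line"
    done
}

# Constructed iptables-save excerpt mirroring the third listing in the post.
SAMPLE_SAVE='*nat
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.102/32 -o eth0 -p tcp -m tcp --dport 22 -j MASQUERADE
COMMIT'

forward_masq_rules "$FW_FORWARD_MASQ"
masq_net_rules "$FW_MASQ_NETS"
echo "Unexpected MASQUERADE rules:"
printf '%s\n' "$SAMPLE_SAVE" | unexpected_masq
```

On a live box, replace the constructed excerpt with `iptables-save -t nat | unexpected_masq` to list any POSTROUTING masquerade rule the FW_MASQ_NETS setting does not account for.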