Re: iptables 1.2.7a "iptables-save" bug?

From: William Bertram (magic.johnson@cox.net)
Date: 11/28/02


From: William Bertram <magic.johnson@cox.net>
Date: Thu, 28 Nov 2002 22:32:13 GMT

As I understand it, all of the actual packet filtering for masquerading is
done on the FORWARD chain of the FILTER table. That's what it says in
the "packet filtering how-to" at www.netfilter.org anyway.

Is there a need to modify the default policies on the NAT and MANGLE
tables if just using the following command for masq :

$iptables -t nat -A POSTROUTING -o $inet -j MASQUERADE

?

"D. Stussy" <kd6lvw@bde-arc.ampr.org> wrote in
news:Pine.LNX.4.44.0211260215410.16929-100000@exp.bde-arc.ampr.org:

> On Mon, 25 Nov 2002, William Bertram wrote:
>>"D. Stussy" <kd6lvw@bde-arc.ampr.org> wrote in
>>news:Pine.LNX.4.44.0211242207230.16158-100000@exp.bde-arc.ampr.org:
>>
>>>
>>> The fact that you redefine your firewall by using iptables instead
>>> of using iptables-restore may have something to do with it.
>>>
>
> OK, but as I said, no default policy for the nat table chains.
>
>>The NAT part is at the bottom of the script :
>>
>>#NAT rules-------------------------------------------------------------------
>>#Set up Masquerading
>>$iptables -t nat -A POSTROUTING -o $inet -j MASQUERADE
>>
>>
>>I'm not redefining my firewall, I'm just using iptables-save to write
>>"running config to startup config" like with a cisco router. My
>>expectation was that if I have a working running config, and then run
>>iptables-save > /etc/sysconfig/iptables, that I would have the same
>>working configuration when the computer boots. Is that not a correct
>>assumption?
>
> Assuming that one does an "iptables-restore </etc/sysconfig/iptables"
> in the boot-up scripts somewhere, yes.
>
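
Added example, not part of the original posts: a small parser for iptables-save output that lists each table's chain policies and rules, and compares a running dump against a saved file while ignoring comments and packet counters. The sample dumps are constructed; eth0 stands in for $inet, eth1 is an assumed LAN interface, and the function names are hypothetical.

```python
import re

# Constructed sample in iptables-save format (not taken from the thread).
# eth0 stands in for the poster's $inet; eth1 is an assumed LAN interface.
RUNNING = """\
*nat
:PREROUTING ACCEPT [12:720]
:POSTROUTING ACCEPT [3:180]
:OUTPUT ACCEPT [3:180]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [40:2400]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""
# Constructed saved file: filter table only, with different counters.
SAVED = "*filter" + RUNNING.split("*filter", 1)[1].replace("[40:2400]", "[0:0]")

def parse(dump):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}."""
    tables, cur = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):            # "*nat" opens a table section
            cur = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif cur is None:
            raise ValueError("line outside a table: " + line)
        elif line.startswith(":"):          # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            cur["policies"][chain] = policy
        else:
            # Drop the "[pkts:bytes] " prefix that iptables-save -c adds.
            cur["rules"].append(re.sub(r"^\[\d+:\d+\]\s*", "", line))
    return tables

def diff(running, saved):
    """List differences between two dumps; rule order within a table counts."""
    a, b = parse(running), parse(saved)
    out = [f"table {t} only in {'running' if t in a else 'saved'}"
           for t in sorted(set(a) ^ set(b))]
    for t in sorted(set(a) & set(b)):
        out += [f"{t}: {k} differ" for k in ("policies", "rules") if a[t][k] != b[t][k]]
    return out

print("\n".join(diff(RUNNING, SAVED)))
```

On a live system the two inputs would be the output of iptables-save and the contents of /etc/sysconfig/iptables.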


