Misconception Regarding Iptables

Discussion in 'Linux Networking' started by Quadibloc, Jan 2, 2013.

  1. Quadibloc

    Quadibloc Guest

    I'm trying to use iptables to do some custom routing of packets from
    one network between two other networks.

    I found it very odd that in PREROUTING, where one can specify DNAT,
    one can't use the -o command. In searching for help with my
    difficulty, it was noted that the command "ip" would be used to set up
    another layer of Linux networking for purposes of routing.

    I'm trying, with commands like

    iptables -A FORWARD -i eth0 -o eth1 -s
    iptables -A FORWARD -i eth0 -o eth2 -s

    to direct communications from two computers on eth0 to two different
    destinations; I'm also doing some address translation with PREROUTING
    commands as well.

    It seems that despite 192.168.x.x and 10.x.x.x addresses belonging to
    a private space, there is some assumption that if the same IP address
    can be reached, say, through eth1 and eth2, that will lead to the same
    thing, and the Linux routing mechanism is designed with that in mind.

    Similarly, I can give the command "telnet" and even
    specify that I won't be using the default port 23, but there is no way
    to specify that I want to telnet to the computer with IP address that will be reached via eth1, as opposed to what could be
    a completely different computer with the IP address that
    happens to be connected to the eth2 card.

    So I think that I have a very fundamental misconception as to how
    networking in Linux is designed to work; it's apparently not designed
    to facilitate the maximum reuse of local IP addresses that is
    physically possible through attaching computers with the same address
    to different disjoint routers or switches.

    John Savard
    Quadibloc, Jan 2, 2013

  2. Hello,

    Quadibloc wrote:
    Big misconception regarding iptables, indeed.
    Iptables does not do routing but packet filtering and mangling. It can
    only help in routing by marking packets with marks which can then be
    used for routing.
    Why do you find it odd? The -o option (not command) is used to match
    (not route) packets with the specified output interface. But in the
    PREROUTING chain, before the routing decision takes place, the output
    interface is not known yet.
    The ip command does not "set up another layer of Linux networking for
    purposes of routing". It just sets up the IP routing in the Linux kernel.
    These rules have no target, so they do not have any effect.
    I repeat: iptables does not direct anything anywhere. It just does
    packet filtering and mangling, i.e. decide whether packets are accepted
    or dropped, or change some parts of the packets.
    Huh? What do you mean?
    Of course not. Haven't you heard about address uniqueness, which is one
    of the paradigms of the IP protocol?
    I think you have a fundamental misconception about how the IP protocol,
    addressing and routing are designed to work in general, not only in the
    Linux kernel.
    Pascal Hambourg, Jan 4, 2013
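The split of work the reply describes (iptables only marks and filters, the ip command does the routing) as an added example; this script is not from either poster. Interface names eth0/eth1/eth2 are taken from the thread; the LAN hosts 192.168.0.11 and 192.168.0.12, the gateways 10.1.0.1 and 10.2.0.1, and the routing table ids 101 and 102 are constructed assumptions. With DRY_RUN left at 1 the script only prints the commands it would run, so it can be read on a machine without root or those interfaces.

```shell
#!/bin/sh
# Added example: source-based policy routing with iptables marks.
# Hypothetical topology: eth0 is the LAN, eth1 and eth2 are two uplinks
# with gateways 10.1.0.1 and 10.2.0.1. Table numbers 101/102 are arbitrary.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (root).

: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: mangle/PREROUTING runs before the routing decision, so -o cannot
# be matched here. Only the source address is known; it is turned into a mark.
mark_sources() {
    run iptables -t mangle -A PREROUTING -i eth0 -s 192.168.0.11 -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i eth0 -s 192.168.0.12 -j MARK --set-mark 2
}

# Step 2: routing is the kernel's job, configured with ip. Each mark selects
# its own table, and each table sends traffic out of a different interface.
route_by_mark() {
    run ip rule add fwmark 1 table 101
    run ip rule add fwmark 2 table 102
    run ip route add default via 10.1.0.1 dev eth1 table 101
    run ip route add default via 10.2.0.1 dev eth2 table 102
}

# Step 3: FORWARD runs after the routing decision, so -o is valid here.
# A rule needs a target (-j) to do anything; "-A FORWARD -i eth0 -o eth1 -s ..."
# without -j matches packets but changes nothing.
filter_forward() {
    run iptables -A FORWARD -i eth0 -o eth1 -m mark --mark 1 -j ACCEPT
    run iptables -A FORWARD -i eth0 -o eth2 -m mark --mark 2 -j ACCEPT
    run iptables -A FORWARD -i eth0 -j DROP   # anything unmarked is denied
}

all_rules() {
    mark_sources
    route_by_mark
    filter_forward
}

# Number of commands the setup issues (useful when reviewing the dry run).
count_rules() {
    all_rules | wc -l | tr -d ' '
}

all_rules
```

The last FORWARD rule is the default-deny that makes the two ACCEPT rules meaningful: without it, forwarding behaviour depends on the chain policy rather than on the rules shown.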