[CentOS] OT : iptables/arptables question

Tue Jan 27 20:15:04 UTC 2009
Filipe Brandenburger <filbranden at gmail.com>


On Tue, Jan 27, 2009 at 14:14, Fabian Arrotin <fabian.arrotin at arrfab.net> wrote:
> On the other hand, 10 minutes after I had sent my mail (and 3 coffees
> later to be precise) I saw also a picture from wikipedia
> (http://upload.wikimedia.org/wikipedia/fr/thumb/3/3e/Netfilter_schema.png/400px-Netfilter_schema.png)

Interesting diagram! I tried to look for the Wikipedia page that links
to it, but no luck. Where did you find it? Is there an article with

> explaining how packets went through the different ip tables and it was
> directly clear : even packets leaving the local box (and being processed
> in the OUTPUT filter) are still processed in the nat table (postrouting
> filter) so a simple SNAT rule did the job perfectly too ;-)

That was my first thought, configuring a NAT for it. I actually
thought that you would be able to solve it by adding a SNAT entry in
the OUTPUT chain of the nat table, but when I checked the man page I
saw that SNAT can only be used in POSTROUTING. As I assumed you
already had a POSTROUTING SNAT rule catching all and you still had the
problem with the firewall itself, I did not mention it, but now I see
that it makes sense as you need a separate rule for that as the
interface is different.

> I've also had a look in the sysconfig.txt file to see how your solution
> could be applied but it's still not very clear how that can be done. But
> using GATEWAYDEV=eth3 (eth3 having my public-ip/32 while eth3:1 having
> my 192.168.X.X/24 ip) in the /etc/sysconfig/network and declaring a
> GATEWAY=192.168.X.X (isp router ip) in the ifcfg-eth3:1 does also the
> job. But a `route -n` is strange though : "
>         U     0      0        0 eth3" like for the old ppp
> stuff

> one coffee cup later I see in sysconfig.txt documentation file for the
> parameters of ifcfg-<interface-name> : "SRCADDR=  use the specified
> source address for outgoing packets" .. so definitely resolved by
> sysconfig files (so a clean solution)

Cool! That's real easy! Glad to know that.

> So multiple ways to solve the initial question ...

Great! I learned something today! :-)
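The two solutions discussed in the thread, written out as an added example script (not code posted by either participant). The interface name and addresses are placeholders (documentation ranges), and putting SRCADDR= in the ifcfg-eth3:1 file next to GATEWAY= is an assumption about which file the setting belongs in, not something the thread states:

```shell
#!/bin/sh
# Added example: make the firewall's own outbound traffic leave with the
# public address when eth3 holds the public /32 and the alias eth3:1 holds
# the private address that routes to the ISP router.
# All names and addresses below are placeholders, not the poster's values.

PUB_IF="eth3"              # interface carrying the public /32
PUB_IP="198.51.100.10"     # placeholder public address (RFC 5737 range)
PRIV_IP="192.168.1.2"      # placeholder private address on eth3:1
ISP_GW="192.168.1.1"       # placeholder ISP router address

# Approach 1: nat table. Locally generated packets go through filter OUTPUT
# and then nat POSTROUTING, so a POSTROUTING rule keyed on the outgoing
# interface rewrites the box's own traffic as well as forwarded traffic.
# SNAT is only valid in POSTROUTING, which is why an OUTPUT rule cannot do it.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' "$1" "$2"
}

# Approach 2: initscripts. ifcfg-* files are plain shell variable assignments
# read by the network scripts; SRCADDR= sets the source address used for
# outgoing packets. Writes both files into the directory given as $1.
write_ifcfg() {
    dir="$1"
    cat > "$dir/ifcfg-$PUB_IF" <<EOF
DEVICE=$PUB_IF
BOOTPROTO=static
IPADDR=$PUB_IP
NETMASK=255.255.255.255
ONBOOT=yes
EOF
    # Assumption: SRCADDR sits in the alias file that also carries GATEWAY.
    cat > "$dir/ifcfg-$PUB_IF:1" <<EOF
DEVICE=$PUB_IF:1
BOOTPROTO=static
IPADDR=$PRIV_IP
NETMASK=255.255.255.0
GATEWAY=$ISP_GW
SRCADDR=$PUB_IP
ONBOOT=yes
EOF
}

# Read one variable back from an ifcfg file the way initscripts do (by
# sourcing it, here in a subshell so nothing leaks into the caller).
# Usage: ifcfg_get /etc/sysconfig/network-scripts/ifcfg-eth3:1 SRCADDR
ifcfg_get() {
    ( . "$1" && eval "printf '%s' \"\$$2\"" )
}

# Checks to run on the real box after applying either approach; both are
# skipped here when the tools are absent so the script stays runnable anywhere.
check_live() {
    command -v ip >/dev/null 2>&1 && ip route get 203.0.113.1 2>/dev/null
    command -v iptables >/dev/null 2>&1 && iptables -t nat -L POSTROUTING -v -n 2>/dev/null
    return 0
}
```

On a live system, `ip route get <some external address>` should show `src <public address>` once SRCADDR= is in place, and the SNAT counters in `iptables -t nat -L POSTROUTING -v -n` should increase when the box itself sends traffic out of eth3.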