This is a discussion on iptables nat problem within the Linux Security forums, part of the System Security and Security Related category.
Hello,

I am using the following line to allow all inside-to-outside traffic to be NATted:

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

I think I get trouble with throughput when using this. I also think there is traffic from inside to outside that should not be there, because this rule is too general. The Global TCP/UDP Protocol Distribution from ntop is about 60 % "other" TCP/UDP-based protocols.

Sample: Very often I cannot get web pages through my proxy running on that firewall.

Any help?

Thanks,
Lothar
Lothar Behrens wrote:
> Hello,
>
> I am using the following line to allow all inside to outside
> traffic to be natted:
>
> $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
>
> I think I get trouble with throughput when using this.
> I also think there is traffic from inside to outside that should not be
> there, because this rule is too general.

You might try

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $LAN -j SNAT --to $INET_IP

The -s $LAN would only NAT packets from machines behind the firewall. As written, it would also NAT the packets that the firewall itself sends out. Not a huge issue, but no point in rewriting packets that don't need it.

Not sure if using --to $INET_IP instead of --to-source matters or not, but it has been working well for me for years.

bryan
--
A Freudian slip is when you say one thing but mean your mother.
Bryan Packer <bryanp@visi.com.com> wrote in message news:<3f9a9bf9$0$75895$a1866201@authen.newsreader.visi.com>...
> You might try $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $LAN -j
> SNAT --to $INET_IP

So I would allow NAT only for specific hosts instead of $LAN.

> The -s $LAN would only NAT packets from machines behind the firewall. As
> written, it would also NAT the packets that the firewall itself sends
> out. Not a huge issue, but no point in rewriting packets that don't need
> it.

I have seen broadcasts coming from an external IP address on my client (Ethereal). Is it possible that I have activated any routing of broadcasts, or is it the host that also has an internal network card where the broadcast comes from?

To do more restriction of what to NAT, do I simply define $Host $port in that rule?

> Not sure if using the --to $INET_IP instead of --to-source matters or
> not, but it has been working well for me for years.
>
> bryan

Thanks,
Lothar
Lothar Behrens wrote:
> I have seen broadcasts coming from an external IP address on my client
> (Ethereal). Is it possible that I have activated any routing of broadcasts or
> is it the host that also has an internal network card where the broadcast comes
> from?

Not enough info to say really, but if there was another machine with both internal and external interfaces on your network it could do that. I've seen similar things from broken dial-up clients.

> To do more restriction of what to NAT, do I simply define $Host $port in that
> rule?

You certainly can. I happen to prefer letting the NAT do NAT without filters, and do my filtering in the FORWARD and OUTPUT tables. That's what they are there for. Not mandatory, but it seems more logical to me.

bryan
--
A Freudian slip is when you say one thing but mean your mother.