Molle Bestefich wrote:
> Manuel Kasper wrote:
>
>> Assuming you're doing NAT on the WAN interface, then for outbound
>> packets on WAN, NAT is applied after the packet has passed through
>> the filter - therefore, the filter will see the original, private
>> source IP address.
>> For inbound packets on WAN, NAT is applied before the filter gets the
>> packet - therefore, it'll also see the proper private IP address in the
>> destination field
>
> Ok, makes more sense now, thanks for explaining.
> I can see how that scheme would work ;-).
>
> If WAN-specific NAT is performed as a reaction to a packet leaving
> that particular interface, then that implies that it's performed not
> only after the filter, but also after the kernel router. I guess
> that's ok, since in this case we're translating the source address, so
> the router will have delivered the packet to the correct interface.
> But perhaps it could pose a problem with source-based routing?
>
> Aside from the fact that the current scheme needs to sit in a very
> specific place to work (which might or might not interfere with
> source-based routing or something entirely else), I think it's an
> unnecessarily complicated solution :-).

Sometimes simple things can sound complicated. Almost every firewall and
router works in this way. Perhaps a picture can help?

http://www.halleforshunden.org/nat-filter.png

/Anders
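As an added illustration (not part of the thread, and not m0n0wall's own code), here is a small Python model of the WAN pipeline Manuel describes: outbound packets are filtered and then source-NATed, inbound packets are destination-NATed and then filtered. The addresses, the port forward and the rule format are constructed for the example; it shows why WAN filter rules must name the private addresses, and that the same rules written against the public WAN address never match, so that traffic is blocked.

```python
from dataclasses import dataclass, replace

# Constructed addresses for the example (not from the thread).
WAN_IP = "203.0.113.2"               # firewall's public WAN address
LAN_NET = "192.168.1."               # private LAN, a /24 written as a string prefix
PORT_FORWARDS = {80: "192.168.1.10"} # inbound NAT: WAN port 80 -> internal web server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def outbound_nat(pkt: Packet) -> Packet:
    """Source NAT on WAN: a private source address becomes the WAN address."""
    return replace(pkt, src=WAN_IP) if pkt.src.startswith(LAN_NET) else pkt


def inbound_nat(pkt: Packet) -> Packet:
    """Destination NAT on WAN: a forwarded port is rewritten to the internal host."""
    if pkt.dst == WAN_IP and pkt.dport in PORT_FORWARDS:
        return replace(pkt, dst=PORT_FORWARDS[pkt.dport])
    return pkt


def filter_verdict(pkt: Packet, direction: str, rules: list) -> str:
    """First matching rule wins; a packet matching no rule is blocked."""
    for r in rules:
        if r["dir"] != direction:
            continue
        if "src" in r and not pkt.src.startswith(r["src"]):
            continue
        if "dst" in r and pkt.dst != r["dst"]:
            continue
        if "dport" in r and pkt.dport != r["dport"]:
            continue
        return r["action"]
    return "block"


def wan_out(pkt: Packet, rules: list):
    """Outbound on WAN: filter first, NAT afterwards (filter sees the private source)."""
    verdict = filter_verdict(pkt, "out", rules)
    return verdict, (outbound_nat(pkt) if verdict == "pass" else pkt)


def wan_in(pkt: Packet, rules: list):
    """Inbound on WAN: NAT first, filter afterwards (filter sees the private destination)."""
    translated = inbound_nat(pkt)
    return filter_verdict(translated, "in", rules), translated


# Rules written against the private addresses, as this ordering requires.
RULES_PRIVATE = [
    {"dir": "out", "src": LAN_NET, "action": "pass"},
    {"dir": "in", "dst": "192.168.1.10", "dport": 80, "action": "pass"},
]
# The same intent written against the public address: never matches, so everything is blocked.
RULES_PUBLIC = [
    {"dir": "out", "src": WAN_IP, "action": "pass"},
    {"dir": "in", "dst": WAN_IP, "dport": 80, "action": "pass"},
]
```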