[WBEL-users] iptables pre and post routing confusion

Kirby Bohling kbohling@birddog.com
Tue, 3 Aug 2004 22:17:04 -0500


On Tue, Aug 03, 2004 at 10:42:58PM -0400, fefe@fefe.2y.net wrote:
> Hey all,
> 
> I'm a bit confused. I understand what the prerouting rules and postrouting
> rules are for, but I don't understand when each part comes into play, i.e.
> prerouting to postrouting. When does prerouting happen, and what needs to
> happen before it happens? When does the kernel come into play? Is there a good
> book for this? Or can someone explain in detail what happens to a packet
> when going through different nat/routers and what rules can be thrown into
> my linux firewall.

Read up on netfilter and iproute2.

Here are the guides one of the main netfilter guys wrote:
http://www.netfilter.org/documentation/index.html#documentation-howto

Tooling around from there, you can find some interesting links.

The one that actually has an ASCII diagram that answers your
question is here:

http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html

You might want to look at this first:

http://lartc.org/howto/

That one is probably the most useful hands-on howto I've seen.
While not always explaining all the gory details, the Cookbook
section is highly useful.

The mailing lists associated with lartc.org are highly useful
assuming you present enough information.  A lot of times, they just
refer you to the documentation, but generally, they refer you to
precisely the paragraphs that answer your question.

	In the end, pre-routing happens before a routing decision is
made.  Post-routing happens after a routing decision happens.  I
know that sounds obvious, but it's the answer to your question.
It'll work better with an example.

	The reason you have two different ones is for something like
using SNAT or MASQ.  We have 2 network connections, a T1 and a cable
modem.  Depending on what type of traffic it is, we force it to one
connection or the other.  Well, the way that's done is via iptables
rules that mangle the source IP address.  The policy-based router
notices the source IP and forces it to go out the correct interface
(the quick and dirty version is that using policy-based routing,
we've set up two different routing tables depending on the source IP;
the default for T1 IPs is out the T1, the default for the cable
IPs is out the cable modem).  So all you have to do is get the
source IP correct, and the PBR does the rest.

If you did the source IP mangle as a post-routing rule, I'd send
packets with the cable modem IP out the T1 interface and vice versa.
That'd be really bad.

It's there solely so you can have some rules that will have effects
on the routing, and some that don't.  There can be different types
of mangling that you want to happen after routing decisions have
been made.  You put those on the post-routing chains.  I can't come
up with any compelling examples of the post-routing rules, but I
believe there are certain types of mangles that can only happen
post-routing.

> 
> Also, maybe a myth, but I've heard with the wrong nat router settings
> someone can use your linux nat router as a gateway and masquerade as you.
> Is this just silliness? I think I need a book that explains this stuff
> from the beginning of the formation of a packet all the way to reaching my
> machine inside my network and then back the other direction.

	Sure, that's possible.  I could easily do something like that in
iptables.  If they could force the packets to get to you, yes,
that's possible.  You'd have to do something dreadfully foolish in
order to pull it off, but yes, in theory it could be done.  This is
why you use egress filtering, and spend a lot of time running test
packets through the system to see what they do.

	Don't take this the wrong way, but you don't sound like you have
lots of hands-on experience in this area (neither do I, but I've
read up on it because routing is kinda cool to me).  Whatever it is
you want to do has probably been done before.  If it hasn't, more
than likely there is something in the LARTC cookbook.  They are
generally pretty good about security in there.  Try and see if you
can use it as the basis for your design, and you should be okay.

	Kirby

> 
> Eric
> 
> _______________________________________________
> Whitebox-users mailing list
> Whitebox-users@beau.org
> http://beau.org/mailman/listinfo/whitebox-users
>
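A toy model of the hook ordering Kirby describes (PREROUTING, routing decision, POSTROUTING), added here as an illustration and not code from the thread. It assumes two constructed public addresses, a source-based policy routing setup, and an abstract "rewrite the source IP" step so you can see why the same rewrite placed after the routing decision sends a cable-modem-addressed packet out the T1.

```python
"""Hook-order model for a forwarded packet on a dual-uplink router.

Constructed example: addresses, interface names and the web-vs-other
policy are made up; the point is only where the source rewrite runs.
"""

T1_IP = "198.51.100.10"     # constructed: our address on the T1 (eth1)
CABLE_IP = "203.0.113.10"   # constructed: our address on the cable modem (eth2)

# Policy-based routing: source IP selects the routing table, table selects
# the egress interface. LAN sources fall through to the main table (T1).
IP_RULES = {T1_IP: "t1", CABLE_IP: "cable"}
ROUTE_TABLES = {"t1": "eth1", "cable": "eth2", "main": "eth1"}


def route(pkt):
    """The kernel's routing decision: which interface the packet leaves on."""
    return ROUTE_TABLES[IP_RULES.get(pkt["src"], "main")]


def pick_uplink(pkt):
    """Traffic policy: web traffic via the cable modem, everything else via T1."""
    return CABLE_IP if pkt["dport"] == 80 else T1_IP


def forward(pkt, rewrite_src_in):
    """Walk PREROUTING -> routing decision -> FORWARD -> POSTROUTING.

    rewrite_src_in is "PREROUTING" or "POSTROUTING": the hook in which the
    source IP is rewritten to the chosen uplink address.
    """
    pkt = dict(pkt)
    trace = []
    if rewrite_src_in == "PREROUTING":
        pkt["src"] = pick_uplink(pkt)          # seen by the routing decision
        trace.append(("PREROUTING", pkt["src"]))
    out_if = route(pkt)
    trace.append(("ROUTE", out_if))
    if rewrite_src_in == "POSTROUTING":
        pkt["src"] = pick_uplink(pkt)          # routing already decided
        trace.append(("POSTROUTING", pkt["src"]))
    return {"src": pkt["src"], "out_if": out_if, "trace": trace}


def is_consistent(result):
    """True when the outgoing source IP matches the interface it leaves on."""
    return ROUTE_TABLES[IP_RULES[result["src"]]] == result["out_if"]
```

Run `forward({"src": "192.168.1.5", "dport": 80}, "POSTROUTING")` to reproduce the mismatch Kirby warns about: the packet is routed with its LAN source, lands on eth1, and only then gets the cable-modem address.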