NAT tables chains

lekkie.aydot@gmail.com
      07-28-2005, 06:56 PM
Can someone please explain to me how the Pre-Routing, Output and
Post-routing chains work. I understand that when one wants to masquerade,
I have to use the post-routing chain; what is the function of pre-routing? I
think it should help the packets being replied to a LAN be identified
with the original sender. I'm not really sure. Can someone help to
clarify this?

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.0.0/255
This will allow network translation for packets coming from hosts on the LAN
192.168.1.0 network to eth0, which is the external network (internet).

Also, when masquerading, is it the post-routing chain alone that matters, or
it together with pre-routing and output?

Eric Teuber
      07-28-2005, 07:03 PM
(E-Mail Removed) wrote:
> Can someone please explain to me how the Pre-Routing, Output and
> Post-routing chains work. I understand that when one wants to masquerade,
> I have to use the post-routing chain; what is the function of pre-routing? I
> think it should help the packets being replied to a LAN be identified
> with the original sender. I'm not really sure. Can someone help to
> clarify this?
>
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.0.0/255
> This will allow network translation for packets coming from hosts on the LAN
> 192.168.1.0 network to eth0, which is the external network (internet).
>
> Also, when masquerading, is it the post-routing chain alone that matters, or
> it together with pre-routing and output?
>


You have a lot of questions concerning iptables; why don't you just have
a look at the documentation?

However, Prerouting will route incoming packets to the internal net. If
you have an HTTP server behind a router/firewall, Prerouting would tell the
router to forward incoming traffic at a certain port or official
IP address to an internal server and port.

The Output chain is only used by the local router/firewall. If you want
to restrict outgoing traffic from your LAN, you need to set up rules in
the Forward chain.

Eric
 
lekkie.aydot@gmail.com
      07-28-2005, 07:23 PM
Thank you for taking the pain to reply. I went through the howto
(netfilter.org); I got the concept but didn't get the implementation.
However, I got the filter table quite fine, while I'm left with a
question on the NAT table.
So how does a packet returning to LAN hosts from the internet get to its
original packet request? My thinking is that maybe it is through the pre-routing
config.
By saying returning packets I mean packets that originated from the LAN
hosts due to their request to a remote service (web) through the router.
These packets, I believe, return to the router, and the router has to
find a way of identifying the original sender of such packets; is that
what pre-routing does?

Eric Teuber
      07-28-2005, 07:43 PM
(E-Mail Removed) wrote:
> Thank you for taking the pain to reply. I went through the howto
> (netfilter.org); I got the concept but didn't get the implementation.
> However, I got the filter table quite fine, while I'm left with a
> question on the NAT table.
> So how does a packet returning to LAN hosts from the internet get to its
> original packet request? My thinking is that maybe it is through the pre-routing
> config.
> By saying returning packets I mean packets that originated from the LAN
> hosts due to their request to a remote service (web) through the router.
> These packets, I believe, return to the router, and the router has to
> find a way of identifying the original sender of such packets; is that
> what pre-routing does?
>


Sorry for being so rude! I didn't know you had read the howtos already!

Your client (LAN) makes a request to your router, since it is responsible
for forwarding the traffic (routing table); it will forward the traffic and
remember the connections by analyzing the TCP/IP headers.

Your client (on the way to the world) will connect to your router; your
router will see the request (SYN) that is going out to the www. It will
remember the source address/port and the destination address/port.
Because of this information (and some more, e.g. ACK), it will find
the right way back to your client if the connection is related or
established to the one your client has requested.

Eric
 
Eric Teuber
      07-28-2005, 07:49 PM
Eric Teuber wrote:
>> These packets, I believe, return to the router, and the router has to
>> find a way of identifying the original sender of such packets; is that
>> what pre-routing does?


And no, that has nothing to do with prerouting; please look at your posts
earlier.

Eric
 
KR
      07-29-2005, 07:21 PM
(E-Mail Removed) wrote:
> By saying returning packets I mean packets that originated from the LAN
> hosts due to their request to a remote service (web) through the router.
> These packets, I believe, return to the router, and the router has to
> find a way of identifying the original sender of such packets; is that
> what pre-routing does?


No, that is either plain routing (if no NAT is involved) or called "NAT
connection tracking" and handled by the conntrack modules that are part
of netfilter.
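As an added illustration (not code from any poster), here is a small Python model of what Eric and KR describe: nat-table rules are consulted only for the first packet of a flow, and the conntrack entry created at that point is what translates every later packet in both directions, so the reply to a LAN host's request needs no PREROUTING rule at all. The addresses, ports and the two rules (a DNAT port-forward in PREROUTING, an SNAT in POSTROUTING) are constructed for the example.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

EXT_IP = "203.0.113.5"       # router's own address on eth0 (constructed value)
LAN_NET = "192.168.1."       # LAN behind the router (constructed)
WEB_SERVER = "192.168.1.20"  # internal HTTP server published with DNAT (constructed)

# conntrack table: original tuple -> expected reply tuple, both (src, sport, dst, dport)
conntrack = {}

def swap(t):
    return (t[2], t[3], t[0], t[1])

def apply_nat_rules(hook, p):
    """Rules in the nat table are consulted only for the first packet of a new flow."""
    # PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.20
    if hook == "PREROUTING" and p.dst == EXT_IP and p.dport == 80:
        return p._replace(dst=WEB_SERVER)
    # POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.5
    # ("-o eth0" is approximated here as "destination is not on the LAN")
    if hook == "POSTROUTING" and p.src.startswith(LAN_NET) and not p.dst.startswith(LAN_NET):
        return p._replace(src=EXT_IP)
    return p

def forward(p):
    """Send a forwarded packet through the router: PREROUTING, routing, POSTROUTING."""
    for orig, reply in conntrack.items():
        if tuple(p) == orig:   # later packet of a known flow: reuse the stored mapping
            return Packet(*swap(reply))
        if tuple(p) == reply:  # returning packet: conntrack reverses the mapping, no rule needed
            return Packet(*swap(orig))
    orig = tuple(p)
    for hook in ("PREROUTING", "POSTROUTING"):
        p = apply_nat_rules(hook, p)
    conntrack[orig] = swap(tuple(p))  # remember what the reply to this flow will look like
    return p

def demo():
    """Two flows: a LAN client browsing out (SNAT) and an outside client reaching the web server (DNAT)."""
    conntrack.clear()
    out = forward(Packet("192.168.1.10", 4321, "198.51.100.7", 80))   # leaves as 203.0.113.5:4321
    back = forward(Packet("198.51.100.7", 80, out.src, out.sport))    # delivered to 192.168.1.10:4321
    inb = forward(Packet("198.51.100.9", 5555, EXT_IP, 80))           # DNATed to 192.168.1.20:80
    rep = forward(Packet(inb.dst, 80, inb.src, inb.sport))            # leaves sourced from 203.0.113.5:80
    return out, back, inb, rep, len(conntrack)
```

Note that SNAT's --to-source takes the router's own external address (or a range of addresses), not a netmask as in the rule in the first post; which LAN hosts get translated is selected by the -s match.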