chibislick

join:2009-07-10

[Tomato] tomato firmware - NAT loopback settings

Could someone explain to me, technically, the difference between the NAT Loopback settings in Tomato firmware? What's the technical difference between Forwarded only and All?

Doesn't have to be very detailed, just a little bit more detailed than "Well one does all ports, other does forwarded only ports "

thanks!


upb
Premium
join:2004-03-15
Carriere, MS
kudos:1

To see the difference, telnet to your router and type

iptables -n -L -v -t nat

There you will see that the "all" option produces a POSTROUTING table similar to the following (Tomato v 1.23):

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination               
    0     0 MASQUERADE  0    --  *      ppp+    0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  0    --  *      br0     192.168.1.0/24    192.168.1.0/24
 
The first rule is always there and enables NAT for Internet connections.

The second rule causes the router to rewrite the source IP address of any packet originating from a local machine and bound for a local machine (including the router) to be the same as the IP address of the LAN interface of the router. This rule ignores the specific IP addresses of local machines.

When the "Forwarded Only" option is selected, the POSTROUTING table will instead look something like the following:

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       udp  --  *      *       192.168.1.0/24       192.168.1.150       udp dpts:5198:5199 to:1.2.3.4 
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.3         tcp dpts:9300:9330 to:1.2.3.4  
    0     0 MASQUERADE  0    --  *      ppp+    0.0.0.0/0            0.0.0.0/0
 

Here, the router will rewrite the source IP address (SNAT target) to be the same as the public IP address of the router before the packets are sent to the local machine that is listening on the forwarded port (or port range, in this case). Local machines which do not have ports forwarded to them are not included in the rules.

Bottom line: The "All" choice saves on the number of rules in the POSTROUTING table, but some people argue it may not be as secure as having rules which apply only to the specific local machines which are providing a port forwarded service.

Hope this is clearer than mud. :)


Napsterbater
Meh
Premium,MVM
join:2002-12-28
Milledgeville, GA
Reviews:
·Windstream

said by upb:

To see the difference, telnet to your router and type

iptables -n -L -v -t nat

There you will see that the "all" option produces a POSTROUTING table similar to the following (Tomato v 1.23):

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination               
    0     0 MASQUERADE  0    --  *      ppp+    0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  0    --  *      br0     192.168.1.0/24    192.168.1.0/24
 
The first rule is always there and enables NAT for Internet connections.

The second rule causes the router to rewrite the source IP address of any packet originating from a local machine and bound for a local machine (including the router) to be the same as the IP address of the LAN interface of the router. This rule ignores the specific IP addresses of local machines.

OK, you're saying that with "All", 192.169.1.40 sending traffic to 192.168.1.50 will have the source address as 192.168.1.1 (router LAN), and .50 will respond to .1, which then sends to .40?

But how? 192.168.1.40 sending traffic to 192.168.1.50 doesn't go through the router to be rewritten.

--
AMD Phenom II x3 720 BE @ 3.5Ghz(OC) | 4Gb Memory @ 1600mhz | Sapphire ATI HD4870 1GB 800mhz/1000mhz(OC) | 2x500GB HDD's Raid 0 | Windows 7 Ultimate x64 Build 7100

upb
Premium
join:2004-03-15
Carriere, MS
kudos:1

said by Napsterbater:

OK, you're saying that with "All", 192.169.1.40 sending traffic to 192.168.1.50 will have the source address as 192.168.1.1 (router LAN), and .50 will respond to .1, which then sends to .40?

But how? 192.168.1.40 sending traffic to 192.168.1.50 doesn't go through the router to be rewritten.

My explanation was probably not detailed enough, because in both loopback choices the PREROUTING chain is the same, and I decided to gloss over it.

When an internal machine attempts to reach a forwarded port by attempting to connect to the public IP of the router, the goal of the iptables rules is to rewrite the packets in such a way that the internal machine which is hosting the service "sees" a request which is coming from the router. When the machine responds to the router, its packets are rewritten by the router so that the router's IP address is changed to that of the machine which initiated the request. In that way, both internal machines are "fooled" into talking to each other via the router — a so-called loopback connection.

Some details:

The PREROUTING chain causes all packets which are bound for the public IP address and forwarded port to have their destination IP rewritten to be that of the local machine hosting the service. Eventually, those packets wind up going through the POSTROUTING chain, and their source IP address is rewritten (or not) according to the rules there. Only local machines which have attempted to connect to the public IP will be involved in the address rewriting. Once that is successful, machines attempting to connect to the router's public IP address and forwarded port will have their packets rewritten in such a way that the connection between two local machines will appear to each one to be a connection to the router itself. Since the IP address rewriting causes each local machine to see a connection involving the router, the resulting data flow passes through the router.

As you pointed out, local machines which attempt to initiate direct contact with one another are normally not even seen by the router.

Again, the PREROUTING chain is responsible for changing the destination IP address when necessary, and the POSTROUTING chain handles any rewriting of the source IP address. That loopback option that the OP asked about affects only the POSTROUTING chain.

Phew. I've rewritten this a number of times, and I'm still not sure it's very clear. You can always consult the iptables documentation over at »www.netfilter.org for fuller explanations. Good luck.
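To make the PREROUTING/POSTROUTING exchange described above concrete, here is a small packet-rewriting model written for this thread (it is not Tomato's code and not a real iptables implementation). It takes the port forwards and the 1.2.3.4 public IP from the SNAT rules quoted earlier, assumes 192.168.1.1 as the router's br0 address, and walks one hairpin connection from 192.168.1.40 to 1.2.3.4:9300 through the router under three POSTROUTING policies: "all" (MASQUERADE br0 LAN-to-LAN), "forwarded" (SNAT only toward the forwarded host/port) and "none" (no source rewrite, to show why the reply then never comes back through the router).

```python
"""Toy model of Tomato's NAT loopback: DNAT in PREROUTING, source rewrite in POSTROUTING.
Constructed for illustration; addresses and forwards are taken from the thread's rules."""
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_LAN_IP = "192.168.1.1"   # assumption: the router's br0 address
PUBLIC_IP = "1.2.3.4"           # the "to:1.2.3.4" from the quoted SNAT rules

# Port forwards as in the quoted "Forwarded Only" table: (proto, first, last, internal host)
FORWARDS = [
    ("udp", 5198, 5199, "192.168.1.150"),
    ("tcp", 9300, 9330, "192.168.1.3"),
]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def forwarded_host(proto, dport):
    """Internal host that (proto, dport) is forwarded to, or None."""
    for p, lo, hi, host in FORWARDS:
        if p == proto and lo <= dport <= hi:
            return host
    return None


def prerouting(pkt):
    """PREROUTING (DNAT): identical in both loopback modes. A packet sent to the
    public IP on a forwarded port has its destination rewritten to the LAN host."""
    if pkt.dst == PUBLIC_IP:
        host = forwarded_host(pkt.proto, pkt.dport)
        if host:
            return replace(pkt, dst=host)
    return pkt


def postrouting(pkt, mode, out_if):
    """POSTROUTING (source rewrite): the only chain the loopback option changes."""
    in_lan = lambda ip: ipaddress.ip_address(ip) in LAN
    if out_if.startswith("ppp"):
        # MASQUERADE out ppp+ : ordinary Internet NAT, present in every mode
        return replace(pkt, src=PUBLIC_IP)
    if mode == "all" and in_lan(pkt.src) and in_lan(pkt.dst):
        # MASQUERADE out br0, 192.168.1.0/24 -> 192.168.1.0/24: source becomes router LAN IP
        return replace(pkt, src=ROUTER_LAN_IP)
    if mode == "forwarded" and in_lan(pkt.src) and forwarded_host(pkt.proto, pkt.dport) == pkt.dst:
        # SNAT 192.168.1.0/24 -> <forwarded host> dpts:<range> to:<public IP>
        return replace(pkt, src=PUBLIC_IP)
    return pkt  # "none", or no rule matched: source left untouched


def route(pkt, mode):
    """Run a LAN-originated packet through the router. Returns the packet as it
    leaves and a (original, translated) conntrack entry, or None if it was for
    the router itself."""
    translated = prerouting(pkt)
    if translated.dst in (ROUTER_LAN_IP, PUBLIC_IP):
        return translated, None  # not a forwarded port: delivered to the router locally
    out_if = "br0" if ipaddress.ip_address(translated.dst) in LAN else "ppp0"
    translated = postrouting(translated, mode, out_if)
    return translated, (pkt, translated)


def reply(server_pkt, conntrack):
    """The server answers the addresses it saw; conntrack undoes both rewrites."""
    original, translated = conntrack
    expected = (translated.dst, translated.dport, translated.src, translated.sport)
    if (server_pkt.src, server_pkt.sport, server_pkt.dst, server_pkt.dport) != expected:
        raise ValueError("reply does not match a tracked connection")
    return Packet(server_pkt.proto, original.dst, original.dport, original.src, original.sport)


def demo(mode):
    """One hairpin connection: what the server sees, and what the client gets back."""
    client = Packet("tcp", "192.168.1.40", 40000, PUBLIC_IP, 9300)
    at_server, ct = route(client, mode)
    answer = Packet("tcp", at_server.dst, at_server.dport, at_server.src, at_server.sport)
    if ipaddress.ip_address(answer.dst) in LAN and answer.dst != ROUTER_LAN_IP:
        # Reply addressed to another LAN host goes straight across the switch;
        # the router never sees it, so nothing is un-rewritten.
        return at_server, answer
    return at_server, reply(answer, ct)


if __name__ == "__main__":
    for mode in ("all", "forwarded", "none"):
        seen_by_server, seen_by_client = demo(mode)
        print(mode, "| server sees:", seen_by_server, "| client gets:", seen_by_client)
```

Under "all" the host at 192.168.1.3 sees the request come from 192.168.1.1; under "forwarded" it sees 1.2.3.4; in both cases its reply is addressed to the router, which reverses the translation so the client receives an answer from 1.2.3.4:9300, the address it actually connected to. With no source rewrite, the server replies directly to 192.168.1.40 from 192.168.1.3, which the client's TCP stack does not associate with its connection to 1.2.3.4, so the connection fails.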


Napsterbater
Meh
Premium,MVM
join:2002-12-28
Milledgeville, GA
Reviews:
·Windstream

That's a little better, but I still don't see a difference between "Forwarded" and "All"

Unless "Forwarded" only includes those in "Basic" port-forwarding section of Tomato and All includes UPNP/NAT-PMP, DMZ and triggered.
--
AMD Phenom II x3 720 BE @ 3.5Ghz(OC) | 4Gb Memory @ 1600mhz | Sapphire ATI HD4870 1GB 800mhz/1000mhz(OC) | 2x500GB HDD's Raid 0 | Windows 7 Ultimate x64 Build 7100



Napsterbater
Meh
Premium,MVM
join:2002-12-28
Milledgeville, GA
Reviews:
·Windstream

It just hit me what the difference between forwarded and All probably is.

"Forwarded only" does those that are in the "Basic" and "Triggered" sections.

And "All" probably does those plus all that are opened via general NAPT usage.

At least that's my best guess so far.
--
AMD Phenom II x3 720 BE @ 3.5Ghz(OC) | 4Gb Memory @ 1600mhz | Sapphire ATI HD4870 1GB 800mhz/1000mhz(OC) | 2x500GB HDD's Raid 0 | Windows 7 Ultimate x64 Build 7100