Darellon

Reputation: 372

Iptables NAT and Masquerade rules - what do they do?

I've followed a tutorial (in German) on setting up a WiFi router (access point) on a Raspberry Pi. Following the tutorial, I had to add the following iptables rules:

iptables -A FORWARD -o eth0 -i wlan0 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Unfortunately I don't have any experience with iptables and would like to know what these rules mean/do.

Upvotes: 4

Views: 19768

Answers (1)

Ariel Otilibili

Reputation: 280

I'll go through the rules and explain each one in turn; to understand the flow, refer to the iptables chart.

iptables -A FORWARD -o eth0 -i wlan0 -m conntrack --ctstate NEW -j ACCEPT

In the FORWARD chain, you appended a rule which says: if any new packet comes from wlan0 to eth0, the filter lets it pass and tracks that connection as NEW (which means: it follows its change of state).

iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

For any incoming packets tracked as ESTABLISHED or RELATED, the filter lets them pass.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

For the NAT table (which contains the FORWARD chain), in the POSTROUTING chain, any packet leaving eth0 forgets its inner IP address (so it stays behind a NAT) and gets that of eth0: MASQUERADE stands for masking the address.

Upvotes: 7
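As an added example (not code from the question or the answer), here are the three rules assembled into a complete, re-runnable router script. It assumes eth0 is the uplink and wlan0 the access point, as in the question; change WAN/LAN to match `ip link`. It adds what the question's snippet leaves out: enabling ip_forward (without it the kernel never traverses FORWARD), flushing before appending (so re-running does not duplicate rules), and setting FORWARD's policy to DROP (on a fresh install the policy is ACCEPT, so the two ACCEPT rules on their own restrict nothing).

```shell
#!/bin/sh
# Added example, not code from the question or the answer: the three rules
# from the question assembled into a complete default-deny router setup.
# Assumptions: eth0 is the uplink (WAN) and wlan0 the access point (LAN);
# change WAN/LAN to match the interfaces shown by `ip link`.
set -eu

WAN="${WAN:-eth0}"    # uplink; MASQUERADE rewrites source addresses to its address
LAN="${LAN:-wlan0}"   # access-point interface the WiFi clients are attached to

# Emit the full rule set, one command per line, without running anything.
# Additions relative to the question's three rules:
#  - ip_forward=1: without it the kernel never consults the FORWARD chain;
#  - flushing FORWARD and nat/POSTROUTING first, so re-running the script does
#    not append duplicate rules (-A appends every time);
#  - `-P FORWARD DROP`: the ACCEPT rules only restrict anything when the chain's
#    default policy is DROP (it is ACCEPT on a fresh install);
#  - ESTABLISHED,RELATED first, so reply packets match on the first rule.
router_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

# Count the rules that name an interface in a given role, e.g. `rules_for -o eth0`;
# a quick sanity check on the generated set before it is applied.
rules_for() {
    router_rules | grep -c -- " $1 $2 " || true
}

# Run every line of the rule set. Needs root (iptables and sysctl -w).
apply_rules() {
    router_rules | while IFS= read -r cmd; do
        $cmd
    done
}

# `sh router.sh` prints the rules; `sudo sh router.sh apply` installs them.
case "${1:-show}" in
    apply) apply_rules ;;
    *)     router_rules ;;
esac
```

Run it without arguments first to review the generated commands, then with `apply` as root. Note that with the DROP policy, new connections from the eth0 side towards WiFi clients are no longer forwarded; MASQUERADE alone would also prevent them from being addressed directly, but the policy makes that explicit.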
