|
The only time you need to be concerned with the placement of rules is when you are dealing with rules in the same chain.
There are three tables in netfilter by default:
- Mangle
- NAT
- Filter
Any packet that arrives at your interface will always follow the above path from top to bottom.
Inside each table there are several default chains:
- Mangle
------- Prerouting (Add marks, TOS, etc before routing process occurs)
------- Output (Add marks, TOS, etc to packets originating locally)
- NAT
------- Prerouting (Affects packets before routing process)
------- Output (Affects packets originating locally)
------- Postrouting (Affects packets after routing process)
- Filter
------- Input (Affects packets coming in on an interface)
------- Output (Affects packets going out on an interface they were received on)
- Forward (Affects packets going in one interface and out another - between networks)
Rules in each chain should be placed in order of expected use. The reason for this is that once a packet matches a rule the action is preformed and the packet does consume anymore system resources. If you run a webserver you probably want the first rule in your input chain to be "iptables -A INPUT -p tcp --dport 80 -j ACCEPT".
You can view your rules and their positions using the command: "iptables -vnL --line-numbers". By default this shows the filter table. Use "-t" to show a different table. "iptables -vnL --line-numbers -t nat" will show all rules in the nat table including their position in their chains.
To answer your question... SNAT is preformed in the postrouting chain of the nat table, and since you will probably only have one rule for this you don't really need to worry about other changes effecting your SNAT rule. Just make sure that you are accepting traffic on the LAN interface (INPUT chain) and you employ a stateful firewall. There are always exceptions to this, but I don’t think you are creating anything phenomenal here.
Hope this helps.
Last edited by SirGertrude; 11-15-2005 at 06:56 PM.
|
