LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 05-28-2011, 05:11 AM   #1
satish
Iptables Question


I want some explanation for the iptables which is given below.

1)
iptables -A FORWARD -i eth2 -o eth3 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth3 -o eth2 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

2)
iptables -A FORWARD -i eth3 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth3 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE

3)
iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 1024:65535 -d 192.168.1.249 --dport 4899 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp ! --syn -s 192.168.1.249 --sport 4899 --dport 1024:65535 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --sport 1024:65535 -d 114.143.28.204 --dport 4899 -j DNAT --to-destination 192.168.1.249

These 3 iptables commands were given to me by LinuxQuestions when I put questions in the forum, and they replied to me positively; thanks for the cooperation.

As I am a newbie in Linux, whenever I got a problem I asked LinuxQuestions; now I don't know the explanation of these commands.

I want to ask you: in the 3rd command we used PREROUTING; why did we not use POSTROUTING?

If possible, please give me the explanation for the above commands.

Thanking You,

Satish
 
Old 05-28-2011, 07:12 AM   #2
pkrumins
Quote:
Originally Posted by satish View Post
I want some explanation for the iptables which is given below.

1)
iptables -A FORWARD -i eth2 -o eth3 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth3 -o eth2 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
The first rule says: all packets that come in eth2 and go out of eth3 and that are established should be accepted.

The 2nd rule says: all packets going in eth3 and going out eth2 should be accepted.

3rd rule: all traffic that goes out eth2 should be natted.

Quote:
Originally Posted by satish View Post
2)
iptables -A FORWARD -i eth3 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth3 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE
Same except eth2<->eth3 swapped.

Quote:
Originally Posted by satish View Post
3)
iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 1024:65535 -d 192.168.1.249 --dport 4899 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp ! --syn -s 192.168.1.249 --sport 4899 --dport 1024:65535 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --sport 1024:65535 -d 114.143.28.204 --dport 4899 -j DNAT --to-destination 192.168.1.249
1st rule: all packets that go in eth1 and go out eth2 and proto is tcp and source port is in range 1024-65535 and destination is 192.168.1.249 and destination port is 4899 should be accepted.

2nd: all packets coming in eth0 and going out eth2 and proto is tcp and it's not a syn (connection establishing) packet, and source is 192.168.1.249 and source port is 4899 and destination port is in range 1024-65535 should be accepted.

3: nat all packets coming in eth1 with tcp proto and source port 1024-65535 and going to 114.143.28.204:4899, nat them all to 192.168.1.249.
 
Old 05-30-2011, 10:07 PM   #3
satish
Iptables Question

You had given me a good explanation, thanks for the reply. Now I want to ask you what POSTROUTING & PREROUTING are.

iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 1024:65535 -d 192.168.1.249 --dport 4899 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp ! --syn -s 192.168.1.249 --sport 4899 --dport 1024:65535 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --sport 1024:65535 -d 114.143.28.204 --dport 4899 -j DNAT --to-destination 192.168.1.249


As you can see in the above iptables rules, PREROUTING is used. Why did we use PREROUTING? Can we use POSTROUTING in the above rule?

Regards

Satish
 
Old 06-05-2011, 10:50 AM   #4
doru
I believe that dnat is made in prerouting in order to allow routing decisions to be made correctly.

==============in
============prerouting
=========routing-decision
=======input
====local-process======forward
======output
==========routing-decision
===========postrouting
==============out

You should know the destination when you decide where you route the packet. Look at this diagram here: http://www.frozentux.net/iptables-tu...ERSINGOFTABLES (scroll down). You can't understand iptables without it. http://www.frozentux.net/documents/iptables-tutorial/

Last edited by doru; 06-05-2011 at 11:00 AM. Reason: bad alignment
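To make doru's hook-order diagram and pkrumins's reading of rule set 3 concrete, here is a small added illustration (my own toy model, not code from the thread or from the iptables project). It walks a packet through PREROUTING, the routing decision, FORWARD and POSTROUTING in that order and applies the three rules from rule set 3 at the hooks where they live. The topology is an assumption: eth1 faces the Internet and carries the router's public address 114.143.28.204, eth0 faces the LAN, 192.168.1.249 listens on TCP 4899, and the FORWARD policy is DROP. The client address 203.0.113.5 and port 40000 are constructed sample values. The `dnat_in="POSTROUTING"` switch is a thought experiment only: real iptables rejects a DNAT target in POSTROUTING (it is only valid in the nat table's PREROUTING and OUTPUT chains), and the model shows why that restriction exists: the routing decision would already have sent the packet to INPUT as local traffic before any rewrite could happen.

```python
"""Toy model of netfilter hook order for the thread's rule set 3 (added example).

Assumed topology: eth1 = Internet side with public address 114.143.28.204,
eth0 = LAN side, 192.168.1.249:4899 is the published service, FORWARD policy DROP.
Only the packet fields the three rules actually look at are modelled.
"""
from dataclasses import dataclass, replace

ROUTER_ADDRS = {"114.143.28.204"}                 # addresses the router treats as local
ROUTES = [("192.168.1.", "eth0"), ("", "eth1")]   # most specific first; "" is the default route
CONNTRACK = {}                                    # original 4-tuple -> translated destination


@dataclass
class Packet:
    in_iface: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True      # True for the first packet of a TCP connection
    out_iface: str = ""   # filled in by the routing decision


def route(dst):
    """Routing decision: pick the outgoing interface from the destination address."""
    return next(iface for prefix, iface in ROUTES if dst.startswith(prefix))


def dnat_rule(pkt):
    """iptables -t nat -A PREROUTING -i eth1 -p tcp --sport 1024:65535
       -d 114.143.28.204 --dport 4899 -j DNAT --to-destination 192.168.1.249"""
    if (pkt.in_iface == "eth1" and 1024 <= pkt.sport <= 65535
            and pkt.dst == "114.143.28.204" and pkt.dport == 4899):
        # netfilter records the translation so later packets of the flow
        # (and the replies) are handled by conntrack, not by the rule again
        CONNTRACK[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = "192.168.1.249"
        return replace(pkt, dst="192.168.1.249")
    return pkt


def filter_forward(pkt):
    """The two FORWARD rules of rule set 3; anything else hits the assumed DROP policy."""
    if (pkt.in_iface == "eth1" and pkt.out_iface == "eth0"
            and 1024 <= pkt.sport <= 65535
            and pkt.dst == "192.168.1.249" and pkt.dport == 4899):
        return "ACCEPT"
    if (pkt.in_iface == "eth0" and pkt.out_iface == "eth1" and not pkt.syn
            and pkt.src == "192.168.1.249" and pkt.sport == 4899
            and 1024 <= pkt.dport <= 65535):
        return "ACCEPT"
    return "DROP"


def undo_dnat_on_reply(pkt):
    """Conntrack's reverse translation: a reply from 192.168.1.249:4899 to a client
    we DNATed gets its source rewritten back to the public address. No rule needed."""
    for (csrc, csport, odst, odport), new_dst in CONNTRACK.items():
        if (pkt.src == new_dst and pkt.sport == odport
                and pkt.dst == csrc and pkt.dport == csport):
            return replace(pkt, src=odst)
    return pkt


def traverse(pkt, dnat_in="PREROUTING"):
    """Walk a packet through the hooks in the order of doru's diagram.
    Returns (where the packet ended up, packet as it looked at that point)."""
    if dnat_in == "PREROUTING":
        pkt = dnat_rule(pkt)                      # nat/PREROUTING: before routing
    if pkt.dst in ROUTER_ADDRS:                   # routing decision: ours -> INPUT
        return ("INPUT", pkt)
    pkt = replace(pkt, out_iface=route(pkt.dst))  # routing decision: forward via ...
    if filter_forward(pkt) != "ACCEPT":           # filter/FORWARD
        return ("DROPPED", pkt)
    if dnat_in == "POSTROUTING":                  # hypothetical: too late to matter
        pkt = dnat_rule(pkt)
    pkt = undo_dnat_on_reply(pkt)                 # nat/POSTROUTING-time conntrack work
    return ("OUT " + pkt.out_iface, pkt)


def demo():
    """Four constructed packets; returns a dict of (outcome, packet) per scenario."""
    CONNTRACK.clear()
    client_syn = Packet("eth1", "203.0.113.5", 40000, "114.143.28.204", 4899, syn=True)
    results = {"dnat_in_prerouting": traverse(client_syn)}
    reply = Packet("eth0", "192.168.1.249", 4899, "203.0.113.5", 40000, syn=False)
    results["reply"] = traverse(reply)
    # the LAN host trying to open its own connection from port 4899: '! --syn' blocks it
    lan_syn = Packet("eth0", "192.168.1.249", 4899, "203.0.113.5", 40000, syn=True)
    results["lan_initiated_syn"] = traverse(lan_syn)
    CONNTRACK.clear()
    results["dnat_in_postrouting"] = traverse(client_syn, dnat_in="POSTROUTING")
    return results


if __name__ == "__main__":
    for name, (outcome, pkt) in demo().items():
        print(f"{name:22s} {outcome:10s} src={pkt.src}:{pkt.sport} dst={pkt.dst}:{pkt.dport}")
```

Running it shows the client's SYN leaving on eth0 with destination 192.168.1.249, the reply leaving on eth1 with its source restored to 114.143.28.204, the LAN host's own SYN from port 4899 dropped by the `! --syn` rule, and the hypothetical POSTROUTING-DNAT packet ending in INPUT because the routing decision saw the public address as local.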
 
Old 06-07-2011, 01:51 AM   #5
satish
Iptables Question

Thanks for the reply; you had given me a good explanation and the link for the iptables book.

Regards

Satish
 