PREROUTING vs INPUT&FORWARD v iptables

[Jan Sembera]

>> ...
>> This table should only be used for NAT (Network Address Translation) on
>> different packets... Note that, as we have said before, only the first 
>> packet in a stream will hit this chain. After this, the rest of the 
>> packets will automatically have the same action taken on them as the 
>> first packet
>> ...
> Well, ted uz to dava smysl. Totiz "first packet in a stream" nemusi 
> notne byt SYN paket. Asi je tim myslen prvni paket v "baliku" (okne, 
> davce). pro ostatni pakety pak plati stejna pravidla, jako pro prvni 
> paket (ohledne prekladu adres), coz je logicke ..... (NAT).
Jedna se skutecne pouze o prvni packet spojeni (SYN), mozna jeste k nemu
odpovidajici ACK, ale rozhodne to je vsechno. Protoze se v pripade NATu
uplatnuje stateful, jedna se o state NEW. Packety v jinych stavech vubec
tablou nat neprochazi, jsou natovany v ramci connection trackingu, protoze
jakmile natujete jeden packet, je logicke, ze budete natovat celou tu
konekci a neni duvod overovat znovu. TCP window s tim nema vubec co delat.

-- 
Jan Sembera