In Watchguard's Firebox system, there is a term called 1-to-1 NAT, a new one to me. This is used in reference to a packet filtering router protecting a DMZ from the WWW. The same principle is what I applied to achieve my "virtual host":
# inbound: rewrite the virtual external IP to the inner host
iptables -t nat -A PREROUTING -d 10.20.0.4 -j DNAT --to-destination 192.168.168.2
# outbound: rewrite the inner host's source address back to the virtual IP
# (matches on the source address of packets leaving the inner host)
iptables -t nat -A POSTROUTING -s 192.168.168.2 -j SNAT --to-source 10.20.0.4
Now I want to enable certain ports (for instance, 22 and 80) and deny everything else. When is the appropriate time to add protocol filters, before or after these two lines? And what would they look like?
192.168.168.2 is a Linksys WAP11 behind the firewall.
10.20.0.4 is a Virtual IP on the external interface (which is already firewalled down the line).
Thanks!
-Ryan Beisner
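An added example of how the port filtering fits around the two NAT rules; this is not part of the original post. Filtering does not go "before or after" the NAT lines in the same chain: the NAT rules live in the nat table, while accept/deny rules belong in the filter table's FORWARD chain, which the kernel traverses after PREROUTING (so DNAT has already rewritten the destination to the inner address) and before POSTROUTING. The filter rules therefore match on 192.168.168.2, not on the virtual IP. The script below uses the two addresses from the post; the interface name eth0 and the use of `-m conntrack` are assumptions, and with `RUN=echo` (the default here) it prints the rules instead of applying them so it can be reviewed on any machine.

```shell
#!/bin/sh
# Added example: 1-to-1 NAT for 10.20.0.4 -> 192.168.168.2 plus a default-deny
# FORWARD policy for the inner host that admits only TCP 22 and 80 from outside.
# RUN=echo prints the iptables commands; set RUN= on the firewall to apply them.
RUN="${RUN-echo}"
EXT_IP=10.20.0.4          # virtual IP on the external interface (from the post)
INT_IP=192.168.168.2      # Linksys WAP11 behind the firewall (from the post)
EXT_IF="${EXT_IF:-eth0}"  # ASSUMED external interface name
ALLOWED_PORTS="22 80"     # TCP ports the post wants open

ipt() { $RUN iptables "$@"; }

nat_rules() {
  # nat table: inbound destination rewrite, outbound source rewrite (1-to-1 NAT)
  ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -j DNAT --to-destination "$INT_IP"
  ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_IP" -j SNAT --to-source "$EXT_IP"
}

filter_rules() {
  # filter table, FORWARD chain: evaluated after PREROUTING DNAT, so the
  # destination seen here is already the inner address.
  # 1. let replies to connections the inner host opened (and related traffic) through
  ipt -A FORWARD -d "$INT_IP" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # 2. allow new connections only to the listed TCP ports, only from the outside interface
  for p in $ALLOWED_PORTS; do
    ipt -A FORWARD -i "$EXT_IF" -d "$INT_IP" -p tcp --dport "$p" \
        -m conntrack --ctstate NEW -j ACCEPT
  done
  # 3. everything else destined for the inner host is dropped
  ipt -A FORWARD -d "$INT_IP" -j DROP
}

all_rules() { nat_rules; filter_rules; }

# Helpers used to check the generated rule set (count of per-port ACCEPT rules
# and the final DROP rule); only meaningful with RUN=echo.
accept_rule_count() { all_rules | grep -c -- '--dport'; }
has_default_drop() { all_rules | grep -q -- "-A FORWARD -d $INT_IP -j DROP"; }
```

Run it once with the default `RUN=echo` to read the exact commands, then with `RUN=` to install them. If the system's iptables predates the conntrack match, `-m state --state` takes the same state names.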