* How to simplify iptables rules
@ 2006-09-20 14:19 Mindaugas
  0 siblings, 0 replies; only message in thread
From: Mindaugas @ 2006-09-20 14:19 UTC (permalink / raw)
  To: netfilter


  Hello,

  How do I configure a restrictive NAT firewall with different rules?

  For example, I want to NAT packets from net 10.0.0.0/8 to tcp ports 25 and 
80. Also I want to NAT packets from host 192.168.1.1.
  Now I understand that I need the following rules:

# outbound: 10.0.0.0/8 only to tcp 25/80, 192.168.1.1 to anything (multiport needs -p tcp)
iptables -A FORWARD -s 10.0.0.0/8 -i eth0 -o eth1 -p tcp -m multiport --dports 25,80 -j ACCEPT
# return traffic for those connections
iptables -A FORWARD -d 10.0.0.0/8 -i eth1 -o eth0 -p tcp -m multiport --sports 25,80 -j ACCEPT
iptables -A FORWARD -s 192.168.1.1 -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -d 192.168.1.1 -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -j DROP
# a different SNAT source address per host
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth1 -p tcp -m multiport --dports 25,80 -j SNAT --to-source 1.1.1.1
iptables -t nat -A POSTROUTING -s 192.168.1.1 -o eth1 -j SNAT --to-source 2.2.2.2

  So there are 3 rules for every host - forward out, forward back in, NAT. 
Maybe it is possible to simplify the rules? E.g. will this work for forwarding 
packets back:

-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate SNAT -j ACCEPT

  If I had a simple SNAT I could also mark packets in PREROUTING and simply 
let the marked packets forward and SNAT. But as one can notice, I need to 
SNAT them to different source addresses.

  Thanks,

  Mindaugas
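The following is an added example, not part of the original post: it loads the same policy as the rules above, but the per-host "forward back in" rules are collapsed into one stateful ESTABLISHED,RELATED rule, so each host needs two rules (forward out, SNAT) instead of three. It assumes eth0 is the inside interface, eth1 the outside one, and 1.1.1.1 / 2.2.2.2 are the SNAT addresses from the post; the script name nat-rules.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: the post's policy with the
# per-host return rules replaced by a single stateful rule.
# Assumptions: eth0 = inside, eth1 = outside, 1.1.1.1 / 2.2.2.2 are the
# SNAT addresses used in the post.
#
# Usage:  sh nat-rules.sh          (preview: print the iptables commands)
#         sh nat-rules.sh apply    (as root: really load them)
case "${1:-preview}" in
    apply) IPT="${IPT:-iptables}" ;;
    *)     IPT=echo ;;
esac

# nat_host SRC SNAT_ADDR [TCP_PORTS]
# Allow SRC out through eth1 (optionally only to the listed TCP ports)
# and SNAT it to SNAT_ADDR: two rules per host instead of three.
nat_host() {
    src=$1; to=$2; ports=$3
    if [ -n "$ports" ]; then
        # multiport needs an explicit protocol, so -p tcp goes with it.
        match="-p tcp -m multiport --dports $ports"
    else
        match=""
    fi
    # shellcheck disable=SC2086  # $match is meant to be word-split
    $IPT -A FORWARD -s "$src" -i eth0 -o eth1 $match -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$src" -o eth1 $match -j SNAT --to-source "$to"
}

apply_rules() {
    # Replies belong to connections conntrack already tracks, so one rule
    # accepts them for every host; no per-host --sports rule is needed.
    $IPT -A FORWARD -i eth1 -o eth0 \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    nat_host 10.0.0.0/8  1.1.1.1 25,80
    nat_host 192.168.1.1 2.2.2.2
    # Anything not explicitly accepted above is dropped.
    $IPT -A FORWARD -j DROP
}

apply_rules
```

Adding another host is one `nat_host` line; the return direction and the final DROP never change.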
