Re: Port forwarding doesn't work.

[Herman <Herman@AerospaceSoftware.com>]

On Monday 13 October 2003 2:09 pm, Arnt Karlsen wrote:

   ..you don't need to specify interface nor protocol or ports other
   than possibly to make data for the nice graphs.  KISS:   ;-)

   # Accept everyting connected
   /sbin/iptables -A INPUT   -m state --state ESTABLISHED,RELATED \
   -j ACCEPT
   /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
   -j ACCEPT

Wow, that is far more simple than anything I ever saw in any howto.  I like it 
and I'll sure try it.

I currently have this input rule:
# Allow any related traffic coming back to the MASQ server in
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
 ESTABLISHED,RELATED -j ACCEPT

and these forward rules:
echo "     - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED 
\
 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

My snat masquerade rule looks like this:
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

Your suggestions will simplify these rules nicely.


The problem is that I'm not quite sure how the Java applet thing works - 
whether the connection is established from the inside, or whether the gov 
server starts it up from the outside, after the initial http connection - 
they may be doing that for some security reason.  If it is the latter, then 
the established,related rules won't work and explicit port forwarding rules 
would be required.  To add to my woes, the gov server is down for maintenance 
at the moment, so I can't test it properly.

Thanks,
-- 
Herman Oosthuysen 
B.Eng(E), MIEEE
Aerospace Software Ltd.
Ph: 1.403.241-8773, Cell: 1.403.852-5545, Fx: 1.403.241-8841
Herman@AerospaceSoftware.com, http://www.AerospaceSoftware.com