From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: [Fwd: Server machines behind Firewall]
Date: Fri, 7 Jan 2005 10:27:55 -0500
Message-ID: <20050107152755.GA49@bender.817west.com>
In-Reply-To: <41DEA59E.F63D5C97@ita.org.mo>

On Fri, Jan 07, 2005 at 11:07:10PM +0800, edwardspl@ita.org.mo wrote:
> > EXT_IF="eth0"
> > INT_IF="eth1"
> > SRV1="10.1.1.10"
> >
> > iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 80 \
> >   -j DNAT --to-destination $SRV1
>
> I want to know why I needn't define the original IP ( Public IP )?
> eg :
>
> iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -s 202.175.xxx.xxx --dport 80 \
>   -j DNAT --to-destination 192.168.xxx.xxx

you can; if the original, public IP is different from the firewall's
external IP.  if you want to specify the original DESTINATION of the
packet, you would use "-d" not "-s" like so:

  iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $PUB_IP \
    --dport 80 -j DNAT --to-destination $SRV1

> Sorry, what is useful about the following function ( command line )?
>
> > iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --syn -d $SRV1 \
> >   --dport 80 -j ACCEPT

um--it allows the packet through the FORWARD chain of the filter table.
remember--you're trying to build a firewall here.

> In addition, if I want to set up a NAT ( 192.168.101.0/24 ) with a Server
> machines ( 192.168.100.1 ) behind Firewall...
> So, is there more than one sample ( nat scripts ) for reference ?

go read everything linked from the netfilter home page in the docs
section:

  http://netfilter.org/documentation/index.html

-j
--
"Dear Mr. President, there are too many states nowadays, please
eliminate three. I am not a crackpot."
--The Simpsons
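
Added example, not part of the original message or of the netfilter documentation: a dry-run POSIX shell script that emits the DNAT rule and the FORWARD rule discussed above as a pair, showing that PREROUTING matches the public destination while FORWARD matches the translated server address. The PUB_IP value, the IPT variable, the helper names is_ipv4 and port_forward_rules, and the conntrack rule are assumptions made for this example.

```shell
#!/bin/sh
# Added example. EXT_IF, INT_IF, SRV1 and PUB_IP are the thread's names;
# PUB_IP's value is a constructed documentation address (RFC 5737).
EXT_IF="eth0"
INT_IF="eth1"
PUB_IP="203.0.113.10"
SRV1="10.1.1.10"
# Dry run by default: rules are printed. Set IPT=iptables (as root) to apply.
IPT="${IPT:-echo iptables}"

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# port_forward_rules PUBLIC_IP SERVER_IP PORT (hypothetical helper)
port_forward_rules() {
    pub_ip=$1 srv=$2 port=$3
    is_ipv4 "$pub_ip" && is_ipv4 "$srv" || { echo "bad address" >&2; return 1; }
    case $port in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    [ ${#port} -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "bad port" >&2; return 1; }

    # nat/PREROUTING: match the packet's original DESTINATION (-d), then rewrite it.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$pub_ip" \
        --dport "$port" -j DNAT --to-destination "$srv"
    # filter/FORWARD is traversed after DNAT, so it sees the rewritten
    # destination and must match the server address, not the public one.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp --syn -d "$srv" \
        --dport "$port" -j ACCEPT
    # Assumption (not in the thread): --syn admits only the opening packet,
    # so the rest of each connection is passed by connection tracking.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

port_forward_rules "$PUB_IP" "$SRV1" 80
```

An address with a placeholder such as 202.175.xxx.xxx is rejected before any rule is emitted, so a half-edited script cannot install a partial rule set.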