From: "Chris Partsenidis" <Chris@globetechsolutions.com>
To: netfilter@lists.netfilter.org
Subject: Understanding the Forward and Postrouting chain
Date: Tue, 15 Apr 2003 12:52:04 +0300
Message-ID: <PFEDLCHOEGFHBPOGGFGBGEMCCAAA.Chris@globetechsolutions.com>
Greetings everyone,
While building a complex set of rules for my firewall I have stumbled
across a few problems and would like to know if there is anyone to help me
clear a few things in my mind.
If I were to set the Forward chain default policy to DROP, what rules would I
be required to enter in order to allow e.g. my internal network hosts to
telnet anywhere on the Internet?
For example take this setup:
LAN -----------------FIREWALL------------------------ Internet
192.168.1.0/24 public ip: 200.0.0.1
In this simple setup, my guess is that I'm required to create 3 rules for the
telnet to work.
One for the packets travelling from the LAN to the firewall, one for the
opposite (Internet to the firewall) and then one more
for the postrouting chain to masquerade the packets. Here is what I've done:
1) iptables -P FORWARD DROP
2) iptables -A FORWARD -s 192.168.1.0/24 -p tcp -d 0/0 --dport 23 -j ACCEPT
3) iptables -A FORWARD -p tcp -s 0/0 --sport 23 -d 200.0.0.1 -j ACCEPT
4) iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -p tcp -d 0/0 --dport 23 -j MASQUERADE
Would this be correct, and if not, can you please explain why. I'm not too
sure if loading ip_conntrack would eliminate the need for rule no. 3.
Regards,
Chris Partsenidis
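For the LAN -> firewall -> Internet layout in the question, the following is an added example and not code from the original post or from any reply in the thread. It prints (and, with --apply as root, loads) an iptables-restore(8) ruleset with FORWARD defaulting to DROP. Assumptions not present in the original: eth0 is the LAN interface, eth1 the Internet-facing one, and the `-m conntrack --ctstate` match is used (the older `-m state --state` form behaves the same; the kernel autoloads the connection-tracking module when a rule references it). The point it demonstrates is how connection tracking stands in for a reply-direction rule: an Internet reply is de-NATed in nat/PREROUTING before it reaches FORWARD, so in FORWARD its destination is the LAN host rather than the firewall's public address, and it is matched by connection state instead.

```shell
#!/bin/sh
# Added example (not from the original post): stateful FORWARD/POSTROUTING
# ruleset for "LAN (192.168.1.0/24) -- firewall -- Internet" with FORWARD
# policy DROP. Assumed interface names (not in the original): eth0 = LAN,
# eth1 = Internet. Prints an iptables-restore ruleset; loads it only when
# invoked as:  sh ruleset.sh --apply   (as root).

LAN_NET=192.168.1.0/24
LAN_IF=eth0
WAN_IF=eth1

# build_ruleset LAN_NET LAN_IF WAN_IF  -> iptables-restore text on stdout.
# '#' lines are legal in iptables-restore input and are skipped by it.
build_ruleset() {
    lan_net=$1; lan_if=$2; wan_if=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source-NAT everything from the LAN that leaves via the WAN interface.
# What is allowed to leave is decided in filter/FORWARD, not here.
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Packets conntrack cannot tie to any known connection are dropped.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Reply direction: an Internet reply has already been de-NATed in
# nat/PREROUTING when it hits FORWARD, so its destination is the LAN host,
# not the firewall's public address. Match it by connection state instead.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The only connections the LAN may initiate through the firewall: telnet out.
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -p tcp --dport 23 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

case "${1:-}" in
    --apply) build_ruleset "$LAN_NET" "$LAN_IF" "$WAN_IF" | iptables-restore ;;
    *)       build_ruleset "$LAN_NET" "$LAN_IF" "$WAN_IF" ;;
esac
```

Without --apply the script only prints the ruleset; `sh ruleset.sh | iptables-restore --test` parses it without committing, which is a cheap check before touching a remote firewall. Telnet is plaintext; swapping `--dport 23` for 22 is the only change needed to permit SSH instead.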
Thread overview: 4+ messages
2003-04-15 09:52  Understanding the Forward and Postrouting chain - Chris Partsenidis [this message]
2003-04-15 10:05  Re: Understanding the Forward and Postrouting chain - Raymond Leach
2003-04-15 12:04  Bridge + mangling; any similar experiences? - Scott MacKay
2003-04-15 13:23  Re: Understanding the Forward and Postrouting chain - Joel Newkirk