From: "Rob Sterenborg" <rob@sterenborg.info>
To: netfilter@vger.kernel.org
Subject: RE: Question about nat filtering with FORWARD
Date: Wed, 24 Jun 2009 12:54:48 +0200
Message-ID: <001d01c9f4ba$316a3c30$943eb490$@info>
In-Reply-To: <1072.192.168.1.3.1245839976.squirrel@webmail.decimal.pt>
> > You need to allow the return traffic also. This can be done with
> > connection tracking and the state match.
> >
> > /Oskar
> Forgive me, but i'm a bit confused in a gray area right now.
> With the PREROUTING it wasn't needed to add that and it worked. For
> this new scenario, I tried:
>
> #allow all (??)
> iptables -t filter -A FORWARD -j ALLOW
> #allow TCP PORT 22
> iptables -t filter -A FORWARD -p tcp --dport 22 -j ACCEPT # ssh
> #block everything else
> iptables -t filter -A FORWARD -j DROP
I think you want this:
$ipt -P FORWARD DROP
$ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -m state --state NEW -p tcp --dport 22 -j ACCEPT
- You don't need to specify "-t filter". It's the default table.
- All packets that are not explicitly allowed will be dropped in the
FORWARD chain (policy = DROP).
- Any reply packet in an established connection will be accepted using
"--state RELATED,ESTABLISHED". Actually, you don't need RELATED here,
but it doesn't hurt either and you do need it if you want to forward FTP
and such protocols.
- The first packet in a connection for port 22/tcp will be accepted.
(Any subsequent packets will be accepted by the previous rule.)
For more info, you might want to read (parts of) Oskar Andreasson's
IPTables Tutorial at:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
-- Rob
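To make the difference between the two rulesets concrete, here is a small added example (not from the thread, and not how the kernel implements it): a toy model of a stateful FORWARD chain with a default policy, a conntrack state match and a tcp --dport match. It replays the same constructed packet sequence through Rob's three-line ruleset, through a ruleset that accepts NEW port-22 traffic but forgets the RELATED,ESTABLISHED rule (the situation Oskar's remark about return traffic covers), and through the quoted attempt, where an unconditional accept as the first rule shadows everything after it. The addresses, ports and the way INVALID is assigned (no mid-stream pickup, i.e. a TCP packet without SYN and without a tracked entry) are assumptions of the model, not facts from the thread; real conntrack also does timeouts, window tracking and helper-based RELATED handling, which this omits.

```python
"""Toy model of a stateful iptables FORWARD chain (added example, not thread code).

Models only what the thread discusses: chain policy, -m state --state
NEW/ESTABLISHED/INVALID, and -p tcp --dport N.  RELATED is accepted by the
state match but never produced, since no helpers are modelled.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # True for the first packet of a TCP handshake
    proto: str = "tcp"


@dataclass
class Rule:
    target: str                               # "ACCEPT" or "DROP"
    states: FrozenSet[str] = frozenset()      # empty: no -m state match
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.states and state not in self.states:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


class Forwarder:
    """FORWARD chain plus a minimal conntrack table keyed by 5-tuple."""

    def __init__(self, policy: str, rules: List[Rule]):
        self.policy = policy
        self.rules = rules
        self.table = set()      # tracked flows, stored in their original direction

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def classify(self, pkt: Packet) -> str:
        if self._key(pkt) in self.table or self._reply_key(pkt) in self.table:
            return "ESTABLISHED"          # either direction of a tracked flow
        if pkt.proto == "tcp" and not pkt.syn:
            return "INVALID"              # assumption: no mid-stream pickup
        return "NEW"

    def forward(self, pkt: Packet) -> Tuple[str, str]:
        """Return (conntrack state, verdict) and update the table on accept."""
        state = self.classify(pkt)
        verdict = self.policy
        for rule in self.rules:           # first matching rule wins
            if rule.matches(pkt, state):
                verdict = rule.target
                break
        if state == "NEW" and verdict == "ACCEPT":
            self.table.add(self._key(pkt))    # entry confirmed only if not dropped
        return state, verdict


def robs_ruleset() -> Forwarder:
    """$ipt -P FORWARD DROP; accept RELATED,ESTABLISHED; accept NEW tcp/22."""
    return Forwarder("DROP", [
        Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
        Rule("ACCEPT", states=frozenset({"NEW"}), proto="tcp", dport=22),
    ])


def no_state_ruleset() -> Forwarder:
    """Same, but without the rule that lets return traffic through."""
    return Forwarder("DROP", [
        Rule("ACCEPT", states=frozenset({"NEW"}), proto="tcp", dport=22),
    ])


def quoted_attempt() -> Forwarder:
    """The quoted attempt; '-j ALLOW' is read as the 'allow all' the comment says."""
    return Forwarder("ACCEPT", [
        Rule("ACCEPT"),                          # matches everything: rules below are dead
        Rule("ACCEPT", proto="tcp", dport=22),
        Rule("DROP"),
    ])


# Constructed traffic: an SSH session, an HTTP attempt, a stray packet, an outbound SYN.
SCENARIO = [
    Packet("192.168.1.3", 40000, "10.0.0.5", 22, syn=True),   # client SYN to sshd
    Packet("10.0.0.5", 22, "192.168.1.3", 40000),             # SYN-ACK reply
    Packet("192.168.1.3", 40000, "10.0.0.5", 22),             # ACK / data
    Packet("192.168.1.3", 40001, "10.0.0.5", 80, syn=True),   # SYN to port 80
    Packet("10.0.0.5", 22, "192.168.1.3", 50000),             # untracked, no SYN
    Packet("10.0.0.5", 22, "192.168.1.3", 50001, syn=True),   # server-initiated SYN
]


def run(fw: Forwarder, packets: List[Packet]) -> List[Tuple[str, str]]:
    return [fw.forward(p) for p in packets]


if __name__ == "__main__":
    for name, build in (("rob", robs_ruleset), ("no-state", no_state_ruleset),
                        ("quoted", quoted_attempt)):
        print(name, run(build(), SCENARIO))
```

Running it shows the point of each reply in the thread: with Rob's ruleset only the SSH flow passes, and its SYN-ACK is accepted by the RELATED,ESTABLISHED rule rather than by the port-22 rule; drop that rule and the very first reply is dropped, so the connection never completes; and the quoted attempt accepts every packet, including the untracked one, because its first rule matches unconditionally.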
Thread overview (17+ messages):
2009-06-24 10:04 Question about nat filtering with FORWARD Jorge Bastos
2009-06-24 10:22 ` Oskar Berggren
2009-06-24 10:39 ` Jorge Bastos
2009-06-24 10:54 ` Rob Sterenborg [this message]
2009-06-24 11:20 ` Christoph Paasch
2009-06-24 11:24 ` Jorge Bastos
2009-06-24 11:47 ` Christoph Paasch
2009-06-24 15:06 ` Jorge Bastos
2009-06-24 15:26 ` Richard Horton
2009-06-24 15:45 ` Jorge Bastos
2009-06-24 16:00 ` Oskar Berggren
2009-06-24 18:10 ` Jorge Dávila
2009-06-24 19:40 ` Jorge Bastos
2009-06-24 20:35 ` lists
2009-06-24 11:56 ` Rob Sterenborg
2009-06-25 10:13 ` Pascal Hambourg
2009-06-25 10:18 ` Pascal Hambourg