From: Ralf Spenneberg <lists@spenneberg.org>
To: mailinglist@plobe.com
Cc: Netfilter <netfilter@lists.netfilter.org>
Subject: Re: IPTables routing
Date: 29 Nov 2003 09:38:34 +0100
Message-ID: <1070095114.1657.17.camel@kermit>
In-Reply-To: <35733.141.150.249.168.1070044358.squirrel@mail.plobe.com>
On Fri, 2003-11-28 at 19:32, mailinglist@plobe.com wrote:
> I have a network which has a gateway with iptables on it. I want
> iptables to send all data bound for an external server (Ex. server.com or
> 20.20.20.20) to a third server (server_mirror.com). So iptables needs to
> rewrite the header on every packet bound for the intended server
> (server.com) so that the packets get routed to the third server
> (server_mirror.com).
This is easy. You just do DNAT in PREROUTING.
> Also, the third server and person making the request
> are making a socket connection that sends data two ways.
Is this an additional connection? Which end will initiate the
connection? If it is the client(person) and you know the used ports, it
is easy (see above).
If you do not know the ports and the client initiates the connection, it
is easy but somehow unsafe.
If the server initiates the connection it becomes even more unsafe.
If you do not know the server (any server on the internet) it is
completely unsafe unless you write a conntrack_helper module for
iptables (C-hacking).
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: VPN mit Linux
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
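As an added example (not code from the thread or from its authors), here is the DNAT-in-PREROUTING rule Ralf refers to, for the easy case where the client initiates the connection on a known port. The interface name, mirror address and port are assumed placeholders; the script prints the rules by default and only applies them with the `apply` argument.

```shell
#!/bin/sh
# Added example, not from the original thread: DNAT in PREROUTING so that
# packets for the intended server are delivered to a mirror instead.
# LAN_IF, MIRROR and PORT are assumed placeholder values.
LAN_IF="eth0"                 # gateway interface facing the clients
ORIG_SERVER="20.20.20.20"     # address the clients think they are talking to
MIRROR="192.0.2.10"           # where the packets should really go (placeholder)
PORT="80"                     # the known TCP service port

# Print the rules instead of running them, so they can be reviewed first.
# Matching on interface, protocol, destination and port limits the rewrite
# to the one flow that was asked for (the "you know the ports" case).
# An IP rather than a hostname is used for -d: iptables resolves names only
# once, when the rule is inserted.
dnat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp -d $ORIG_SERVER --dport $PORT -j DNAT --to-destination $MIRROR:$PORT
iptables -A FORWARD -i $LAN_IF -p tcp -d $MIRROR --dport $PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Apply the rules (needs root). The FORWARD rule matters only when the
# FORWARD chain policy is DROP; replies from the mirror are un-NATed by
# conntrack as long as they come back through this gateway.
apply_rules() {
    dnat_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     dnat_rules ;;      # default: dry run, just show the rules
esac
```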