* NAT+FORWARD
From: Paulo Andre @ 2004-05-05 10:09 UTC
To: netfilter

I just need some clarification please.

Take for example the following two rules:

iptables -t nat -A PREROUTING -i $ext_card -s $client_IP -d $my_ext_ip -p tcp --dport 80 -j DNAT --to $int_web_IP:80
iptables -A FORWARD -i $ext_card -d $int_web_IP -p tcp --dport 80 -j ACCEPT

According to my thinking the above rule would be unsafe, as the source was not specified on the FORWARD rule, and that would allow anyone using the firewall as a gateway to have access to $int_web_IP on port 80. Is that correct?

Paulo
* Re: NAT+FORWARD
From: Ray Leach @ 2004-05-06 10:21 UTC
To: Netfilter Mailing List

On Wed, 2004-05-05 at 12:09, Paulo Andre wrote:
> I just need some clarification please.
>
> Take for example the following two rules:
>
> iptables -t nat -A PREROUTING -i $ext_card -s $client_IP -d $my_ext_ip -p tcp
> --dport 80 -j DNAT --to $int_web_IP:80
> iptables -A FORWARD -i $ext_card -d $int_web_IP -p tcp --dport 80 -j ACCEPT
>
> According to my thinking the above rule would be unsafe, as the source was not
> specified on the FORWARD rule, and that would allow anyone using the firewall
> as a gateway to have access to $int_web_IP on port 80. Is that correct?
>

Assuming their traffic passes the prerouting rules and the $int_web_IP is routable for them, yes.

> Paulo

-- 
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
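The following script is an added example and is not code from either message in the thread. It places the two rules as posted next to a tightened version in which the FORWARD rule repeats the source restriction and, in addition, uses the conntrack match (`-m conntrack --ctstate DNAT`, assumed to be available on the firewall) so that only connections the PREROUTING rule actually translated are accepted; it also sets a DROP policy on FORWARD, which assumes nothing else in the ruleset relies on the default ACCEPT policy. Interface and address values are constructed placeholders, and setting `IPT=echo` turns the rule loading into a dry run that prints the rules instead of installing them, which is what the two self-check functions use.

```shell
#!/bin/sh
# Added example: DNAT to an internal web server, with a loose FORWARD rule
# (as posted in the thread) next to a tightened one. All values below are
# constructed placeholders; override them from the environment as needed.

ext_card="${ext_card:-eth0}"
client_IP="${client_IP:-203.0.113.10}"
my_ext_ip="${my_ext_ip:-198.51.100.1}"
int_web_IP="${int_web_IP:-192.168.1.80}"

# IPT=echo gives a dry run that prints each rule instead of loading it.
IPT="${IPT:-iptables}"

# The pair of rules as posted: the FORWARD rule carries no -s, so any host
# whose packets for $int_web_IP are routed through this box reaches port 80,
# whether or not the PREROUTING rule translated them.
load_loose_rules() {
    $IPT -t nat -A PREROUTING -i "$ext_card" -s "$client_IP" -d "$my_ext_ip" \
        -p tcp --dport 80 -j DNAT --to-destination "$int_web_IP:80"
    $IPT -A FORWARD -i "$ext_card" -d "$int_web_IP" -p tcp --dport 80 -j ACCEPT
}

# Tightened version: the FORWARD rule repeats the source match and also
# requires that the connection was DNATed (ctstate DNAT), so packets addressed
# directly to the internal host do not match this ACCEPT rule.
load_tight_rules() {
    $IPT -t nat -A PREROUTING -i "$ext_card" -s "$client_IP" -d "$my_ext_ip" \
        -p tcp --dport 80 -j DNAT --to-destination "$int_web_IP:80"
    $IPT -A FORWARD -i "$ext_card" -s "$client_IP" -d "$int_web_IP" \
        -p tcp --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
    # Replies and later packets of already accepted flows.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anything else that would be forwarded is dropped (assumed policy).
    $IPT -P FORWARD DROP
}

# Self-checks: run the named loader in dry-run mode inside a subshell and
# inspect the FORWARD rule for port 80. Both return 0 on success, 1 otherwise.
forward_rule_restricts_source() {
    ( IPT=echo; "$1" ) | grep -- '-A FORWARD' | grep -- '--dport 80' \
        | grep -q -- "-s $client_IP"
}

forward_rule_requires_dnat_state() {
    ( IPT=echo; "$1" ) | grep -- '-A FORWARD' | grep -- '--dport 80' \
        | grep -q -- '--ctstate DNAT'
}

# Install the tightened rules only when explicitly asked to; preview them
# first with:  IPT=echo sh thisscript.sh apply
if [ "${1:-}" = "apply" ]; then
    load_tight_rules
fi
```

Run with `IPT=echo sh script.sh apply` to see exactly which rules would be installed; `forward_rule_restricts_source load_loose_rules` fails, which is the gap the thread describes, while both checks pass for `load_tight_rules`.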