From: Dimitri Yioulos <dyioulos@firstbhph.com>
To: netfilter@lists.netfilter.org
Subject: Re: Port forwarding question
Date: Thu, 21 Sep 2006 17:23:30 -0400 [thread overview]
Message-ID: <200609211723.31082.dyioulos@firstbhph.com> (raw)
In-Reply-To: <451300B6.2050902@rtij.nl>
On Thursday September 21 2006 5:14 pm, you wrote:
> Dimitri Yioulos wrote:
> >On Thursday September 21 2006 4:25 pm, you wrote:
> >>Greetings,
> >>
> >>Dimitri Yioulos wrote:
> >>>Noob, question:
> >>>
> >>>I want to allow a vendor to access a piece of equipment on our
> >>>LAN (192.168.100.46) through port 4000 from outside via a server
> >>>in our DMZ (www.xxx.yyy.zzz). While I should know how to do
> >>>this, I'm not 100% sure. Can someone help?
> >>
> >>DNAT.
> >>
> >>for example:
> >>iptables -t nat -A PREROUTING -d www.xxx.yyy.zzz -i eth1 -p tcp
> >>--dport 4000 -j
> >>DNAT --to 192.168.100.46
> >
> >eth1 being the DMZ iface?
>
> No, your Internet interface.
>
> This rule says: if destination is www.xxx.yyy.zzz and it comes in
> through eth1 and it's tcp and it's on port 4000, then DNAT to the
> internal server. Obviously, if the packet comes from the vendor, it
> must come from the Internet, so the interface in -i must be your
> Internet interface.
>
> You could leave this out, but that opens up all kind of nastiness
> if you access this port on www.xxx.yyy.zzz from your DMZ (the
> return packets will go straight to your client in the DMZ, will not
> go through your firwall so will not be de-DNATted. Your client will
> get confused as it gets packets from somewhere it's not expecting
> them. In short, it will not work). You could replace that -i with
> "! -i $DMZ_IF", meaning if it comes in from any interface but the
> DMZ interface. Then you can access it from any interface (read your
> internal interface) other than your DMZ interface.
>
> HTH,
> M4
Stupid me. Of course it's the inet interface. And, I appreciate the
explanation.
Many, many thanks to all for you help!
Dimitri
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
next prev parent reply other threads:[~2006-09-21 21:23 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-09-21 19:55 Port forwarding question Dimitri Yioulos
2006-09-21 20:23 ` Martijn Lievaart
2006-09-21 20:25 ` Mr Ritter
2006-09-21 20:32 ` Mr. Ritter
2006-09-21 20:53 ` Dimitri Yioulos
2006-09-21 21:14 ` Martijn Lievaart
2006-09-21 21:23 ` Dimitri Yioulos [this message]
-- strict thread matches above, loose matches on Subject: below --
2007-04-30 17:37 David
2007-05-02 12:00 ` Elvir Kuric
2008-03-17 16:26 port " Phil Sutter
2008-03-17 18:13 ` Jan Engelhardt
2008-03-17 18:32 ` Cloves Pereira Costa Jr
2008-03-17 20:01 ` Andrew Schulman
2008-03-18 16:36 ` Jan Engelhardt
2009-05-06 18:25 Port Forwarding Question Aaron Clausen
2009-05-08 15:57 ` Michele Petrazzo - Unipex
[not found] ` <8ec0428d0905171444q4e8a75dj6e60bfbab93bc75d@mail.gmail.com>
2009-05-17 21:54 ` Aaron Clausen
2009-05-18 7:03 ` Покотиленко Костик
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200609211723.31082.dyioulos@firstbhph.com \
--to=dyioulos@firstbhph.com \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox