
FW: FW: port forwarding unsin iptables



well someone should hit me over the head with a tack hammer.

i managed to get your posts (didn't know that there are archives!) and your
explanation was helpful. i struggled for the past 3hrs messing with diff rules
with no luck. then i noticed this line at the bottom of the POSTROUTING rules.

#/sbin/iptables -t nat -A POSTROUTING -o $INTIF -j SNAT --to $INTIP

i had no idea why it was there, or when i wrote it, but it seemed strange
and i remembered what you had said about a PRE rule also using POST rules.
well i uncommented it and bingo, all my existing rules held up.

thanks for all the assistance, i am still confused regarding the grand
scope of ipchains, but hopefully understanding will come with time, and
problems to solve. =)

thanks again,

mike

-----Original Message-----
From: Steve Bowman [mailto:sbowman@frostwork.net]
Sent: Monday, August 14, 2000 6:46 PM
To: michael a. hacker
Cc: debian-firewall@lists.debian.org
Subject: Re: FW: port forwarding unsin iptables


On Tue, Aug 15, 2000 at 04:20:44AM -0400, michael a. hacker wrote:
> well i apologize if anyone replied (hopefully) but my school decided to
> nuke my e-mail server without informing anyone (that's what i get for going
> to a state school). all the mail i had on that account is lost in
> format-land.
> well needless to say i am still having this problem and i would really like
> to figure it out.. any help would be appreciated.
>
> mike
>

I sent you a couple of responses (A big one and a correction) - I was
wondering why they bounced.  See the debian-firewall archive for 8/11
or write me directly and I'll resend them off-list.

A clarification to my previous correction:

In my original post (of 8/11, not the very first one some days earlier),
I was thinking of outbound connections initiated by the host in question.
In this restricted case, no -d flag is needed unless you are multi-homed.
Having the -d flag in a DNAT rule doesn't affect outgoing connections
which are initiated by the host in question, and is therefore not needed
in this case, because different chains are traversed (i.e., PREROUTING
is not traversed).

However, in the "correction post", I was thinking of a firewall
configuration where connections are originated by hosts behind the
firewall.  In this more general case the -d flag is needed to prevent
rerouting those connection attempts from the outside world to your
internal servers.

--
Steve Bowman  <sbowman@frostwork.net> (preferred)
Buckeye, AZ   <sbowman@goodnet.com> <bowmanc@acm.org>
              <http://www.goodnet.com/~sbowman/>

Powered by Debian GNU/Linux <http://www.debian.org>
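The two points in this thread, the `-d` restriction on the DNAT rule (Steve's clarification) and the SNAT rule on the internal interface that mike had to uncomment, as an added example that is not code from either poster. Interface names, addresses and the web server's address are assumed; `IPT` defaults to `echo iptables` so the script prints the rules instead of needing root, and can be set to `iptables` to apply them.

```shell
#!/bin/sh
# Added example, not from the list posts. All names and addresses below are
# assumed placeholders; override them in the environment as needed.
EXTIF=${EXTIF:-eth0}                # interface facing the outside world
INTIF=${INTIF:-eth1}                # interface facing the LAN
EXTIP=${EXTIP:-203.0.113.10}        # firewall's public address
INTIP=${INTIP:-192.168.1.1}         # firewall's LAN address
INTNET=${INTNET:-192.168.1.0/24}    # LAN network
WEBSRV=${WEBSRV:-192.168.1.20}      # internal web server being forwarded to
IPT=${IPT:-echo iptables}           # dry run by default; set IPT=iptables to apply

# Weak form: the DNAT is keyed only on the destination port. PREROUTING is
# traversed by packets arriving on every interface, so a LAN host browsing
# any external web site would also be redirected to WEBSRV.
weak_dnat() {
    $IPT -t nat -A PREROUTING -p tcp --dport 80 \
        -j DNAT --to-destination "$WEBSRV"
}

# Corrected form: only packets addressed to the firewall's public IP are
# redirected; LAN-originated connections to other hosts pass untouched.
fixed_dnat() {
    $IPT -t nat -A PREROUTING -d "$EXTIP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEBSRV"
}

# The rule mike uncommented, narrowed to the forwarded service. When a LAN
# client connects to EXTIP, the DNAT sends the packet back out INTIF with the
# client's own source address, so the server would answer the client directly
# and the reply would never pass the firewall to have the DNAT undone.
# Rewriting the source to INTIP forces the reply back through the firewall.
hairpin_snat() {
    $IPT -t nat -A POSTROUTING -o "$INTIF" -s "$INTNET" -d "$WEBSRV" \
        -p tcp --dport 80 -j SNAT --to-source "$INTIP"
}

# Ordinary source NAT for LAN traffic leaving on the external interface.
outbound_snat() {
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET" \
        -j SNAT --to-source "$EXTIP"
}

# Complete nat table for the forwarded service: the weak rule is deliberately
# left out.
ruleset() {
    fixed_dnat
    hairpin_snat
    outbound_snat
}

ruleset
```

Run it as-is to see the three rules printed; run it with `IPT=iptables` as root to load them. The `-s "$INTNET" -d "$WEBSRV"` match on the hairpin rule keeps the source rewrite to the one case that needs it, so the web server still sees real client addresses for connections arriving from the outside.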

