* Roger Keays (s354157@student.uq.edu.au) [010928 18:18]:
> > Robb,
> >
> > I have these rules in my /etc/init.d/firewall script:
> >
> > # accept packets on port 80
> > /sbin/iptables -A INPUT -j ACCEPT -p tcp -i $externint \
> >     -d $externip --dport http
> >
> > # rewrite their destination
> > /sbin/iptables -t nat -A PREROUTING -p tcp -d $externip --dport http \
> >     -j DNAT --to $webserver:80
> >
> > # I believe the new packet will pass through the forward chain too
> > # Is this correct?
> > /sbin/iptables -P FORWARD ACCEPT
> >
> > # If you want to use the external address to access the web server from an
> > # _internal_ machine, you need to trick the server into thinking the
> > # request is coming from the firewall...
> > # ($localip is the firewall's local ip address)
> > /sbin/iptables -t nat -I POSTROUTING -d $webserver -s $localnet -p tcp \
> >     -j SNAT --to $localip
> >
> > # Allow all packets to LAN
> > /sbin/iptables -A OUTPUT -j ACCEPT -o $localint \
> >     -s $localnet -d $localnet
>
> I don't remember the details... will these packets pass through the input,
> forwards _and_ output chains?

No, that's how it was for ipchains, but not under the 2.4 series kernel's
netfilter system. It looks kinda like this:

PREROUTING                                    OUTPUT---------+
    |                                            |           |
    v                                            v           |
(routing decision)------->FORWARD------->(routing decision)--+
    |                                            |           |
    |                                            |           v
    +->INPUT<------------------------------------+      POSTROUTING

Locally generated packets start at OUTPUT, and only packets routed to this
host go through INPUT. See Rusty's guide at
http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc-6.html
for more detailed info.

-- 
Vineet
http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\! |tr 'a-zA-Z' 'n-za-mN-ZA-M'
Attachment:
pgpGntu2rR31E.pgp
Description: PGP signature
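As an added example (not code from the thread), a small Python model of the netfilter traversal Vineet describes, with Roger's DNAT and hairpin-SNAT rules applied at the nat hook points. Addresses are constructed stand-ins for $externip, $webserver and $localip, and it assumes $localnet is 192.168.1.0/24.

```python
from dataclasses import dataclass, replace

# Constructed stand-ins for the script's $externip, $webserver and $localip.
EXTERNIP, WEBSERVER, LOCALIP = "203.0.113.10", "192.168.1.20", "192.168.1.1"
LOCAL_ADDRS = {EXTERNIP, LOCALIP}          # addresses owned by the firewall itself

def in_localnet(ip):                       # $localnet, assumed to be 192.168.1.0/24
    return ip.startswith("192.168.1.")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    local_origin: bool = False             # True if generated on the firewall

def nat_prerouting(pkt):
    # -t nat -A PREROUTING -p tcp -d $externip --dport http -j DNAT --to $webserver:80
    if pkt.dst == EXTERNIP and pkt.dport == 80:
        return replace(pkt, dst=WEBSERVER)
    return pkt

def nat_postrouting(pkt):
    # -t nat -I POSTROUTING -d $webserver -s $localnet -p tcp -j SNAT --to $localip
    if pkt.dst == WEBSERVER and in_localnet(pkt.src):
        return replace(pkt, src=LOCALIP)
    return pkt

def traverse(pkt):
    """Return (chains visited in order, packet as it leaves the last chain).
    Locally generated packets start at OUTPUT; everything else enters at
    PREROUTING, where DNAT runs before the routing decision. Only packets
    routed to this host go through INPUT; forwarded packets never see INPUT."""
    chains = []
    if pkt.local_origin:
        chains.append("OUTPUT")            # nat PREROUTING never sees these
    else:
        chains.append("PREROUTING")
        pkt = nat_prerouting(pkt)
    if pkt.dst in LOCAL_ADDRS:             # routing decision: is it for us?
        chains.append("INPUT")
        return chains, pkt
    if not pkt.local_origin:
        chains.append("FORWARD")           # here only -P FORWARD ACCEPT lets it pass
    chains.append("POSTROUTING")
    return chains, nat_postrouting(pkt)
```

Running an outside client's request to $externip:80 through `traverse` shows it visits PREROUTING, FORWARD and POSTROUTING only, so the INPUT accept rule for port 80 never matches it and the traffic is admitted solely by the FORWARD policy. A connection the firewall itself makes to $externip:80 goes OUTPUT then INPUT and is not redirected, because the DNAT rule sits in nat PREROUTING and locally generated packets do not pass through it.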