
Re: Opening :80 through a NATing iptables firewall.



* Roger Keays (s354157@student.uq.edu.au) [010928 18:18]:
> 
> Robb,
> 
> I have these rules in my /etc/init.d/firewall script:
> 
> # accept packets on port 80
> /sbin/iptables -A INPUT -j ACCEPT -p tcp -i $externint \
>                         -d $externip --dport http
> 
> # rewrite their destination
> /sbin/iptables -t nat -A PREROUTING -p tcp -d $externip --dport http \
>                         -j DNAT --to $webserver:80
> 
> # I believe the new packet will pass through the forward chain too
> # Is this correct?
> /sbin/iptables -P FORWARD ACCEPT
> 
> # If you want to use the external address to access the web server from an
> # _internal_ machine, you need to trick the server into thinking the
> # request is coming from the firewall...
> # ($localip is the firewalls local ip address)
> /sbin/iptables -t nat -I POSTROUTING -d $webserver -s $localnet -p tcp \
>                         -j SNAT --to $localip
> 
> # Allow all packets to LAN
> /sbin/iptables -A OUTPUT -j ACCEPT -o $localint \
>                         -s $localnet -d $localnet
> 
> 
> I don't remember the details... will these packets pass through the input,
> forward _and_ output chains?

No, that's how it was for ipchains, but not under the 2.4 series
kernel's netfilter system. It looks kinda like this:

PREROUTING                OUTPUT-------------+
    |                                        |
    v                                        v
(routing decision)------->FORWARD------->(routing decision)--+
|                                            |               |
|                                            |               v
+->INPUT<------------------------------------+           POSTROUTING

Locally generated packets start at OUTPUT, and only packets routed to
this host go through INPUT.

See Rusty's guide at

http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc-6.html

for more detailed info.

-- 
Vineet                                   http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\!             |tr 'a-zA-Z' 'n-za-mN-ZA-M'
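A ruleset that follows the traversal Vineet describes, as an added example that is not part of the thread and not the original poster's script: because DNAT happens in PREROUTING before the routing decision, the rewritten packet is routed to the web server and traverses FORWARD, never INPUT, so the ACCEPT has to live in FORWARD (the INPUT rule in the quoted script matches nothing useful). The interface names, addresses and the IPT dry-run variable are assumptions; run with IPT=iptables as root to apply the rules for real.

```shell
#!/bin/sh
# Added example, not from the original thread.  Emits (or, with
# IPT=iptables, applies) a DNAT port-forward for :80 that matches the
# 2.4 netfilter chain traversal:
#   PREROUTING -> routing -> FORWARD -> POSTROUTING   (forwarded/DNATed)
#   PREROUTING -> routing -> INPUT                    (to this host only)
IPT="${IPT:-echo iptables}"        # dry-run by default: print the rules

# Assumed addresses (TEST-NET-3 / RFC 1918), not values from the post.
EXTERNINT=eth0;  EXTERNIP=203.0.113.10
LOCALINT=eth1;   LOCALNET=192.168.1.0/24;  LOCALIP=192.168.1.1
WEBSERVER=192.168.1.20

port_forward_rules() {
    # 1. Rewrite the destination before routing.  After this the routing
    #    decision sends the packet to FORWARD, so no INPUT rule is needed.
    $IPT -t nat -A PREROUTING -i "$EXTERNINT" -p tcp -d "$EXTERNIP" --dport 80 \
        -j DNAT --to-destination "$WEBSERVER:80"

    # 2. Default-deny FORWARD instead of "-P FORWARD ACCEPT"; allow replies
    #    (conntrack un-NATs them on the way back) and only NEW web traffic
    #    that has already been rewritten to the server's real address.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$EXTERNINT" -o "$LOCALINT" -p tcp -d "$WEBSERVER" --dport 80 \
        -m state --state NEW -j ACCEPT

    # 3. Hairpin for LAN clients that use the external address: rule 1 is
    #    bound to $EXTERNINT, so add a LAN-side DNAT, let it through FORWARD
    #    (in and out on the same interface), and SNAT so the server answers
    #    via the firewall rather than straight back to the client.
    $IPT -t nat -A PREROUTING -i "$LOCALINT" -p tcp -d "$EXTERNIP" --dport 80 \
        -j DNAT --to-destination "$WEBSERVER:80"
    $IPT -A FORWARD -i "$LOCALINT" -o "$LOCALINT" -p tcp -d "$WEBSERVER" --dport 80 \
        -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$LOCALINT" -p tcp -s "$LOCALNET" -d "$WEBSERVER" \
        --dport 80 -j SNAT --to-source "$LOCALIP"
}

port_forward_rules
```

The FORWARD rules match on the post-DNAT destination ($WEBSERVER), not on $EXTERNIP, because by the time a packet reaches FORWARD its destination has already been rewritten; matching on the external address there would never fire.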
