* Robb Kidd (rkidd@ncmec.org) [010928 10:18]:
> Let me see if I've got this right.
> With:
> LANDEV="eth0"
> INETDEV="eth1"
> iptables -P FORWARD DROP
> (obviously not my whole iptables setup, but what I hope is relevant)
>
> If I'm going to open port 80 and direct outside connections to an
> internal box, I'll need:
>
> iptables -t nat -A PREROUTING -i $INETDEV -p tcp --dport 80 -j DNAT \
> --to-destination 192.168.1.10
>
> ...but in addition to this, I'll need:
>
> iptables -A FORWARD -i $INETDEV -d 192.168.1.10 -j ACCEPT
>
> I was logging dropped packets with the 192.168.1.10 destination before I
> added the above FORWARD entry and now it works. Is this the "right" way
> to perform port forwarding? Is there a more optimal method? (Full
> iptables script available, but I thought I'd not deluge the list yet.)

Looks good to me, though I'd be surprised if it works without also adding
this rule (which maybe you have but accidentally omitted when posting):

iptables -A FORWARD -o $INETDEV -i $LANDEV -s 192.168.1.10 -j ACCEPT \
  -m state --state ESTABLISHED,RELATED
# if you don't have the ipt_state module (or built in to your kernel)
# omit the second line of that rule

or maybe you already had a more general rule allowing outbound traffic to
be forwarded from your LAN to the Internet, in which case you don't need
to add anything and it should already be working.

From my experience, though, you're doing things correctly! If there's a
better way to do it, I've never seen it.

--
Vineet
http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.

echo Qba\'g gernq ba zr\! |tr 'a-zA-Z' 'n-za-mN-ZA-M'
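The three rules the thread arrives at (DNAT in PREROUTING, a FORWARD rule for the inbound traffic, and a FORWARD rule for the internal box's replies), collected into one shell function as an added example that is not from either poster. It narrows the inbound FORWARD rule to the forwarded TCP port instead of accepting everything destined for 192.168.1.10, and the IPTABLES variable can be set to "echo" to dry-run without touching the kernel; the interface names and the 192.168.1.10 address are the thread's own, the function name and its arguments are assumptions.

```shell
#!/bin/sh
# Added example: install the rules a DNAT port-forward needs when the
# FORWARD chain policy is DROP. Set IPTABLES=echo to print instead of apply.
IPTABLES="${IPTABLES:-iptables}"
LANDEV="${LANDEV:-eth0}"
INETDEV="${INETDEV:-eth1}"

# port_forward EXT_PORT INTERNAL_IP [INT_PORT]
# 1. nat PREROUTING: rewrite the destination of inbound traffic on INETDEV
# 2. FORWARD: accept only the rewritten TCP port towards the internal box
#    (narrower than "-d INTERNAL_IP -j ACCEPT", which admits every port)
# 3. FORWARD: accept the internal box's replies for that connection only;
#    needs the ipt_state module, as the reply above notes
port_forward() {
    ext_port="$1"; int_ip="$2"; int_port="${3:-$1}"
    "$IPTABLES" -t nat -A PREROUTING -i "$INETDEV" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "$int_ip:$int_port"
    "$IPTABLES" -A FORWARD -i "$INETDEV" -o "$LANDEV" -p tcp -d "$int_ip" \
        --dport "$int_port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$LANDEV" -o "$INETDEV" -p tcp -s "$int_ip" \
        --sport "$int_port" -m state --state ESTABLISHED,RELATED -j ACCEPT
}
```

Source the file and run `IPTABLES=echo port_forward 80 192.168.1.10` to review the exact rules before applying them on a box whose FORWARD policy is DROP.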