* Roger Keays (s354157@student.uq.edu.au) [010928 18:18]:
>
> Robb,
>
> I have these rules in my /etc/init.d/firewall script:
>
> # accept packets on port 80
> /sbin/iptables -A INPUT -j ACCEPT -p tcp -i $externint \
> -d $externip --dport http
>
> # rewrite their destination
> /sbin/iptables -t nat -A PREROUTING -p tcp -d $externip --dport http \
> -j DNAT --to $webserver:80
>
> # I believe the new packet will pass through the forward chain too
> # Is this correct?
> /sbin/iptables -P FORWARD ACCEPT
>
> # If you want to use the external address to access the web server from an
> # _internal_ machine, you need to trick the server into thinking the
> # request is coming from the firewall...
> # ($localip is the firewalls local ip address)
> /sbin/iptables -t nat -I POSTROUTING -d $webserver -s $localnet -p tcp \
> -j SNAT --to $localip
>
> # Allow all packets to LAN
> /sbin/iptables -A OUTPUT -j ACCEPT -o $localint \
> -s $localnet -d $localnet
>
>
> I don't remember the details... will these packets pass through the input,
> forwards _and_ output chains?
No, that's how it was for ipchains, but not under the 2.4 series
kernel's netfilter system. It looks kinda like this:
PREROUTING                                OUTPUT-------------+
    |                                        |
    v                                        v
(routing decision)------->FORWARD------->(routing decision)--+
    |                                        |               |
    |                                        |               v
    +->INPUT<--------------------------------+          POSTROUTING
Locally generated packets start at OUTPUT, and only packets routed to
this host go through INPUT.
See Rusty's guide at
http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc-6.html
for more detailed info.
--
Vineet http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\! |tr 'a-zA-Z' 'n-za-mN-ZA-M'
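To make the traversal Vineet describes concrete, here is an added Python model (example code, not from either message in the thread) that walks a packet through the 2.4 netfilter hooks in order, applying the quoted DNAT and hairpin-SNAT rules on the way; the addresses are constructed and stand in for the script's $externip, $localip, $webserver and $localnet variables. It shows that after the PREROUTING DNAT the routing decision sends the web request through FORWARD, so the INPUT ACCEPT rule in the quoted script is never consulted for it.

```python
# Constructed model of 2.4 netfilter hook traversal (example code, not from the thread).
# Addresses are made up and stand in for $externip, $localip, $webserver, $localnet.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

EXTERNIP = "203.0.113.10"    # $externip: firewall's public address
LOCALIP = "192.168.1.1"      # $localip: firewall's LAN address
WEBSERVER = "192.168.1.20"   # $webserver: internal web server
LOCALNET = "192.168.1."      # $localnet, matched here as a prefix
LOCAL_ADDRS = {EXTERNIP, LOCALIP}
# nat PREROUTING DNAT table: (dst, dport) -> (new dst, new dport), as in the quoted rule
DNAT = {(EXTERNIP, 80): (WEBSERVER, 80)}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: Optional[str]   # None means locally generated

def route(pkt: Packet) -> str:
    """Routing decision: addressed to this host -> INPUT, otherwise FORWARD."""
    return "INPUT" if pkt.dst in LOCAL_ADDRS else "FORWARD"

def postrouting_snat(pkt: Packet) -> Packet:
    """nat POSTROUTING: the quoted SNAT so LAN clients reaching $webserver appear as $localip."""
    if pkt.dst == WEBSERVER and pkt.src.startswith(LOCALNET):
        return replace(pkt, src=LOCALIP)
    return pkt

def traverse(pkt: Packet) -> Tuple[List[str], Packet]:
    """Return the hooks the packet visits, in order, and the packet as it leaves."""
    if pkt.in_iface is None:
        # Locally generated packets start at OUTPUT; they never see INPUT or FORWARD.
        return ["OUTPUT", "POSTROUTING"], postrouting_snat(pkt)
    chains = ["PREROUTING"]
    target = DNAT.get((pkt.dst, pkt.dport))
    if target:
        pkt = replace(pkt, dst=target[0], dport=target[1])  # DNAT runs before routing
    hook = route(pkt)                                        # decided on the rewritten dst
    chains.append(hook)
    if hook == "FORWARD":
        chains.append("POSTROUTING")
        pkt = postrouting_snat(pkt)
    return chains, pkt

if __name__ == "__main__":
    # The DNATed web request goes PREROUTING -> FORWARD -> POSTROUTING, never INPUT.
    print(traverse(Packet("198.51.100.7", EXTERNIP, 80, "eth0")))
```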