
Re: port forward with the ipmasq package and Iptables



On Wednesday 30 April 2003 10:41, Tom Goulet (UID0) wrote:
> > How do I forward a port on the external IP to the same port on an
> > internal IP?  I am using the ipmasq package and Iptables.  I'm willing
> > to abandon the ipmasq package.
>
> Create the file /etc/ipmasq/rules/F10portfw.rul or some similar name (I
> think it just needs to begin with "F") and put something similar to the
> below inside it:
>
> EXTIF=eth1
> INTIF=eth0
> EXTIP=192.0.0.37
> PRINTERIP=192.168.0.10
>
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 515 -m state \
>         --state NEW,ESTABLISHED,RELATED -j ACCEPT

Just a nitpick, but in general practice you want to limit this to just your 
destination IP, otherwise you'll potentially be opening yourself up to 
spoofed packets, depending on what else is going on in your firewall. 

Actually, breaking this up into two separate rules (one only accepting --state 
NEW on the destination for that port, and another accepting --state 
ESTABLISHED,RELATED for all connections/protocols) is a better approach.

t
-- 
GPG: http://n12turbo.com/tarragon/public.key
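
The two-rule split suggested in the reply above, as an added example that is not part of the original message. Interface names, port and printer address are taken from the quoted rule file; the helper names `forward_rules` and `valid_ipv4` and the dry-run default for `$IPTABLES` (which ipmasq normally sets itself) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. With IPTABLES unset this is a dry run
# that prints the commands instead of changing the firewall (assumption).
IPTABLES=${IPTABLES:-"echo iptables"}
EXTIF=eth1
INTIF=eth0
PRINTERIP=192.168.0.10

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# forward_rules PORT DESTIP: emit the tightened FORWARD rules for one
# forwarded TCP port. Refuses bad input rather than adding a loose rule.
forward_rules() {
    port=$1 dest=$2
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    valid_ipv4 "$dest" || return 1

    # Rule 1: only NEW connections, and only to the one internal host/port.
    # The original rule had no -d, so it matched any internal destination.
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$dest" \
        --dport "$port" -m state --state NEW -j ACCEPT

    # Rule 2: packets belonging to already-tracked connections, for all
    # protocols, so rule 1 never has to accept ESTABLISHED/RELATED itself.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

forward_rules 515 "$PRINTERIP"
```
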


