[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Validating NT thought a natting firewall

I think you have this backwards, are you talking about --to-source or
--source?  I'm also wondering why not just use proxy-arp(setup with the
arp cmd) and setup the internal IPs tobe what the external IPs are?  This
way the router can focus on fierwalling trafic and not needing todo any

You should be using...
iptable $OTHEROPTS -i eth<to world> --destination <IP.ext> DNAT
--to-destination <IP.int>

iptable $OTHEROPTS -o eth<to world> --source <IP.int> SNAT --to-source

Then use "-t filter -? FORWARD" to setup all your allow/deny/drop rules. 
Also don't forget to use "-m state NEW" and "-m state ESTABLISHED/RELATED"
for conection traking to take effect(so I'm told).

--- Leonardo Boselli <leo@dicea.unifi.it> wrote:
> On Wed, 26 May 2004, Mike Mestnik wrote:
> > K, use "iptabels -nvLt nat" too see what rules are being used.  Also
> use
> > tcpdump or iptaf to see what traffic is not getting passed.
> no rules added . the only odd thing (but this is wanted) is that DNAT
> require source to be in a.b.c.0/24 while SNAT require destination to be
> anything. *so i can access into the hosts only fronm localnet, while thy
> can start connections to every host in the net).
> PDC and BDC are a.b.c.11 .13. 15. .17 .19 !
> PS: GW uses kernel 2.4.26 , not 2.4.25

Do you Yahoo!?
Friends.  Fun.  Try the all-new Yahoo! Messenger.

Reply to: