Re: iptables filtering rules
i'm in the middle of switching from ipchains to iptables right now and i
haven't tested my DNAT rules yet, but from what i understand, packets
pass through the FORWARD chain in the filter table after the PREROUTING
chain in the nat table.
see the second paragraph here:
http://netfilter.samba.org/documentation/HOWTO//packet-filtering-HOWTO-9.html
xn
On Mon, Mar 25, 2002 at 10:46:45PM +0100, Andras GALAMBOSI wrote:
> Hello all,
>
> sorry to disturb you with this silly question. I am sure, that it is obvious
> to all list members (except me ;)
>
> scenario: intranet (10.10.1.x) with win clients (NT & 2k), gateway (Debian
> GNU/Linux potato with kernel 2.4.18 + iptables). NAT is used for requests
> from intranet to Internet. this works fine. Web & mailserver is behind the
> firewall, so I needed to set up portforwarding. dnat is used for this. this
> works fine.
> as the webserver is an ii$, I am sure, that some firewall rules must be set
> up for these two ports. The access.log shows, that is a MUST:
> GET /scripts/root.exe?/c+dir HTTP/1.0
> GET /MSADC/root.exe?/c+dir HTTP/1.0
> GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> ... so on... I'm sure, that it's just a script kiddie, but, on the other
> hand, it's just m$ product.
>
> Q: how to set up filtering rules, if a PREROUTING dnat rule has been set up
> before? the packet never comes to the INPUT. nor to the FORWARD, does it?
> I really do not want to set up another firewall onto that win2k server.
>
>
> TIA,
> gaan
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
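As an added example (not part of xn's reply or the original thread), here is a rule set for the scenario in the question that puts the filtering for the DNATed ports into FORWARD, where the packet arrives after nat/PREROUTING has already rewritten its destination. Interface names eth0/eth1 and the server address 10.10.1.2 are assumed placeholders; IPT defaults to `echo iptables`, so the script prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original mail. Builds the nat + filter rules
# for the gateway described in the question. Assumed names: WAN_IF, LAN_IF,
# WEB_IP. IPT defaults to "echo iptables" so the script only prints the
# commands; run as root with IPT=iptables to apply them for real.

IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"        # assumed Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"        # assumed intranet interface (10.10.1.0/24)
WEB_IP="${WEB_IP:-10.10.1.2}"   # assumed address of the forwarded web/mail host

forward_policy() {
  # nat/PREROUTING: DNAT rewrites the destination before the routing decision.
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_IP:80"
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 25 -j DNAT --to-destination "$WEB_IP:25"
  # nat/POSTROUTING: masquerade intranet clients going out to the Internet.
  $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s 10.10.1.0/24 -j MASQUERADE

  # filter/FORWARD is traversed AFTER PREROUTING, so the DNATed packet shows
  # up here with destination WEB_IP, not the gateway's public address.
  $IPT -P FORWARD DROP
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # The server itself may not open new connections outward: if one of the
  # probes seen in access.log ever succeeds, the box cannot phone home.
  # These rules must precede the general intranet ACCEPT below.
  $IPT -A FORWARD -i "$LAN_IF" -s "$WEB_IP" -m state --state NEW -j LOG --log-prefix "webserver-egress: "
  $IPT -A FORWARD -i "$LAN_IF" -s "$WEB_IP" -m state --state NEW -j DROP
  # Other intranet clients may open new connections to the Internet.
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT
  # From the Internet, only the two forwarded ports on the server are reachable.
  $IPT -A FORWARD -i "$WAN_IF" -d "$WEB_IP" -p tcp -m multiport --dports 80,25 -m state --state NEW -j ACCEPT
}

forward_policy
```

Filtering on the request path (the `/scripts/root.exe` probes) is not something these rules do; they only limit which ports are reachable and stop the server from initiating connections.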