Re: Iptables config

To: Marcin Bednarz <mbednarz@student.uci.agh.edu.pl>
Cc: Lars Roland Kristiansen <m00lrk@math.ku.dk>, Debian-security@lists.debian.org
Subject: Re: Iptables config
From: Mathias Palm <Mathias.Palm@gmx.net>
Date: Mon, 15 Apr 2002 20:13:50 +0200
Message-id: <[🔎] 20020415181350.GB458@Osterstein>
In-reply-to: <[🔎] Pine.GSO.4.44.0204140907030.6819-100000@student.uci.agh.edu.pl>
References: <[🔎] Pine.GSO.4.44.0204121128150.18154-100000@student.uci.agh.edu.pl> <[🔎] Pine.GSO.4.44.0204140907030.6819-100000@student.uci.agh.edu.pl>

I'd say it might very well work correctly, but the table nat is not
made for package filtering but for address translation
(nat--network address translation) which is used for masquerading and
portforwarding. If you only want a filtering firewall you might very well
save yourself the effort to compile the nat modules and so on.

It might become a problem, when you have a more complicated firewall setup, where
you want to reject every package aiming at the firewall, but snat or masq an
internal network. You can read about this (at least to understand the
principles) in the Firewall- and Masquerading-HOWTOS which are part of debian. 

It is problably the same question why nobody uses vi to read postscript
documents when gs is available. It might work, but it is cumbersome. (Sorry
if I get polemic.)

Mathias

On Sun, Apr 14, 2002 at 09:11:55AM +0200, Marcin Bednarz wrote:
> 
> Hello.
> 
> I wrote :
> 
> >
> > # change of politics to drop
> > iptables -t nat -P PREROUTING DROP
> > iptables -t nat -P POSTROUTING DROP
> >
> > #add ssh serwer (allow incoming)
> > iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 22 -j ACCEPT
> >
> > #add pop3 and imap
> > iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 110 -j ACCEPT
> > iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 143 -j ACCEPT
> >
> > iptables -t nat -A PREROUTING -d $yourPublicIP -p udp --destination-port 110 -j ACCEPT
> > iptables -t nat -A PREROUTING -d $yourPublicIP -p udp --destination-port 143 -j ACCEPT
> >
> > iptables -t nat -A POSTROUTING -s $yourPublicIP -j ACCEPT
> >
> > # are you want to alow ping you machine ? (I dont know if postfix require it)
> > iptables -t nat -A PREROUTING  -d $yourPublicIP -p icmp -j ACCEPT
> > iptables -t nat -A POSTROUTING  -s $yourPublicIP -p icmp -j ACCEPT
> 
> and ...
> #SMTP
> iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 25  -j ACCEPT
> 
> 
> Why it is not correct ?
> Why you use filter table, not nat ?
> I am beginner so please help me if I don't understand anything.
> 
> Jakub S.
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 

-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

References:
- Re: Iptables config
  - From: Marcin Bednarz <mbednarz@student.uci.agh.edu.pl>
- Re: Iptables config
  - From: Marcin Bednarz <mbednarz@student.uci.agh.edu.pl>

Prev by Date: Re: Iptables config - new
Next by Date: Re: Iptables config - new
Previous by thread: Re: Iptables config
Next by thread: RE: Iptables config
Index(es):
- Date
- Thread