well someone should hit me over the head with a tack hammer. i managed to get your posts (didn't know that there are archives!) and your explanation was helpful. i struggled for the past 3hrs messing with diff rules with no luck. then i noticed this line at the bottom of POSTROUTING rules.

#/sbin/iptables -t nat -A POSTROUTING -o $INTIF -j SNAT --to $INTIP

i had no idea why it was there, or when i wrote it, but it seemed strange and i remembered what you had said about a PRE rule also using POST rules. well i uncommented it and bingo, all my existing rules held up. thanks for all the assistance, i am still confused regarding the grand scope of ipchains, but hopefully understanding will come with time, and problems to solve. =)

thanks again,
mike

-----Original Message-----
From: Steve Bowman [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 14, 2000 6:46 PM
To: michael a. hacker
Cc: [email protected]
Subject: Re: FW: port forwarding using iptables

On Tue, Aug 15, 2000 at 04:20:44AM -0400, michael a. hacker wrote:
> well i apologize if anyone replied (hopefully) but my school decided to
> nuke my e-mail server without informing anyone (that's what i get for going
> to a state school). all the mail i had on that account is lost in
> format-land.
> well needless to say i am still having this problem and i would really like
> to figure it out.. any help would be appreciated.
>
> mike
>

I sent you a couple of responses (a big one and a correction) - I was wondering why they bounced. See the debian-firewall archive for 8/11 or write me directly and I'll resend them off-list.

A clarification to my previous correction: in my original post (of 8/11, not the very first one some days earlier), I was thinking of outbound connections initiated by the host in question. In this restricted case, no -d flag is needed unless you are multi-homed. Having the -d flag in a DNAT rule doesn't affect outgoing connections which are initiated by the host in question, and is therefore not needed in this case, because different chains are traversed (i.e., PREROUTING is not traversed). However, in the "correction post", I was thinking of a firewall configuration where connections are originated by hosts behind the firewall. In this more general case the -d flag is needed to prevent rerouting those connection attempts from the outside world to your internal servers.

-- 
Steve Bowman <[EMAIL PROTECTED]> (preferred)
Buckeye, AZ <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
<http://www.goodnet.com/~sbowman/>
Powered by Debian GNU/Linux <http://www.debian.org>
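The two points in this thread, why a PREROUTING DNAT rule needs `-d` once LAN hosts originate connections through the firewall, and why the `-o $INTIF -j SNAT --to $INTIP` POSTROUTING line made mike's forwarding work again, can be seen by walking a few packets through a toy model of the nat table. The model below is an added example, not part of the thread and not iptables itself: it implements only the matching that matters here (DNAT in PREROUTING, a routing decision, SNAT in POSTROUTING) with constructed interface names and documentation-range addresses.

```python
"""Toy model of the netfilter nat table: PREROUTING (DNAT) -> routing -> POSTROUTING (SNAT).

Constructed example for illustration; it is not iptables and ignores conntrack,
filter chains and everything else. Interface names and addresses are assumed.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

EXTIF, INTIF = "eth0", "eth1"                   # assumed: external and internal interfaces
EXTIP, INTIP = "203.0.113.10", "192.168.1.1"    # constructed firewall addresses
SERVER = "192.168.1.20"                         # constructed internal web server
LAN = "192.168.1."                              # prefix test standing in for a netmask


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str


@dataclass(frozen=True)
class DnatRule:
    """One '-t nat -A PREROUTING -p tcp --dport N [-d ADDR] -j DNAT --to TARGET' rule."""
    dport: int
    to: str
    dst: Optional[str] = None   # the -d flag; None means the rule matches any destination

    def matches(self, p: Packet) -> bool:
        return p.dport == self.dport and (self.dst is None or p.dst == self.dst)


def prerouting(p: Packet, rules: List[DnatRule]) -> Packet:
    """First matching DNAT rule wins, as in a real chain; rewrite the destination."""
    for r in rules:
        if r.matches(p):
            return replace(p, dst=r.to)
    return p


def route(p: Packet) -> str:
    """Routing decision taken after PREROUTING, so it sees the DNAT'd destination."""
    return INTIF if p.dst.startswith(LAN) else EXTIF


def postrouting(p: Packet, out_if: str, hairpin_snat: bool) -> Packet:
    """Masquerade LAN sources leaving on EXTIF. With hairpin_snat, also apply the
    '-o $INTIF -j SNAT --to $INTIP' rule to LAN traffic the firewall forwards
    back onto INTIF, so the server's replies return via the firewall."""
    if out_if == EXTIF and p.src.startswith(LAN):
        return replace(p, src=EXTIP)
    if out_if == INTIF and hairpin_snat and p.src.startswith(LAN):
        return replace(p, src=INTIP)
    return p


def traverse(p: Packet, rules: List[DnatRule], hairpin_snat: bool = False) -> Tuple[Packet, str]:
    """Run one forwarded packet through the nat table; return (packet as sent, out interface)."""
    p = prerouting(p, rules)
    out_if = route(p)
    return postrouting(p, out_if, hairpin_snat), out_if


# The two rule sets under discussion: DNAT without and with -d $EXTIP.
WITHOUT_D = [DnatRule(dport=80, to=SERVER)]
WITH_D = [DnatRule(dport=80, to=SERVER, dst=EXTIP)]

# Constructed packets, one per case discussed in the thread.
OUTSIDE_CLIENT = Packet("198.51.100.7", EXTIP, 80, EXTIF)       # internet client hitting the forwarded port
LAN_TO_WEB = Packet("192.168.1.50", "198.51.100.7", 80, INTIF)  # LAN host browsing an external web server
LAN_HAIRPIN = Packet("192.168.1.50", EXTIP, 80, INTIF)          # LAN host using the firewall's public address

if __name__ == "__main__":
    for name, rules in (("without -d", WITHOUT_D), ("with -d", WITH_D)):
        for label, pkt in (("outside->fw", OUTSIDE_CLIENT), ("lan->web", LAN_TO_WEB), ("lan->public", LAN_HAIRPIN)):
            out, oif = traverse(pkt, rules, hairpin_snat=True)
            print(f"{name:10} {label:12} {out.src} -> {out.dst}:{out.dport} via {oif}")
```

Without `-d`, the LAN host's connection to an outside web server is silently redirected to the internal server, because the rule matches every port-80 packet entering PREROUTING regardless of interface or destination; with `-d $EXTIP` only traffic actually addressed to the firewall's public address is forwarded. The hairpin case shows the second point: a LAN client reaching the server through the public address gets DNAT'd, but unless the source is also rewritten on the way back out `$INTIF`, the server answers the client directly and the reply never passes the firewall that holds the NAT mapping.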

