On Tue, Jul 03, 2001 at 03:04:01AM -0500, S . Salman Ahmed wrote:
> you mean something of the form:
>
> iptables -A FORWARD -i eth0 -p tcp -s <SomeIPAddress> --dport 22 -j DNAT
> --to 192.168.1.2

Almost:

iptables -A FORWARD -i eth0 -p tcp -s <SomeIPAddress> --dport 22 -j ACCEPT

> I thought the earlier DNAT rule would take care of this ?

Nope, you still have to explicitly allow the packets to be forwarded.

> All the docs I have seen on DNAT (including the netfilter HOWTO) _seem_ to
> imply that one DNAT rule is enough to do this kind of port-forwarding.

I just looked at the HOW-TO and indeed, it is not very clear that this needs
to be done. The examples cited should probably be more thorough; however, I
think they are working on this. I seem to remember a call for example scripts
and documentation help.

> In my script, I first set the default policies on INPUT, OUTPUT and
> FORWARD to ACCEPT. I later (i.e. towards the end of the script) set the
> default policy on INPUT to DROP.

Why go in circles? :)

> If I change the default policy on OUTPUT to DROP, will I have to add a
> rule to specifically allow outgoing packets from my 192.168.1.* local net ?

No, those packets will never touch the OUTPUT chain, only the FORWARD chain.
So you will have to allow them to be forwarded.

> Also, what if I want to use a port number other than the standard port
> 22 for SSH, i.e.:
>
> port 1111 => port forward to InternalMachine1:22
> port 2222 => port forward to InternalMachine2:22

Do it exactly as you handle the port 22 setup.

> Is there a convention to use/keep-in-mind when setting up something like
> this ?

Hmm, after you do it a couple of times you will get used to it. I suggest
putting some LOG rules toward the end of your rule sets to log anything that
escapes your other rules; then you can watch the logs and see what is
happening if things don't go as you expected.

-- 
Jim B.
[EMAIL PROTECTED]
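The two-rule pattern the reply describes (a DNAT in the nat table plus an explicit FORWARD ACCEPT for the rewritten packet), applied to the 22/1111/2222 mappings and finished with the trailing LOG rules it suggests, as an added example script that is not from the original thread. It assumes eth0 as the external interface, 192.168.1.2 and 192.168.1.3 as the internal machines, the documentation address 203.0.113.10 standing in for <SomeIPAddress>, and IPTABLES defaulting to "echo iptables" so the generated rules can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread: DNAT plus FORWARD rules for SSH
# port-forwarding. IPTABLES defaults to "echo iptables" so the generated
# rules can be reviewed without root; set IPTABLES=iptables to apply them.
IPTABLES="${IPTABLES:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"          # assumed external interface

# forward_ssh <allowed_source> <external_port> <internal_host> <internal_port>
# Emits both rules the reply says are needed: DNAT in nat/PREROUTING
# rewrites the destination; the FORWARD ACCEPT lets the rewritten packet
# through a FORWARD chain whose policy is DROP.
forward_ssh() {
    src="$1"; ext_port="$2"; host="$3"; int_port="$4"
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -p tcp -s "$src" \
        --dport "$ext_port" -j DNAT --to-destination "$host:$int_port"
    # FORWARD sees the packet after DNAT, so match the internal host/port.
    $IPTABLES -A FORWARD -i "$EXT_IF" -p tcp -s "$src" \
        -d "$host" --dport "$int_port" -j ACCEPT
}

# The LAN's outbound traffic crosses FORWARD, never OUTPUT, so it is
# allowed here; replies to established connections are let back in.
lan_rules() {
    $IPTABLES -A FORWARD -s 192.168.1.0/24 -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# LOG rules at the end of each chain, as suggested in the reply, so
# anything that escaped the explicit rules shows up in the kernel log
# before the chain policy drops it. Rate-limited so a flood cannot fill it.
log_tail() {
    for chain in INPUT FORWARD; do
        $IPTABLES -A "$chain" -m limit --limit 5/min -j LOG \
            --log-prefix "unhandled-$chain: "
    done
}

# Full rule set: constructed addresses (203.0.113.10 is a documentation
# address standing in for <SomeIPAddress>; .2 and .3 are the internal hosts).
ruleset() {
    $IPTABLES -P FORWARD DROP
    forward_ssh 203.0.113.10 22   192.168.1.2 22
    forward_ssh 203.0.113.10 1111 192.168.1.2 22
    forward_ssh 203.0.113.10 2222 192.168.1.3 22
    lan_rules
    log_tail
}

ruleset
```

Run as-is to print the rules for review; `IPTABLES=iptables sh script.sh` as root applies them, after which a blocked connection shows up in the kernel log with the "unhandled-FORWARD:" prefix.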

