* S. Salman Ahmed ([EMAIL PROTECTED]) [010703 21:29]:
> >>>>> "JB" == Jim Breton <[EMAIL PROTECTED]> writes:
> JB> Nope, you still have to explicitly allow the packets to be
> JB> forwarded.
> JB>
>
> Still no go. I added the following rules to my earlier firewall setup:
>
> iptables -t nat -A PREROUTING -i eth0 -s SomeIpAddress \
> -p tcp -d MyIpAddress --dport 22 \
> -j DNAT --to 192.168.1.2
>
> iptables -A FORWARD -i eth0 -s SomeIpAddress \
> -p tcp --dport 22 -j ACCEPT
Add this to the 2 rules above and you should be set:
iptables -A FORWARD -o eth0 -s 192.168.1.2 -d SomeIpAddress \
-p tcp --sport 22 -j ACCEPT
I generally like to be as explicit as possible and include both
interfaces and both addresses in my FORWARD chain, i.e.
iptables -A FORWARD -i $EXT_IF -o $INT_IF -s $REMOTE_HOST -d $DMZ_HOST \
-p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $DMZ_HOST -d $REMOTE_HOST \
-p tcp --sport 22 -j ACCEPT
or, better, in place of that second rule:
iptables -m state -A FORWARD -i $INT_IF -o $EXT_IF \
-s $DMZ_HOST -d $REMOTE_HOST \
-p tcp --sport 22 --state ESTABLISHED,RELATED -j ACCEPT
I think by that example you'll see how these things work. See how with
your current setup the remote host can send packets to the DMZ_HOST
but reply packets would be dropped. You have to consider all the
traffic in all directions.
It would work if you change default policy to accept, but that's not a
good solution.
HTH,
Vineet
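The point Vineet makes, that a DNAT port-forward needs the packet allowed across FORWARD in both directions and not only rewritten in nat/PREROUTING, as a complete script. This is an added example, not code from the original thread. The interface names, the RFC 5737 documentation addresses standing in for SomeIpAddress, MyIpAddress and the DMZ host, and the DRY_RUN switch are placeholders assumed for illustration. It uses the conntrack state match (the current spelling of the "-m state" match in the post) so that one rule covers the return half of every permitted flow, and it also turns on the ip_forward sysctl, without which the kernel drops forwarded packets before any FORWARD rule sees them.

```shell
#!/bin/sh
# Added example: DNAT port-forward of TCP/22 from one remote host to a DMZ host
# behind a Linux firewall, with the FORWARD rules both directions need.
# Not from the original thread. Interfaces, addresses and DRY_RUN are
# assumed placeholders; replace them for a real deployment.

EXT_IF=${EXT_IF:-eth0}                    # Internet-facing interface
INT_IF=${INT_IF:-eth1}                    # interface toward the DMZ
MY_IP=${MY_IP:-203.0.113.10}              # firewall's public address (placeholder)
REMOTE_HOST=${REMOTE_HOST:-198.51.100.7}  # the only client allowed in (placeholder)
DMZ_HOST=${DMZ_HOST:-192.168.1.2}         # SSH server behind the firewall
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-0}                     # 1 = print commands instead of running them

# Run a command, or print it when DRY_RUN=1 so the rule set can be reviewed first.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

apply_ssh_forward() {
  # The kernel drops forwarded packets before any chain sees them unless this is on.
  run sysctl -w net.ipv4.ip_forward=1

  # Default deny in FORWARD: every flow crossing the box must be allowed explicitly.
  run "$IPT" -P FORWARD DROP

  # One stateful rule handles the reply half of every permitted flow, in both
  # directions, so no per-service --sport rule is needed for return traffic.
  run "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # nat/PREROUTING rewrites the destination before the routing decision.
  run "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -s "$REMOTE_HOST" -d "$MY_IP" \
      -p tcp --dport 22 -j DNAT --to-destination "$DMZ_HOST"

  # FORWARD runs after DNAT, so it sees DMZ_HOST as the destination, not MY_IP.
  # Only the first packet of a connection needs this; later ones match the
  # ESTABLISHED,RELATED rule above.
  run "$IPT" -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$REMOTE_HOST" -d "$DMZ_HOST" \
      -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# Usage: ./fwd-ssh.sh show   (print the rules)   |   ./fwd-ssh.sh apply   (install them)
case "${1:-}" in
  show)  DRY_RUN=1; apply_ssh_forward ;;
  apply) apply_ssh_forward ;;
esac
```

Run it with "show" first and read the five commands it would execute; the ESTABLISHED,RELATED rule is appended before the NEW rule on purpose, so the reply packets from the DMZ host are accepted by a rule that matches any permitted service rather than by a separate --sport 22 rule per service. Because the script starts by setting the FORWARD policy to DROP, anything not listed here stops crossing the box the moment it runs, which is the behaviour the thread is after.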