* Roger Keays ([EMAIL PROTECTED]) [010928 18:18]:
> > Robb,
> > I have these rules in my /etc/init.d/firewall script:
>
> # accept packets on port 80
> /sbin/iptables -A INPUT -j ACCEPT -p tcp -i $externint \
>     -d $externip --dport http
>
> # rewrite their destination
> /sbin/iptables -t nat -A PREROUTING -p tcp -d $externip --dport http \
>     -j DNAT --to $webserver:80
>
> # I believe the new packet will pass through the forward chain too
> # Is this correct?
> /sbin/iptables -P FORWARD ACCEPT
>
> # If you want to use the external address to access the web server from an
> # _internal_ machine, you need to trick the server into thinking the
> # request is coming from the firewall...
> # ($localip is the firewall's local ip address)
> /sbin/iptables -t nat -I POSTROUTING -d $webserver -s $localnet -p tcp \
>     -j SNAT --to $localip
>
> # Allow all packets to LAN
> /sbin/iptables -A OUTPUT -j ACCEPT -o $localint \
>     -s $localnet -d $localnet
>
> > I don't remember the details... will these packets pass through the input,
> > forwards _and_ output chains?
No, that's how it was for ipchains, but not under the 2.4 series
kernel's netfilter system. It looks kinda like this:
PREROUTING                            OUTPUT-------------+
    |                                                    |
    v                                                    v
(routing decision)------->FORWARD------->(routing decision)--+
    |                                           |            |
    |                                           |            v
    +->INPUT<-----------------------------------+       POSTROUTING

Locally generated packets start at OUTPUT, and only packets routed to
this host go through INPUT.
See Rusty's guide at
http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc-6.html
for more detailed info.
--
Vineet http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\! |tr 'a-zA-Z' 'n-za-mN-ZA-M'
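Added example, not from Vineet's reply or Roger's script: a small Python model of the netfilter chain traversal sketched above, used to trace which chains a packet hits under Roger's DNAT and SNAT rules. It models only the nat table for the first packet of a connection, assumes the filter rules ACCEPT everything, and uses constructed documentation/private addresses for $externip, $localip, $webserver and $localnet.

```python
# Added example, not from the original thread: a model of 2.4-series
# netfilter chain traversal (PREROUTING before the routing decision,
# OUTPUT for locally generated packets, FORWARD only for routed packets).
# Only the nat table is modelled, for the first packet of a connection.
# All addresses below are constructed placeholders, not real hosts.
import ipaddress
from dataclasses import dataclass, replace
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    locally_generated: bool = False  # True for packets the firewall itself sends


# A nat rule is (match predicate, replacement address).
NatRule = Tuple[Callable[[Packet], bool], str]


@dataclass
class Host:
    local_ips: Set[str]             # addresses the routing decision treats as "for me"
    prerouting_dnat: List[NatRule]
    postrouting_snat: List[NatRule]


def traverse(pkt: Packet, host: Host) -> List[Tuple[str, Packet]]:
    """Return the chains a packet visits, in order, with the packet as each
    chain sees it. Filter rules are assumed to ACCEPT everything."""
    trace = []
    if pkt.locally_generated:
        # Locally generated packets start at OUTPUT and never see PREROUTING.
        trace.append(("OUTPUT", pkt))
    else:
        # PREROUTING runs before the routing decision, so a DNAT here decides
        # whether the packet is for INPUT (us) or FORWARD (someone else).
        for match, new_dst in host.prerouting_dnat:
            if match(pkt):
                pkt = replace(pkt, dst=new_dst)
                break
        trace.append(("PREROUTING", pkt))
    # Routing decision on the (possibly rewritten) destination.
    if pkt.dst in host.local_ips:
        trace.append(("INPUT", pkt))
        return trace  # delivered locally; FORWARD and POSTROUTING never run
    if not pkt.locally_generated:
        trace.append(("FORWARD", pkt))  # only routed packets pass FORWARD
    for match, new_src in host.postrouting_snat:
        if match(pkt):
            pkt = replace(pkt, src=new_src)
            break
    trace.append(("POSTROUTING", pkt))
    return trace


def chains_for(pkt: Packet, host: Host) -> List[str]:
    return [chain for chain, _ in traverse(pkt, host)]


def final_packet(pkt: Packet, host: Host) -> Packet:
    return traverse(pkt, host)[-1][1]


def rogers_firewall() -> Host:
    """Roger's two nat rules, with constructed (hypothetical) addresses."""
    externip, localip, webserver = "203.0.113.1", "192.168.0.1", "192.168.0.10"
    localnet = ipaddress.ip_network("192.168.0.0/24")
    return Host(
        local_ips={externip, localip},
        # -t nat -A PREROUTING -p tcp -d $externip --dport http -j DNAT --to $webserver:80
        prerouting_dnat=[(lambda p: p.proto == "tcp" and p.dst == externip and p.dport == 80,
                          webserver)],
        # -t nat -I POSTROUTING -d $webserver -s $localnet -p tcp -j SNAT --to $localip
        postrouting_snat=[(lambda p: p.proto == "tcp" and p.dst == webserver
                           and ipaddress.ip_address(p.src) in localnet,
                           localip)],
    )


if __name__ == "__main__":
    fw = rogers_firewall()
    cases = [
        ("external client -> web", Packet("198.51.100.7", "203.0.113.1", 80)),
        ("internal client -> web via external addr", Packet("192.168.0.42", "203.0.113.1", 80)),
        ("external client -> ssh on firewall", Packet("198.51.100.7", "203.0.113.1", 22)),
        ("firewall -> webserver", Packet("192.168.0.1", "192.168.0.10", 80, locally_generated=True)),
    ]
    for label, pkt in cases:
        print(label + ":")
        for chain, p in traverse(pkt, fw):
            print(f"  {chain:<11} {p.src} -> {p.dst}:{p.dport}")
```

The trace for the web cases is PREROUTING, FORWARD, POSTROUTING: the DNAT has already rewritten the destination to $webserver by the time the routing decision is made, so those packets never reach INPUT and the `-A INPUT ... --dport http` rule never matches them. What lets them through is the FORWARD chain, here the default policy of ACCEPT; a FORWARD rule restricted to `-d $webserver -p tcp --dport 80` would be the tighter filter. Only the internal-client case has its source rewritten by the SNAT rule, which is what makes the server reply back via the firewall.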