Paul wrote:

[...]

> Now my forward cmd I have is just
>
> iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
>
> and it works fine, now any reason as to why you suggest to make it
>
> $IPTABLES -A FORWARD -i $EXTDEV -o $INTDEV -d 192.168.1.8 --dport 22 -j ACCEPT
>
> is it for security reasons or some other thing?

Yes, pretty much security. If the external network had stuffed routing, it might be possible to convince your router to pass along port 22 packets to some other internal machine. Although with your setup, the -i and -o might be redundant. I would keep the -d switch though.

> Also how would I go by to make it so it would also work from the internal
> network, because I do plan on getting a web server running as well which
> would just be
>
> iptables -t nat -A PREROUTING -p tcp -d $EXTIP --dport 80 -j DNAT --to 192.168.1.8:80
> iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
>
> But I would like it so I could view the website internally as well, and
> not quite sure how to go about that, because I know it's just prerouting
> stuff from the external network, not internal one

I'm not sure what you mean here. Do you want to visit http://$EXTIP from within the LAN and have packets end up at 192.168.1.8? This causes some problems if you try, because the packet gets to the internal web server just fine, but when it responds, it wants to reply directly to the client, which will discard it as an unsolicited packet. I'll try to illustrate:

client's request:  client -> firewall (translate address) -> server
server's response: server -> client (address doesn't get translated)

There are a couple of nicer ways to do this: you could just view the site at its own address internally, you could use a web proxy (transparent or otherwise) on the firewall, or you could play with DNS to give different IP addresses for the web server depending on who's requesting it. An even uglier way to do it would be to take away the web server's LAN route, so it only sent packets to the firewall :)

Of course, I haven't dealt with this myself, so there are probably other solutions I don't know about.

Jason
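The rules discussed in this thread, written out as an added example (not from either poster): the DNAT port forwards, the restrictive FORWARD rule with the -d match Jason recommends keeping, and, going one step beyond the options Jason lists, a "hairpin" MASQUERADE rule that fixes the reply problem he illustrates by making the server answer through the firewall. The interface names eth0/eth1 and the public address 203.0.113.10 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the port forwards discussed above with
# the restrictive FORWARD rule Jason recommends, plus a "hairpin" SNAT rule so
# LAN clients reaching http://$EXTIP get their replies back through the
# firewall (the response problem Jason illustrates). Interface names and the
# public address are assumptions; 203.0.113.10 is a documentation address.
set -eu

EXTDEV=eth0                 # assumed external interface
INTDEV=eth1                 # assumed internal interface
EXTIP=203.0.113.10          # assumed public address on $EXTDEV
LAN=192.168.1.0/24
SERVER=192.168.1.8          # the internal SSH/web host from the thread

# Dry run by default: rules are printed, not installed. Run as root with
# APPLY=1 to pass them to iptables.
print_rule() { printf '%s\n' "$*"; }
if [ "${APPLY:-0}" = 1 ]; then IPTABLES=iptables; else IPTABLES=print_rule; fi

apply_rules() {
    # Return traffic for any connection the firewall already allowed.
    "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in 22 80; do
        # Outside clients: rewrite the destination to the internal server.
        "$IPTABLES" -t nat -A PREROUTING -i "$EXTDEV" -p tcp -d "$EXTIP" \
            --dport "$port" -j DNAT --to-destination "$SERVER:$port"
        # Forward only what is really headed for that server on that port
        # (keep -d, as Jason says, so odd routing cannot reach other hosts).
        "$IPTABLES" -A FORWARD -i "$EXTDEV" -o "$INTDEV" -p tcp -d "$SERVER" \
            --dport "$port" -m state --state NEW -j ACCEPT
        # Hairpin for LAN clients that use the public address: DNAT as above ...
        "$IPTABLES" -t nat -A PREROUTING -i "$INTDEV" -s "$LAN" -p tcp -d "$EXTIP" \
            --dport "$port" -j DNAT --to-destination "$SERVER:$port"
        # ... then masquerade the client's source so the server answers the
        # firewall, which un-NATs the reply, instead of the client directly.
        "$IPTABLES" -t nat -A POSTROUTING -o "$INTDEV" -s "$LAN" -p tcp -d "$SERVER" \
            --dport "$port" -j MASQUERADE
        "$IPTABLES" -A FORWARD -i "$INTDEV" -o "$INTDEV" -p tcp -d "$SERVER" \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
}

apply_rules
```

With the hairpin rules, the server's access log shows the firewall's LAN address for internal visitors rather than the real client, which is the usual trade-off of this approach compared with the split-DNS or proxy options above.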

