Ross Goble wrote:
I've got a firewall script (modded TrinityOS Firewall) that port
forwards just fine with the inclusion of the following 2 lines
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d 10.121.128.98 --dport 411 -j DNAT --to 192.168.0.2:80
$IPTABLES -A FORWARD -p tcp -i eth0 -d 192.168.0.4 --dport 411 -j ACCEPT
I wonder how this can work. The destination address and port in the two
rules don't match each other.
DNAT to : 192.168.0.2:80
FORWARD : 192.168.0.4:411
Here's the guts of the script...
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo
echo -e " - Allowing EXTERNAL access to the WWW server"
echo
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $UNIVERSE --dport 80 -j ACCEPT
The INPUT default policy is already set to ACCEPT, so what's the use of
this rule? Besides, valid HTTP packets cannot be in the RELATED state
but only NEW or ESTABLISHED.
#echo
echo -e " - Allowing EXTERNAL access to the FTP server"
echo
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $UNIVERSE --dport 20 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $UNIVERSE --dport 21 -j ACCEPT
Same question and comment as above. Valid FTP packets with destination
port 20 cannot be in the NEW or RELATED state but only ESTABLISHED, and
valid FTP packets with destination port 21 cannot be in the RELATED
state but only NEW or ESTABLISHED.
echo -e " - Allowing EXTERNAL access to the SSH server"
echo
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $UNIVERSE --dport 22 -j ACCEPT
Same question and comment as above. Valid SSH packets cannot be in the
RELATED state.
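The two points raised in the reply, a FORWARD rule that must match the post-DNAT destination and INPUT rules whose state match fits the service, as an added example that is not part of the original thread. The helper functions, the DROP-by-default baseline and the dry-run mode (IPTABLES defaults to echoing the commands) are this example's own; the interface and addresses are the ones quoted from the post.

```shell
#!/bin/sh
# Added example, not the poster's script. IPTABLES defaults to a dry run
# that prints each rule; run with IPTABLES=iptables (as root) to apply.
IPTABLES="${IPTABLES:-echo iptables}"

# Forward EXTPORT on the external address to INTADDR:INTPORT.
# The FORWARD chain is traversed after PREROUTING DNAT, so it must match
# the translated destination (INTADDR/INTPORT), not the pre-NAT one.
port_forward() {
    extif=$1 extaddr=$2 extport=$3 intaddr=$4 intport=$5
    $IPTABLES -t nat -A PREROUTING -p tcp -i "$extif" -d "$extaddr" \
        --dport "$extport" -j DNAT --to-destination "$intaddr:$intport"
    $IPTABLES -A FORWARD -p tcp -i "$extif" -d "$intaddr" --dport "$intport" \
        -m state --state NEW -j ACCEPT
}

# Stateful baseline: drop by default, accept replies to tracked
# connections once, then open each service for NEW connections only.
stateful_base() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# allow_service EXTIF DPORT: only the first packet of a connection needs
# to match here; ESTABLISHED and RELATED are handled by stateful_base.
allow_service() {
    $IPTABLES -A INPUT -i "$1" -p tcp --dport "$2" \
        -m state --state NEW -j ACCEPT
}

# Dry-run demonstration with the interface and addresses from the post.
# No rule for port 20: replies to the server's own active-mode data
# connections are ESTABLISHED; passive-mode data connections are RELATED
# once the FTP conntrack helper (nf_conntrack_ftp) is loaded.
stateful_base
allow_service eth0 80
allow_service eth0 21
allow_service eth0 22
port_forward eth0 10.121.128.98 411 192.168.0.2 80
```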