I've got a firewall script (modded TrinityOS Firewall) that port
forwards just fine with the inclusion of the following 2 lines
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d 10.121.128.98 --dport 411 -j DNAT --to 192.168.0.2:80
$IPTABLES -A FORWARD -p tcp -i eth0 -d 192.168.0.4 --dport 411 -j ACCEPT
I wonder how this can work. The destination address and port in the
two rules don't match each other.
DNAT to : 192.168.0.2:80
FORWARD : 192.168.0.4:411
Yeah, noticed that right after posting - duh! Funny thing is that it
works :-/
Should be:-
DNAT to : 192.168.0.4:411
FORWARD : 192.168.0.4:411
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo
echo -e " - Allowing EXTERNAL access to the WWW server"
echo
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $UNIVERSE --dport 80 -j ACCEPT
The INPUT default policy is already set to ACCEPT, so what's the use
of this rule? Besides, valid HTTP packets cannot be in the RELATED
state but only NEW or ESTABLISHED.
Umm, "$IPTABLES -F INPUT"; "$IPTABLES -P INPUT ACCEPT" would seem
superfluous I grant. As in my first post I modded a TrinityOS firewall,
that's how it came and it works just fine.
BTW, the servers on ports 20 21 22 & 80 are all on the firewall box.
Regards
Ross
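The DNAT/FORWARD mismatch discussed above, as an added example that is not part of the thread or the TrinityOS script: a small POSIX sh check that extracts the post-NAT target from a PREROUTING DNAT rule and the destination/port matched by the companion FORWARD rule, and reports whether they agree. The rule strings are constructed from the thread; the iptables path is an assumption and nothing is executed against a live ruleset.

```shell
#!/bin/sh
# Added example (not from the thread's script): compare the DNAT target of a
# PREROUTING rule with the destination matched by its FORWARD rule. The
# FORWARD chain sees the packet after DNAT, so the two must agree.

# Print "addr:port" from the "--to" / "--to-destination" argument of a DNAT rule.
dnat_target() {
    printf '%s\n' "$1" | sed -n 's/.*--to[^ ]* \([0-9.]*\):\([0-9]*\).*/\1:\2/p'
}

# Print "addr:port" from the "-d" and "--dport" matches of a FORWARD rule.
forward_target() {
    addr=$(printf '%s\n' "$1" | sed -n 's/.*-d \([0-9.]*\).*/\1/p')
    port=$(printf '%s\n' "$1" | sed -n 's/.*--dport \([0-9]*\).*/\1/p')
    printf '%s:%s\n' "$addr" "$port"
}

# Print "ok addr:port" and return 0 when the pair agrees; otherwise print
# "mismatch DNAT=... FORWARD=..." and return 1.
check_pair() {
    d=$(dnat_target "$1")
    f=$(forward_target "$2")
    if [ -n "$d" ] && [ "$d" = "$f" ]; then
        echo "ok $d"
        return 0
    fi
    echo "mismatch DNAT=$d FORWARD=$f"
    return 1
}

# Rule text constructed from the thread: the pair as first posted, then the
# corrected pair. IPTABLES path is an assumption; the strings are not run.
IPTABLES=/sbin/iptables
BROKEN_DNAT="$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d 10.121.128.98 --dport 411 -j DNAT --to 192.168.0.2:80"
BROKEN_FWD="$IPTABLES -A FORWARD -p tcp -i eth0 -d 192.168.0.4 --dport 411 -j ACCEPT"
FIXED_DNAT="$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d 10.121.128.98 --dport 411 -j DNAT --to 192.168.0.4:411"
FIXED_FWD="$IPTABLES -A FORWARD -p tcp -i eth0 -d 192.168.0.4 --dport 411 -j ACCEPT"

# Check both pairs; "|| :" keeps a reported mismatch from aborting under set -e.
check_pair "$BROKEN_DNAT" "$BROKEN_FWD" || :
check_pair "$FIXED_DNAT" "$FIXED_FWD" || :
```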