I'd say it might very well work correctly, but the nat table is not made for packet filtering but for address translation (NAT: network address translation), which is used for masquerading and port forwarding. If you only want a filtering firewall, you might very well save yourself the effort of compiling the nat modules and so on.
It might become a problem when you have a more complicated firewall setup, where you want to reject every packet aimed at the firewall, but snat or masq an internal network. You can read about this (at least to understand the principles) in the Firewall and Masquerading HOWTOs, which are part of Debian. It is probably the same question as why nobody uses vi to read PostScript documents when gs is available. It might work, but it is cumbersome. (Sorry if I get polemic.)

Mathias

On Sun, Apr 14, 2002 at 09:11:55AM +0200, Marcin Bednarz wrote:
>
> Hello.
>
> I wrote :
>
> > # change of policy to drop
> > iptables -t nat -P PREROUTING DROP
> > iptables -t nat -P POSTROUTING DROP
> >
> > # add ssh server (allow incoming)
> > iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 22 -j ACCEPT
> >
> > # add pop3 and imap
> > iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 110 -j ACCEPT
> > iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 143 -j ACCEPT
> >
> > iptables -t nat -A PREROUTING -d $yourPublicIP -p udp --destination-port 110 -j ACCEPT
> > iptables -t nat -A PREROUTING -d $yourPublicIP -p udp --destination-port 143 -j ACCEPT
> >
> > iptables -t nat -A POSTROUTING -s $yourPublicIP -j ACCEPT
> >
> > # do you want to allow pinging your machine? (I don't know if postfix requires it)
> > iptables -t nat -A PREROUTING -d $yourPublicIP -p icmp -j ACCEPT
> > iptables -t nat -A POSTROUTING -s $yourPublicIP -p icmp -j ACCEPT
>
> and ...
> # SMTP
> iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 25 -j ACCEPT
>
> Why is it not correct?
> Why do you use the filter table, not nat?
> I am a beginner, so please help me if I don't understand anything.
>
> Jakub S.
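
An added example, not part of the original messages: a small shell/awk filter that rewrites ACCEPT/DROP/REJECT rules placed in the nat table as filter-table rules and leaves real NAT targets alone. The chain mapping (PREROUTING to INPUT, POSTROUTING to OUTPUT) is an assumption that only holds for traffic to or from the firewall host itself, as in the quoted rules; the function names and the MASQUERADE sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: move filtering verdicts out of the nat table.
# Assumed mapping (host-local traffic only, as in the quoted rules):
#   nat PREROUTING  -> filter INPUT
#   nat POSTROUTING -> filter OUTPUT
# Rules with real NAT targets (SNAT, DNAT, MASQUERADE, ...) pass through unchanged.

nat_to_filter() {
    awk '
    $1 != "iptables" { print; next }      # comments, blank lines, other commands
    {
        nat = 0; target = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "-t" && $(i+1) == "nat") nat = i
            if ($i == "-j") target = $(i+1)      # -j TARGET
            if ($i == "-P") target = $(i+2)      # -P CHAIN POLICY
        }
        # Only rewrite nat-table rules whose target is a filtering verdict.
        if (!nat || target !~ /^(ACCEPT|DROP|REJECT)$/) { print; next }
        out = ""
        for (i = 1; i <= NF; i++) {
            if (i == nat || i == nat + 1) continue   # omit "-t nat"; filter is the default table
            w = $i
            if (w == "PREROUTING")  w = "INPUT"
            if (w == "POSTROUTING") w = "OUTPUT"
            out = out (out == "" ? "" : " ") w
        }
        print out
    }'
}

# Constructed sample: three rules in the style of the quoted message plus one
# genuine NAT rule (network and interface are made-up values).
sample_rules() {
    cat <<'EOF'
iptables -t nat -P PREROUTING DROP
iptables -t nat -A PREROUTING -d $yourPublicIP -p tcp --destination-port 22 -j ACCEPT
iptables -t nat -A POSTROUTING -s $yourPublicIP -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
EOF
}

sample_rules | nat_to_filter
```

The output is a starting point for review, not a finished ruleset: with a DROP policy on INPUT, a filter-table setup normally also accepts loopback traffic and ESTABLISHED,RELATED packets so that replies to outgoing connections get through.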

