Good day. I want to make a well-closed machine running vservers, that is, I want to set up forwarding such that any communication is kept off the machine (for security reasons), but only affecting those in the vserver.
Thus far I have on the real machine:

    *filter
    :INPUT ACCEPT
    :FORWARD DROP
    :OUTPUT ACCEPT
    -A FORWARD -p tcp -m tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A FORWARD -i eth0 -p tcp -m tcp -d 192.168.1.1 --dport 80 -j ACCEPT
    COMMIT
    *nat
    :PREROUTING ACCEPT
    :POSTROUTING ACCEPT
    -F
    -F POSTROUTING
    -A POSTROUTING -o eth0 -j SNAT --to-source=192.168.0.2
    -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:80
    COMMIT

My problem is: when I set the INPUT/OUTPUT policies to DROP, I cannot get a web page from 192.168.1.1 when requesting it via eth0. It only works when those chains are set to ACCEPT. Why is that?! IMHO all the forwarding should not involve the routing machine itself, that is, INPUT and OUTPUT on the real machine. Or am I missing something? Please feel free to comment. Thank you for your time.
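As an added example (not part of the original post or of util-vserver), the following script models where the DNAT'd packet ends up and emits a ruleset that works with DROP policies on all three chains. A Linux-VServer guest shares the host's network stack, so its address (192.168.1.1 in the post, assumed here to be configured on the host) is a local address: after PREROUTING rewrites the destination, the routing decision delivers the packet to INPUT, not FORWARD, and the reply leaves through OUTPUT. The addresses and interface name are taken from the post; the list of local addresses is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the layout from the post:
# host 192.168.0.2 on eth0, guest bound to 192.168.1.1 as a local host address.

HOST_IP=192.168.0.2
GUEST_IP=192.168.1.1
WAN_IF=eth0

# Addresses configured on this host. A real run would take these from
# `ip -4 -o addr show`; constructed here so the model runs offline.
local_addrs() {
    printf '%s\n' "$HOST_IP" "$GUEST_IP" 127.0.0.1
}

# Model of the nat PREROUTING rule below: TCP port 80 is redirected to the
# guest, everything else keeps its destination. Prints the post-NAT address.
# Usage: dnat_dst PROTO DPORT DST
dnat_dst() {
    if [ "$1" = tcp ] && [ "$2" = 80 ]; then
        echo "$GUEST_IP"
    else
        echo "$3"
    fi
}

# Model of the routing decision taken after PREROUTING: a packet for a local
# address goes to the filter INPUT chain, any other packet to FORWARD.
chain_after_routing() {
    for a in $(local_addrs); do
        [ "$a" = "$1" ] && { echo INPUT; return 0; }
    done
    echo FORWARD
}

# iptables-restore ruleset with DROP policies on INPUT, FORWARD and OUTPUT that
# still publishes the guest's port 80. The accept for the published port is in
# INPUT (the guest address is local) and replies are matched in OUTPUT by
# conntrack state. The host may originate connections; the guest address may not.
emit_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN_IF -p tcp -d $GUEST_IP --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -s $HOST_IP -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $GUEST_IP:80
-A POSTROUTING -o $WAN_IF -j SNAT --to-source $HOST_IP
COMMIT
EOF
}

# Only load the ruleset when explicitly asked for and running as root.
if [ "$1" = "--apply" ] && [ "$(id -u)" = 0 ]; then
    emit_ruleset | iptables-restore
fi
```

Run it without arguments to inspect the generated rules with `emit_ruleset`, or with `--apply` as root to load them. The `-d $GUEST_IP` in the INPUT rule matches the destination as rewritten by PREROUTING, which is why a FORWARD rule with the same match never sees the packet.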

