So, the easiest way I see is to specify the ports to redirect (or accept locally):

Redirect ports 23,25,80,143:

#iptables -t nat -A PREROUTING -p tcp -d <YOUR_INET_IP> -m multiport --destination-port 23,25,80,143 -j DNAT --to-destination <YOUR_LAN_IP>

Redirect ports excluding 23,25,80,143:

#iptables -t nat -A PREROUTING -p tcp -d <YOUR_INET_IP> -m multiport --destination-port 23,25,80,143 -j ACCEPT
#iptables -t nat -A PREROUTING -p tcp -d <YOUR_INET_IP> -j DNAT --to-destination <YOUR_LAN_IP>

Maybe it's possible to find a more elegant solution...

[EMAIL PROTECTED] wrote:

I've already tried it. It forwards ALL traffic that comes to my machine to <YOUR_LAN_IP>. I want to forward only connections to those ports that are not listening (or the ports having an ACCEPT rule in filter/INPUT, choose what is easier for you).

-----Original Message-----
From: Slava Shklyar [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 22, 2003 16:24
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Haifux] DMZ Variant

#iptables -t nat -A PREROUTING -p tcp -d <YOUR_INET_IP> -j DNAT --to-destination <YOUR_LAN_IP>

I think the rule above has to work. I assume you have compiled the kernel with the needed support.

[EMAIL PROTECTED] wrote:

Hi all!

I have a Linux box with 2 network interfaces: external (connected to the Internet) and internal (connected to my LAN). The box acts as a firewall; I'm also doing NAT. I have several ports open on the box itself and have set up port forwarding to a few machines on the LAN.

I want any connection from the Internet to the box that isn't caught by any rule (I use iptables) to be redirected to a pre-defined machine in the LAN. For example: I don't run a telnet server on the box and I don't forward port 23 to the LAN. If someone connects to the box on port 23, I want the connection to be forwarded to a specific machine in the LAN.

P.S. I don't want to specify each port I want to be forwarded, but rather forward all traffic at once.

Any ideas are appreciated,
Alex

--------------------------------------------------------------------------
Haifa Linux Club Mailing List (http://www.haifux.org)
To unsub send an empty message to [EMAIL PROTECTED]
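The second variant in Slava's last reply (exempt the box's own ports with ACCEPT in nat/PREROUTING, then DNAT the rest) is the one that answers Alex's question, and it works because a packet that hits ACCEPT in the nat table stops traversing that chain, so the catch-all DNAT below it never sees it. What the thread leaves out is rule order and the filter side: the catch-all must be the last PREROUTING rule (an unrestricted DNAT placed first shadows every exemption and "forwards ALL traffic", which is exactly the symptom Alex reports), the existing per-host forwards must sit above it, and DNAT only rewrites the destination, so filter/FORWARD still has to admit the rewritten flow. The script below is an added example, not code from the posts; it generates the full ruleset for review (pipe it to sh as root to apply) and includes a check for the ordering mistake. The interface name eth0, the addresses 203.0.113.10, 192.168.1.50, 192.168.1.20 and 192.168.1.30, and the port lists are placeholders. It covers TCP only, as the thread does, and note that the DMZ host will now receive every TCP probe aimed at the public address, so it must be hardened accordingly.

```shell
#!/bin/sh
# Added example: the "DNAT everything except the firewall's own ports" variant
# from the thread, as a complete nat/PREROUTING + filter/FORWARD ruleset.
# All values below are placeholders (assumptions), not from the original posts.
EXT_IF=eth0                  # external interface
INET_IP=203.0.113.10         # the box's Internet address (documentation range)
DMZ_IP=192.168.1.50          # LAN host that receives everything not handled elsewhere
LOCAL_TCP=22,25,80,143       # TCP ports the firewall itself listens on
FORWARDS="443=192.168.1.20 3389=192.168.1.30"   # existing port=host forwards

# Print the rules in load order. Printing instead of executing lets the reader
# review them first; "./dmz.sh | sh" as root applies them.
dmz_rules() {
  # 1. Exempt the box's own services. In the nat table ACCEPT ends traversal
  #    of the chain for that packet, so the catch-all DNAT below never applies.
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s -m multiport --dports %s -j ACCEPT\n' \
    "$EXT_IF" "$INET_IP" "$LOCAL_TCP"
  # 2. Explicit forwards to other LAN hosts must come before the catch-all.
  for fw in $FORWARDS; do
    port=${fw%%=*}
    host=${fw#*=}
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s\n' \
      "$EXT_IF" "$INET_IP" "$port" "$host"
  done
  # 3. Everything else that reaches the public address goes to the DMZ host.
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s -j DNAT --to-destination %s\n' \
    "$EXT_IF" "$INET_IP" "$DMZ_IP"
  # 4. DNAT only rewrites the destination; filter/FORWARD still has to let the
  #    rewritten connection in and its replies back out.
  printf 'iptables -A FORWARD -i %s -p tcp -d %s -m state --state NEW -j ACCEPT\n' \
    "$EXT_IF" "$DMZ_IP"
  for fw in $FORWARDS; do
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
      "$EXT_IF" "${fw#*=}" "${fw%%=*}"
  done
  printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
}

# Ordering check on a rule listing: the unrestricted DNAT (no --dport/--dports)
# has to be the last nat/PREROUTING rule. Anywhere earlier it shadows the
# exemptions and the box "forwards ALL traffic", the symptom from the thread.
catchall_is_last() {
  last=$(printf '%s\n' "$1" | grep 'PREROUTING' | tail -n 1)
  case "$last" in
    *--dport*)   return 1 ;;   # a port-restricted rule is last: catch-all shadowed or missing
    *'-j DNAT'*) return 0 ;;
    *)           return 1 ;;
  esac
}

rules=$(dmz_rules)
catchall_is_last "$rules" || { echo "catch-all DNAT is not the last PREROUTING rule" >&2; exit 1; }
printf '%s\n' "$rules"
```

The `-i eth0` match keeps LAN clients that connect to the public address from being pulled through the catch-all, and `-d 203.0.113.10` only makes sense with a static address; on a dynamic link drop the `-d` and rely on `-i` alone. The ACCEPT exemption covers nat only: the services on the box still need their own filter/INPUT rules, which Alex already has.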