Trent Cook <[EMAIL PROTECTED]> wrote:
>
> Just simply trying to forward port 80 to an internal web server with the
> following rule:
>
> #####################
> $iptables -t nat -A PREROUTING -p tcp -d $inet_ip --dport 80 -j DNAT
> --to-destination $lan_svr:80
> #####################
That looks about right. Technically the ":80" part is redundant since
you are forwarding without changing the port. The "-d $inet_ip" part
could be considered redundant, as well, since it's unlikely you'll
receive traffic destined for some other IP.
> however it's being dropped by the forwarding chain.
Right you are.
> # Forward the packets that come from the lan.
> $iptables -A FORWARD -i $lan_if -j ACCEPT
>
> # Anything already established is good.<-- possibly here? add a SYN ?
> $iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Yes, the last rule here allows established packets, but the connection
is never established if you don't let the "NEW" state come through
as well.
A rule like this should help:
$iptables -A FORWARD -j ACCEPT -p tcp --dport 80 \
-m state --state NEW,ESTABLISHED,RELATED
This will allow the connection to forward in both directions.
> Is there a module I'm missing that SNAT would work OK without, however DNAT
> needs to have installed?
Nope. It's just the forward rule blocking things.
> Is there any way to actually block destination addresses via URL and
> not ip with iptables?
No. This is an IP-based firewall, so you can only block by IP.
However, you can give a hostname to iptables, and it will do its best to
look up all the various IPs that match that name, and add rules for
them. But if the IPs are dynamic it will be only partially effective.
If you really want to block outgoing URLs, install a web proxy, such as
Squid, and use the iptables REDIRECT feature to capture outgoing HTTP
requests and redirect them to the Squid proxy, then configure Squid to
deny the traffic you don't want.
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Good judgment comes from experience.
sometimes known as David DeSimone || Experience comes from bad judgment."
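An added example, not part of the post above or of the list archives: a small firewall-script fragment that puts the DNAT rule and the matching FORWARD rules from the reply together, and adds the REDIRECT-to-Squid rule the reply suggests for URL blocking. The interface names, addresses and the Squid port 3128 (Squid's default) are assumed placeholders. IPTABLES defaults to a recorder (`echo iptables`) so the script runs without root; set IPTABLES=iptables to apply the rules. Unlike the reply's bare `--dport 80` ACCEPT, the FORWARD rule here is scoped to the Internet interface and the one internal server, so the hole is limited to the forwarded service.

```shell
#!/bin/sh
# Added example (not code from the original post). Dry-run by default:
# IPTABLES="echo iptables" prints the rules instead of installing them.
IPTABLES="${IPTABLES:-echo iptables}"

inet_if="${inet_if:-eth0}"            # assumption: Internet-facing interface
lan_if="${lan_if:-eth1}"              # assumption: LAN interface
inet_ip="${inet_ip:-203.0.113.10}"    # assumption: public address (documentation range)
lan_svr="${lan_svr:-192.168.1.20}"    # assumption: internal web server
squid_port="${squid_port:-3128}"      # Squid's default listening port

# Port forward: rewrite the destination in nat/PREROUTING, then let the NEW
# connection (and its replies) through FORWARD. Scoped to the Internet
# interface and the one server so the ACCEPT does not open port 80 to
# every host behind the firewall.
web_forward_rules() {
    $IPTABLES -t nat -A PREROUTING -i "$inet_if" -p tcp -d "$inet_ip" --dport 80 \
        -j DNAT --to-destination "$lan_svr"
    $IPTABLES -A FORWARD -i "$inet_if" -o "$lan_if" -p tcp -d "$lan_svr" --dport 80 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$lan_if" -o "$inet_if" -p tcp -s "$lan_svr" --sport 80 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Transparent proxy: capture LAN clients' outgoing HTTP and hand it to Squid,
# which can deny by URL. iptables itself only matches addresses and ports.
proxy_redirect_rules() {
    $IPTABLES -t nat -A PREROUTING -i "$lan_if" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$squid_port"
}

web_forward_rules
proxy_redirect_rules
```

Run it as-is to review the generated rules; run it with `IPTABLES=iptables` as root to apply them. The REDIRECT rule matches only on the LAN interface and the DNAT rule only on the Internet interface, so the two PREROUTING rules do not interfere with each other.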
_______________________________________________
Masq maillist - [EMAIL PROTECTED]