Eric Persson <[EMAIL PROTECTED]> wrote:
>
> $IPTABLES -A FORWARD -i $EXTIF -p tcp -d 213.212.20.72 -o $INTIF --dport \
>     4899 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -p tcp -d 192.168.0.50 -o $INTIF --dport \
>     4899 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
These rules seem to be trying to catch different versions of the same
thing. It's hard to know what to put here, because the NAT rules will
change things so that the forward chain doesn't see the original packets.
> $IPTABLES -t nat -A PREROUTING -d 213.212.20.72 -p tcp --dport 4899 -j
> DNAT --to 192.168.0.50:4899
Since this is a PREROUTING rule it will run before the FORWARD rules.
It will modify the packet (if it matches, of course). I noticed that no
interface is specified, but you specify a destination IP, so I suppose
it will work. But it's not how I do things...
In my setup I use "-i $EXTIF" to match a packet coming in via the
external interface. I consider it pointless to specify which IP should
be the destination, because I don't see why my box would be receiving
traffic that's destined for any other IP.
As for forward rules, I don't specify IPs there, either. The "-i" and
"-o" interface options do a fine job of specifying the direction of
traffic flow.
So basically I'd use rules like these:
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 4899 \
    -j DNAT --to 192.168.0.50
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 4899 \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
I am presuming here that there is a rule somewhere else that specifies
that outgoing traffic in the ESTABLISHED,RELATED states should also be
accepted.
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Good judgment comes from experience.
sometimes known as David DeSimone || Experience comes from bad judgment."
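The complete rule set the reply describes, written up as an added example script (not code from the original post or its author): the PREROUTING DNAT rule, the interface-matched FORWARD rule for the port, and the ESTABLISHED,RELATED return rule the reply presumes exists elsewhere. The interface names eth0/eth1 are assumptions; the port 4899 and the internal host 192.168.0.50 come from the thread. DRY_RUN defaults to 1 so the script only prints the commands; set DRY_RUN=0 and run as root to actually load them.

```shell
#!/bin/sh
# Added example, not from the original post. Port-forward one TCP port from the
# external interface to an internal host, matching on interfaces rather than IPs.
# Assumed values: EXTIF=eth0, INTIF=eth1. Port and host are from the thread.

EXTIF=${EXTIF:-eth0}
INTIF=${INTIF:-eth1}
IPTABLES=${IPTABLES:-iptables}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them (needs root)

# run_or_print CMD ARGS...: echo the command line in dry-run mode, else run it.
run_or_print() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# forward_port PORT INTERNAL_IP: the two rules needed for one forwarded port.
forward_port() {
    # 1. nat/PREROUTING runs before FORWARD, so this rewrites the destination
    #    of any matching packet that arrives on the external interface.
    run_or_print $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$1" \
        -j DNAT --to "$2"
    # 2. FORWARD sees the packet only after DNAT, so the original public IP is
    #    gone; the -i/-o pair fixes the direction instead.
    run_or_print $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp --dport "$1" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# allow_return_traffic: the rule the reply presumes exists; replies from the
# internal side are accepted only when they belong to an existing connection.
allow_return_traffic() {
    run_or_print $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage: DRY_RUN=1 sh forward.sh   (prints the three rules)
if [ "$DRY_RUN" = "1" ]; then
    forward_port 4899 192.168.0.50
    allow_return_traffic
fi
```

In dry-run mode the output is exactly the command lines that would be loaded, which makes it easy to diff against `iptables-save` on the box afterwards.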
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.