I plan on doing this soon as well, and I was wondering a couple of things.
As I've seen stated on here a few times, it looks as though using the
H.323 protocol support in 1.2.6 with 2.4.18 isn't going to allow me to
successfully NAT things such as NetMeeting, MSN Messenger
videoconferencing (is that the same thing as NetMeeting?), and remote
desktop stuff.  Now I've just been using VNC for the latter.  I happen
to own another /29 of public addresses and was thinking that the best
way to do this is that when I want to access the net with these
applications, I quickly log into the firewall and run a script that does
this DNATting/SNATting to the private IP machine for one of the /29
addresses (basically translating it on the NAT box).

But what caught my attention was this.  Once I do this, for the moment I
am allowing this traffic:

1.  If things coming in to the external interface are hitting the
PREROUTING chain, how do I filter on them?  As I understand it, the
PREROUTING chain is before the INPUT chain?  Can someone explain, if I
have a rule such as

iptables -t nat -A PREROUTING -i eth1 -d 209.205.xxx.xxx -j DNAT --to-destination 192.168.0.1

where do I place the lines of code to filter these things?  Am I
filtering in the INPUT chain on the 209. addresses or what?

2.  Can anyone give me some tips on some vulnerable ports that I would
need to block on a Windows XP machine but still allow NetMeeting,
ICQ, IRC, etc. to work?  (Specifically, things like file sharing and all
that need to be blocked.)  Thanks.



> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]] On Behalf Of Antony Stone
> Sent: Monday, March 18, 2002 12:08 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Yikes. . . shouldn't this be easy--NAT in and 
> out to private IP
> 
> 
> On Monday 18 March 2002 5:22 pm, Brian Capouch wrote:
> 
> > I want to NAT a private IP addr, 192.168.1.2 (as if that mattered) out
> > to the world and then back in again, so that I can remotely bring up
> > an X window for a demo I have to do "outside" later in the week.
> 
> iptables -A PREROUTING -t nat -d 111.222.333.444 -j DNAT --to 192.168.1.2
> iptables -A POSTROUTING -t nat -s 192.168.1.2 -j SNAT --to 111.222.333.444
> 
> The first rule changes packets coming in from the Internet which were
> addressed to 111.222.333.444 and sends them to 192.168.1.2
> 
> The second rule changes packets which come from 192.168.1.2 and makes them
> look like they came from 111.222.333.444
> 
> Don't forget the appropriate FORWARD rules to let the packets through as well:
> 
> iptables -A FORWARD -s 192.168.1.2 -j ACCEPT
> iptables -A FORWARD -d 192.168.1.2 -j ACCEPT
> 
> Remember that your NATing box needs to have 111.222.333.444 added to its
> external interface if this address is in the same network range as the NAT
> machine's real external address.
> 
> If it's in a different network range, then you just need to have packets for
> 111.222.333.444 routed from the previous router, to use the NAT box as the
> next hop.
> 
> These rules will allow all packets, any protocol (TCP, UDP, ICMP, ESP...) to
> get through the Firewall, to & from ANY external address - so be careful
> about security on the "target" machine, otherwise you might find it's a
> target for more than you expected :-)
> 
> Hope this helps,
> 
> 
> Antony.
> 


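The script below is an added example, not code posted by anyone in this thread. It puts together the 1:1 DNAT/SNAT mapping from Antony's reply with the FORWARD filtering that question 1 asks about: nat/PREROUTING runs before the routing decision, so a DNATed packet reaches the filter table already carrying the private address and goes through FORWARD, not INPUT, which is where the filter rules have to live. Assumed names: eth1 is the external interface, eth0 the internal one, 192.0.2.10 stands in for one of the /29 public addresses (the post's 209.205.xxx.xxx), and 192.168.0.1 is the private host. DRY_RUN=1 (the default) prints the rules; DRY_RUN=0 applies them and needs root.

```shell
#!/bin/sh
# Added example (not from the original thread): one-to-one NAT of one
# public address from the /29 onto one private host, plus the FORWARD
# filtering for the mapped host. Assumed names: eth1 external, eth0
# internal, 192.0.2.10 public (documentation range), 192.168.0.1 private.

DRY_RUN="${DRY_RUN:-1}"      # 1 = print rules, 0 = apply them (root)
EXT_IF="${EXT_IF:-eth1}"
INT_IF="${INT_IF:-eth0}"

# Print or apply one iptables command.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# NAT half: rewrite the inbound destination and the outbound source.
# Restricting DNAT to -i $EXT_IF keeps LAN packets aimed at the public
# address from being rewritten as well.
nat_rules() {
    pub="$1"; priv="$2"
    ipt -t nat -A PREROUTING  -i "$EXT_IF" -d "$pub"  -j DNAT --to-destination "$priv"
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$priv" -j SNAT --to-source "$pub"
}

# Filter half. DNAT has already happened in nat/PREROUTING, so filter
# rules match the private address, and the packet is forwarded (FORWARD
# chain) rather than delivered locally (INPUT chain). Matching on the
# public address here would never hit anything.
forward_rules() {
    priv="$1"; shift
    # replies to sessions the private host opened, plus anything a
    # conntrack helper has marked RELATED
    ipt -A FORWARD -d "$priv" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # new inbound TCP sessions only to the listed ports
    for port in "$@"; do
        ipt -A FORWARD -i "$EXT_IF" -d "$priv" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # everything else arriving from outside for the private host is dropped,
    # which covers NetBIOS/SMB (137-139, 445) without listing them
    ipt -A FORWARD -i "$EXT_IF" -d "$priv" -j DROP
    # the private host may open anything outbound
    ipt -A FORWARD -i "$INT_IF" -s "$priv" -j ACCEPT
}

# Usage: map 192.0.2.10 onto 192.168.0.1 and admit only H.323 call setup
# (TCP 1720) and VNC (TCP 5900) from outside.
nat_rules 192.0.2.10 192.168.0.1
forward_rules 192.168.0.1 1720 5900
```

The static port list only admits the H.323 call-setup connection; the audio/video channels use ports negotiated inside the call, which is exactly what the conntrack helper would have to track, so this script does not change what the post says about NetMeeting through 1.2.6/2.4.18. On newer iptables `-m conntrack --ctstate` replaces `-m state --state`; the `-m state` form is the one the 2.4 kernels in the thread had.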