LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

#1  01-05-2004, 11:04 AM
MadTurki (Member; Registered: Nov 2003; Location: Toronto; Distribution: RedHat 9, Mandrake 10, OS X; Posts: 114)

iptables port forwarding


I'm fairly new to iptables; they don't seem too complicated, but I am new. I followed a sample setup in the RedHat Bible and then added the seventh line from a posted suggestion. I need to forward incoming requests on eth0 (X.X.X.X) to a web server. I also need to use this as a proxy, but neither seems to work! I can ping the machine, I can ping out of it, and I can browse the web out of it. The file is printed below. Thanks for your help - again!

Quote:
# Generated by iptables-save v1.2.8 on Mon Jan 5 15:52:38 2004
*nat
:PREROUTING ACCEPT [36:3374]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:70]
-A POSTROUTING -o eth0 -j SNAT --to-source X.X.X.X
-A PREROUTING --dst X.X.X.X -p tcp -j DNAT --to-destination 192.168.1.12
COMMIT
# Completed on Mon Jan 5 15:52:38 2004
# Generated by iptables-save v1.2.8 on Mon Jan 5 15:52:38 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:okay - [0:0]
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 192.168.1.4 -i lo -j ACCEPT
-A INPUT -s X.X.X.X -i lo -j ACCEPT
-A INPUT -d 192.168.1.255 -i eth1 -j ACCEPT
-A INPUT -d X.X.X.X -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j okay
-A INPUT -i eth0 -p tcp -m tcp --dport 2401 -j okay
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.1.4 -j ACCEPT
-A OUTPUT -s X.X.X.X -j ACCEPT
COMMIT
# Completed on Mon Jan 5 15:52:38 2004

Last edited by MadTurki; 01-05-2004 at 01:01 PM.
 
#2  01-05-2004, 11:32 AM
dubman (Member; Registered: Jan 2003; Distribution: Redhat 9, Fedora Core 1, Suse 8; Posts: 188)
The issue is you don't have any nat or pre-routing statements. Here is a good site on Linux FW design.

http://eressea.pikus.net/~pikus/plug...all/page0.html
 
#3  01-05-2004, 11:42 AM
MadTurki (Original Poster; Registered: Nov 2003; Location: Toronto; Distribution: RedHat 9, Mandrake 10, OS X; Posts: 114)
Thanks for the link. I'm looking over it. I don't want to sound lazy in any way, because I know I need to read this, but I'm horrible at reading manuals. Can you point me to a more specific page? Or show me what to do? I'll keep reading....
 
#4  01-05-2004, 12:12 PM
dubman (Member; Registered: Jan 2003; Distribution: Redhat 9, Fedora Core 1, Suse 8; Posts: 188)
Here is an example of a port-forwarding rule set:


$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 80 -j DNAT --to $DMZIP:80
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p tcp -d $DMZIP --dport 80 -j ACCEPT

The first line will take care of your PREROUTING NAT. The second line is what actually forwards the port.

Here is a sample iptables script; this may be rather helpful. I'm sorry I can't be more specific, but FW design is different for everyone's needs. Iptables is much too broad a subject for us to walk you through. This example below should get you off to a good start, though.

#!/bin/bash

####################################
####################################
# #
# #
# --** Dub's Firewall Script **-- #
# #
# #
####################################
####################################

#Set Variables
IPT=/sbin/iptables
PUBIF="eth0"
PRIVIF="eth1"
DMZIF="eth2"
PUBIP=""
PRIVIP="192.168.100.100"
#The DMZ host that receives the forwarded ports. A DNAT target must be a single
#address, so no /24 here: "192.168.200.100/24:80" is rejected by iptables.
DMZIP="192.168.200.100"
PRIVNET="192.168.100.0/24"
DMZNET="192.168.200.0/24"
PUBNET=""
LOG_OPTIONS="-m limit --limit 5/minute --log-level 3 --log-prefix "
LOG_OPTIONS_MORE="-m limit --limit 20/minute --log-level 3 --log-prefix "
LOG_OPTIONS_LESS="-m limit --limit 1/minute --log-level 3 --log-prefix "
#A hostname in -d is resolved once, when the rule is loaded (one rule per A record)
PLACE_WE_HATE="www.aol.com"

#Load Modules (2.4-era names; newer kernels call these nf_conntrack, nf_conntrack_ftp and nf_nat_ftp)
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

#Enable Routing (until this is on, nothing in FORWARD or in the port forwards below ever sees a packet)
echo 1 > /proc/sys/net/ipv4/ip_forward

#Clean Start
$IPT -F INPUT
$IPT -F FORWARD
$IPT -F OUTPUT
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F

#Define Policy
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

#Allow Loopback
$IPT -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPT -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT

#Allow Connections Between Firewall and Internal Network
$IPT -A OUTPUT -o $PRIVIF -j ACCEPT
$IPT -A INPUT -i $PRIVIF -j ACCEPT

#No Cross-Forwarding
$IPT -A FORWARD -i $PUBIF -o $PUBIF -j LOG $LOG_OPTIONS "IPTABLES-X-FORWARD: "
$IPT -A FORWARD -i $PUBIF -o $PUBIF -j DROP

#No Spoofed Source Addresses
$IPT -A INPUT -s "0.0.0.0" -i $PUBIF -j LOG $LOG_OPTIONS "IPTABLES-SPOOF: "
$IPT -A INPUT -s "0.0.0.0" -i $PUBIF -j DROP
$IPT -A INPUT -s "10.0.0.0/8" -i $PUBIF -j LOG $LOG_OPTIONS "IPTABLES-SPOOF: "
$IPT -A INPUT -s "10.0.0.0/8" -i $PUBIF -j DROP
$IPT -A INPUT -s "192.168.0.0/16" -i $PUBIF -j LOG $LOG_OPTIONS "IPTABLES-SPOOF: "
$IPT -A INPUT -s "192.168.0.0/16" -i $PUBIF -j DROP
$IPT -A INPUT -s "172.16.0.0/12" -i $PUBIF -j LOG $LOG_OPTIONS "IPTABLES-SPOOF: "
$IPT -A INPUT -s "172.16.0.0/12" -i $PUBIF -j DROP

#Port Scans
#All of these go in the mangle table. The nat PREROUTING chain is consulted only
#for the first packet of a new connection, so packet-level checks placed there
#are unreliable; mangle PREROUTING sees every packet.
#NULL scan (no flags set)
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j LOG $LOG_OPTIONS "IPTABLES-PORT-SCAN: "
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP

#SYN/RST (nmap probes)
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j LOG $LOG_OPTIONS "IPTABLES-SYN-RST: "
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

#SYN/FIN (no space inside the flag list, or the shell splits it into two arguments)
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG $LOG_OPTIONS_MORE "IPTABLES-SYN-FIN: "
$IPT -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

echo INPUT

#################################################################
# #
# INPUT #
# #
#################################################################

#Accept DHCP Lease (OUTPUT rules match the outgoing interface with -o; -i is not valid there)
$IPT -A INPUT -i $PUBIF -p udp --source-port 67 --dport 68 -j ACCEPT
$IPT -A OUTPUT -o $PUBIF -p udp --source-port 68 --dport 67 -j ACCEPT

#Silently Drop Broadcast and Multicast Traffic
$IPT -A INPUT -i $PUBIF -d 255.255.255.255 -j DROP
$IPT -A INPUT -i $PUBIF -d 224.0.0.0/4 -j DROP

#Drop All Invalid Incoming Packets
#(-m unclean is an experimental match; remove those two lines if your kernel has no ipt_unclean)
$IPT -A INPUT -m unclean -j LOG $LOG_OPTIONS "IPTABLES-UNCLEAN: "
$IPT -A INPUT -m unclean -j DROP
$IPT -A INPUT -m state --state INVALID -j DROP

#Allow Outgoing Echo Request/Reply
$IPT -A OUTPUT -o $PUBIF -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A INPUT -i $PUBIF -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A INPUT -i $PUBIF -p icmp --icmp-type destination-unreachable -j ACCEPT

#Allow Outgoing Traceroute (note this lets all UDP out of the firewall itself, DNS included)
$IPT -A OUTPUT -o $PUBIF -p udp -j ACCEPT
$IPT -A INPUT -i $PUBIF -p icmp --icmp-type time-exceeded -j ACCEPT

#Specific Nasty Ports
#MS Networking
$IPT -A INPUT -p tcp -i $PUBIF --dport 135:139 -j LOG $LOG_OPTIONS "IPTABLES-MS-NETWORKING: "
$IPT -A INPUT -p udp -i $PUBIF --dport 135:139 -j LOG $LOG_OPTIONS "IPTABLES-MS-NETWORKING: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 135:139 -j DROP
$IPT -A INPUT -p udp -i $PUBIF --dport 135:139 -j DROP

#NFS
$IPT -A INPUT -p tcp -i $PUBIF --dport 2049 -j LOG $LOG_OPTIONS "IPTABLES-NFS: "
$IPT -A INPUT -p udp -i $PUBIF --dport 2049 -j LOG $LOG_OPTIONS "IPTABLES-NFS: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 2049 -j DROP
$IPT -A INPUT -p udp -i $PUBIF --dport 2049 -j DROP

#X-Windows
$IPT -A INPUT -p tcp -i $PUBIF --dport 5999:6003 -j LOG $LOG_OPTIONS "IPTABLES-X-WINDOWS: "
$IPT -A INPUT -p udp -i $PUBIF --dport 5999:6003 -j LOG $LOG_OPTIONS "IPTABLES-X-WINDOWS: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 5999:6003 -j DROP
$IPT -A INPUT -p udp -i $PUBIF --dport 5999:6003 -j DROP

#X Font Server
$IPT -A INPUT -p tcp -i $PUBIF --dport 7100 -j LOG $LOG_OPTIONS "IPTABLES-XFS: "
$IPT -A INPUT -p udp -i $PUBIF --dport 7100 -j LOG $LOG_OPTIONS "IPTABLES-XFS: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 7100 -j DROP
$IPT -A INPUT -p udp -i $PUBIF --dport 7100 -j DROP

#Back Orifice
$IPT -A INPUT -p tcp -i $PUBIF --dport 31337 -j LOG $LOG_OPTIONS "IPTABLES-BACK-ORIFICE: "
$IPT -A INPUT -p udp -i $PUBIF --dport 31337 -j LOG $LOG_OPTIONS "IPTABLES-BACK-ORIFICE: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 31337 -j DROP
$IPT -A INPUT -p udp -i $PUBIF --dport 31337 -j DROP

#Netbus
$IPT -A INPUT -p tcp -i $PUBIF --dport 12345:12346 -j LOG $LOG_OPTIONS "IPTABLES-NETBUS: "
$IPT -A INPUT -p udp -i $PUBIF --dport 12345:12346 -j LOG $LOG_OPTIONS "IPTABLES-NETBUS: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 12345:12346 -j DROP
$IPT -A INPUT -p udp -i $PUBIF --dport 12345:12346 -j DROP

#Subseven
$IPT -A INPUT -p tcp -i $PUBIF --dport 27374 -j LOG $LOG_OPTIONS "IPTABLES-SUBSEVEN: "
$IPT -A INPUT -p udp -i $PUBIF --dport 27374 -j LOG $LOG_OPTIONS "IPTABLES-SUBSEVEN: "
$IPT -A INPUT -p tcp -i $PUBIF --dport 27374 -j DROP
$IPT -A INPUT -p udp -i $PUBIF --dport 27374 -j DROP

echo FORWARDING

#################################################################
# #
# FORWARDING #
# #
#################################################################

#Drop All Invalid Incoming Packets
$IPT -A FORWARD -m unclean -j LOG $LOG_OPTIONS "IPTABLES-UNCLEAN-FORWARD: "
$IPT -A FORWARD -m unclean -j DROP
$IPT -A FORWARD -m state --state INVALID -j LOG $LOG_OPTIONS "IPTABLES-INVALID-FORWARD: "
$IPT -A FORWARD -m state --state INVALID -j DROP

#Block Outgoing Connections to Places We HATE
$IPT -A FORWARD -i $PRIVIF -d $PLACE_WE_HATE -j DROP

#See No Evil, Forward No Evil (Last Resort Against DoS)
#The first matching rule wins, so these port blocks must sit above the blanket
#ACCEPTs that follow; placed after them they would never catch anything leaving
#the private network.
#MS Networking
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 135:139 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-MSNETWORKING: "
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 135:139 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-MSNETWORKING: "
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 135:139 -j DROP
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 135:139 -j DROP
#NFS
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 2049 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-NFS: "
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 2049 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-NFS: "
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
#X-Windows
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 5999:6003 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-XWINDOWS: "
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 5999:6003 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-XWINDOWS: "
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 5999:6003 -j DROP
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 5999:6003 -j DROP
#X Font Server
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 7100 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-XFONTSERVER: "
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 7100 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-XFONTSERVER: "
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 7100 -j DROP
#Back Orifice
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 31337 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-BACKORIFICE: "
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 31337 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-BACKORIFICE: "
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 31337 -j DROP
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 31337 -j DROP
#Netbus (12345:123456 in the original is not a valid port range and makes iptables reject the rule)
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 12345:12346 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-NETBUS: "
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 12345:12346 -j LOG $LOG_OPTIONS "IPTABLES-FORWARD-NETBUS: "
$IPT -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 12345:12346 -j DROP
$IPT -A FORWARD -p udp -s 0/0 -d 0/0 --dport 12345:12346 -j DROP

#Allow Otherwise Unrestricted Outgoing Connections
$IPT -A FORWARD -i $PRIVIF -o $PUBIF -j ACCEPT
$IPT -A FORWARD -i $PRIVIF -o $DMZIF -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $DMZIF -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $DMZIF -o $PRIVIF -m state --state RELATED,ESTABLISHED -j ACCEPT
#Replies from the DMZ hosts back to outside clients. Without this the port
#forwards below accept the inbound SYN and then drop the SYN/ACK on its way out.
$IPT -A FORWARD -i $DMZIF -o $PUBIF -m state --state RELATED,ESTABLISHED -j ACCEPT

#Allow DMZ Outgoing DNS lookups
$IPT -A FORWARD -i $DMZIF -o $PUBIF -p udp --dport 53 -j ACCEPT

#NAT Postrouting SNAT
$IPT -t nat -A POSTROUTING -o $PUBIF -s $PRIVNET -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $PUBIF -s $DMZNET -j MASQUERADE

echo PORT FORWARDING
#################################################################
# #
# PORT FORWARDING #
# #
#################################################################

#Web
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 80 -j DNAT --to $DMZIP:80
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p tcp -d $DMZIP --dport 80 -j ACCEPT

#FTP
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 21 -j DNAT --to $DMZIP:21
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p tcp -d $DMZIP --dport 21 -j ACCEPT

#Mail
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 110 -j DNAT --to $DMZIP:110
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p tcp -d $DMZIP --dport 110 -j ACCEPT
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 25 -j DNAT --to $DMZIP:25
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p tcp -d $DMZIP --dport 25 -j ACCEPT

#SSH
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 22 -j DNAT --to $DMZIP:22
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p tcp -d $DMZIP --dport 22 -j ACCEPT

#Waste
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 55555 -j DNAT --to $DMZIP:55555
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p tcp -d $DMZIP --dport 55555 -j ACCEPT

#Set SSH, DNS, and FTP for minimum delay
$IPT -t mangle -A PREROUTING -i $PRIVIF -p udp --dport 53 -j TOS --set-tos Minimize-Delay
$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 53 -j TOS --set-tos Minimize-Delay
$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 21 -j TOS --set-tos Minimize-Delay

#Set FTP Data and Web Traffic for Maximum Throughput
#$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput
#$IPT -t mangle -A PREROUTING -i $PRIVIF -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput

#Deny ICMP Redirects
$IPT -A FORWARD -p icmp --icmp-type redirect -i $PUBIF -j LOG $LOG_OPTIONS "IPTABLES-ICMP-REDIRECT: "
$IPT -A FORWARD -p icmp --icmp-type redirect -i $PUBIF -j DROP

#Allow All Pings and all Outgoing Traceroutes
$IPT -A FORWARD -i $PRIVIF -o $PUBIF -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A FORWARD -i $DMZIF -o $PUBIF -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A FORWARD -i $PUBIF -o $DMZIF -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A FORWARD -i $PRIVIF -o $DMZIF -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A FORWARD -i $DMZIF -o $PUBIF -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A FORWARD -i $DMZIF -o $PUBIF -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A FORWARD -i $DMZIF -o $PUBIF -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A FORWARD -i $DMZIF -o $PRIVIF -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A FORWARD -i $PRIVIF -o $DMZIF -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A FORWARD -i $PRIVIF -o $DMZIF -p icmp --icmp-type destination-unreachable -j ACCEPT

#Do Not Allow Any Other Connections on the External Interface, Including Traceroute
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -j LOG $LOG_OPTIONS "IPTABLES-CONN-PRIVIF-FORWARD: "
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -j DROP
$IPT -A FORWARD -i $PUBIF -o $DMZIF -j LOG $LOG_OPTIONS "IPTABLES-CONN-DMZIF-FORWARD: "
$IPT -A FORWARD -i $PUBIF -o $DMZIF -j DROP

echo Firewall Script Complete
#################################################################
# #
# All Infidels Have Been Denied! #
# Script Complete #
# #
#################################################################
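As an added example (not code from the thread), the following is a small Python model of how the kernel walks these chains, run against the rules from post #1 and against dubman's port-limited DNAT from post #4. It shows two things the pasted dump does not make obvious: the OP's PREROUTING rule has no --dport, so every TCP connection to X.X.X.X, SSH to the firewall itself included, is rewritten to 192.168.1.12 and handled in FORWARD, never in INPUT; and the user chain `okay` is declared but empty, so a packet jumped into it falls off the end, returns, and hits the INPUT DROP policy. The addresses are the post's own placeholders; the model drops the source-address and state matches, and the ACCEPT put into `okay` at the end is my assumption about what that chain was meant to hold.

```python
"""Chain-walk model for the iptables rules posted in this thread.

Constructed example: it models only what the thread needs (nat PREROUTING
with DNAT, filter INPUT/FORWARD with one user chain and a policy, matching
on -i / -p / --dport / -d). Source-address and state matches are left out.
"""
from dataclasses import dataclass, field
from typing import Optional

FW_PUBLIC = "X.X.X.X"        # the firewall's eth0 address, as written in post #1
FW_PRIVATE = "192.168.1.4"   # the firewall's eth1 address, from the OP's INPUT rules
WEB_SERVER = "192.168.1.12"  # the OP's DNAT target
LOCAL_ADDRS = {FW_PUBLIC, FW_PRIVATE, "127.0.0.1"}


@dataclass
class Rule:
    target: str                    # ACCEPT, DROP, DNAT, or a user-chain name
    in_if: Optional[str] = None    # -i
    proto: Optional[str] = None    # -p
    dport: Optional[int] = None    # --dport
    dst: Optional[str] = None      # -d / --dst
    to_dst: Optional[str] = None   # DNAT --to-destination

    def matches(self, pkt: dict) -> bool:
        return ((self.in_if is None or pkt["in"] == self.in_if)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport)
                and (self.dst is None or pkt["dst"] == self.dst))


@dataclass
class Table:
    chains: dict = field(default_factory=dict)   # chain name -> [Rule, ...]
    policy: dict = field(default_factory=dict)   # built-in chain -> verdict

    def walk(self, chain: str, pkt: dict) -> str:
        """First matching terminal rule wins. A user chain that runs out of
        rules returns to its caller; a built-in chain falls back to its policy."""
        for rule in self.chains.get(chain, []):
            if not rule.matches(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            if rule.target == "DNAT":
                pkt["dst"] = rule.to_dst            # rewrite, then leave the nat chain
                return "DNAT"
            verdict = self.walk(rule.target, pkt)   # jump into a user chain
            if verdict != "RETURN":
                return verdict
        return self.policy.get(chain, "RETURN")


def route(nat: Table, filt: Table, pkt: dict):
    """nat PREROUTING first; then INPUT if the (possibly rewritten) destination
    is one of the firewall's own addresses, otherwise FORWARD."""
    pkt = dict(pkt)
    nat.walk("PREROUTING", pkt)
    chain = "INPUT" if pkt["dst"] in LOCAL_ADDRS else "FORWARD"
    return chain, filt.walk(chain, pkt)


def op_tables():
    """The rules from post #1 that matter for a TCP packet arriving on eth0."""
    nat = Table({"PREROUTING": [Rule("DNAT", proto="tcp", dst=FW_PUBLIC, to_dst=WEB_SERVER)]},
                {"PREROUTING": "ACCEPT"})
    filt = Table({
        "INPUT": [Rule("ACCEPT", in_if="eth1"),
                  Rule("okay", in_if="eth0", proto="tcp", dport=21),
                  Rule("okay", in_if="eth0", proto="tcp", dport=22),
                  Rule("okay", in_if="eth0", proto="tcp", dport=80),
                  Rule("okay", in_if="eth0", proto="tcp", dport=2401)],
        "okay": [],                       # declared by ':okay - [0:0]', never given a rule
        "FORWARD": [Rule("ACCEPT", in_if="eth1"), Rule("ACCEPT", in_if="eth0")],
    }, {"INPUT": "DROP", "FORWARD": "DROP"})
    return nat, filt


def scoped_dnat() -> Table:
    """dubman's form of the DNAT: only port 80 arriving on the public interface."""
    return Table({"PREROUTING": [Rule("DNAT", in_if="eth0", proto="tcp", dport=80,
                                      dst=FW_PUBLIC, to_dst=WEB_SERVER)]},
                 {"PREROUTING": "ACCEPT"})


def scenario_results() -> dict:
    """Constructed packets: a web hit and an SSH attempt, both to X.X.X.X on eth0."""
    pub = {"in": "eth0", "proto": "tcp", "dst": FW_PUBLIC}
    web, ssh = {**pub, "dport": 80}, {**pub, "dport": 22}
    out = {}
    nat, filt = op_tables()
    out["op:web"] = route(nat, filt, web)        # forwarded to the web server
    out["op:ssh"] = route(nat, filt, ssh)        # also forwarded: the DNAT has no --dport
    nat = scoped_dnat()
    out["scoped:web"] = route(nat, filt, web)
    out["scoped:ssh"] = route(nat, filt, ssh)    # reaches INPUT, falls off the empty 'okay' chain
    filt.chains["okay"] = [Rule("ACCEPT")]       # assumed intent of the 'okay' chain
    out["scoped+okay:ssh"] = route(nat, filt, ssh)
    return out


if __name__ == "__main__":
    for name, (chain, verdict) in scenario_results().items():
        print(f"{name:16} -> {chain} {verdict}")
```

On a real box the equivalent check is the per-rule packet counters from `iptables -t nat -L PREROUTING -n -v` and `iptables -L INPUT -n -v`: a DNAT counter that climbs on an SSH attempt while the INPUT rules that jump to `okay` stay at zero is the first case above, and `okay` rules that count packets while the connection still fails is the second.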
 
#5  01-05-2004, 12:32 PM
MadTurki (Original Poster; Registered: Nov 2003; Location: Toronto; Distribution: RedHat 9, Mandrake 10, OS X; Posts: 114)
Is the DMZ what I specify as to where my web server is?
 
#6  01-05-2004, 01:02 PM
MadTurki (Original Poster; Registered: Nov 2003; Location: Toronto; Distribution: RedHat 9, Mandrake 10, OS X; Posts: 114)
"The issue is you don't have any nat or pre-routing statements."

Isn't that what
"-A PREROUTING --dst X.X.X.X -p tcp -j DNAT --to-destination 192.168.1.12" is?
 
#7  01-05-2004, 01:03 PM
dubman (Member; Registered: Jan 2003; Distribution: Redhat 9, Fedora Core 1, Suse 8; Posts: 188)
Right. In the above example, the DMZ is running web services and the PRIVNET is a secured network, inaccessible from the outside. Both are on different networks using the Linux box as a FW/router. Each network is on a different interface/NIC.
 
  

