-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Sep 29, 2005 at 09:21:40AM -0500, Aleksandar Milivojevic wrote:
> >>> I did this successfully providing external SSH access to a collection
> >>> of hosts on a private network. However for this to work, the hosts on
> >>> the private net also need to be doing SNAT back out through the
> >>> firewall.
> >>
> >> Unless you are doing something funky, SNAT is not needed. All he needs
> >> is DNAT.
> >> Netfilter should take care of returning packets automagically (unless, as I
> >> said, you are doing something funky and confusing Netfilter with it).
> >
> > If you have a RELATED,ESTABLISHED matching rule only.
>
> Somebody will probably correct me if I'm wrong, but I think restriction is as
> long as you have connection tracking module loaded. And you will have it as
> soon as you call any of NAT targets (iptable_nat module depends on ip_conntrack
> module). So you don't have to have any state related rules at all.

If your default rule for the related chain is DROP, then you do need the
state rules.

[]s

- -- 
Rodrigo Barbosa <rodrigob@xxxxxxxxxxxxxxx>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDPAsnpdyWzQ5b5ckRAh1bAKCNeRJonIkfcsrn+BXSKRFeVdSciwCfSwUc
GzClzLnsyLteboKVQdSbJi0=
=r2FG
-----END PGP SIGNATURE-----
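The thread's two points, as an added example that is not part of the original posts: DNAT alone is enough for the address rewrite because conntrack un-NATs the replies, but when the FORWARD chain's default policy is DROP the filter table still has to accept the forwarded packets, and a RELATED,ESTABLISHED rule is what lets the reply half of each conversation through. The interface name, internal host address and public port are constructed placeholders, and the script uses the legacy `-m state` match the thread refers to (`-m conntrack --ctstate` is the modern equivalent). Setting `IPT=echo` prints the rules instead of installing them, so it can be inspected without root.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT-only SSH forwarding to a host on
# a private network, with a FORWARD chain whose default policy is DROP.
# All addresses, interface names and ports below are constructed placeholders.
IPT=${IPT:-iptables}

WAN_IF=${WAN_IF:-eth0}           # assumed external interface
INT_HOST=${INT_HOST:-10.0.0.10}  # assumed internal SSH host on the private net
PUB_PORT=${PUB_PORT:-2222}       # assumed public port mapped to internal port 22

# Step 1: rewrite the destination of inbound SSH connections. Loading the NAT
# table pulls in connection tracking, which records the mapping and reverses
# it on the reply packets, so no SNAT rule is needed for the return path.
add_dnat_rules() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PUB_PORT" \
        -j DNAT --to-destination "$INT_HOST:22"
}

# Step 2: NAT only rewrites addresses; the filter table still decides whether
# the packet is forwarded. With DROP as the default policy, the DNATed SYN and
# every later packet must be accepted explicitly. The state rule admits the
# replies and later packets of tracked connections; without it conntrack
# knows the conversation but FORWARD drops it.
add_forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -d "$INT_HOST" --dport 22 \
        -m state --state NEW -j ACCEPT
}

# Emit (or install) the complete rule set. Only the two rule groups above are
# needed: a DNAT rule in nat/PREROUTING and the two accept rules in FORWARD.
ruleset() {
    add_dnat_rules
    add_forward_rules
}

if [ "${1:-}" = "apply" ]; then
    ruleset
fi
```

Run `IPT=echo sh ruleset.sh apply` to see the rules; without `IPT=echo` the same invocation installs them. If the RELATED,ESTABLISHED line is removed while the policy stays DROP, the SSH handshake is rewritten correctly by the nat table but the connection never completes, which is the failure mode the thread describes.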