Re: Firewall frustration




on 1/2/2008 8:34 PM Robert Moskowitz spake the following:
> Christopher Chan wrote:
>
>>> I spent much of the past 24 hours trying to find out how to set up iptables for firewall routing WITHOUT NATing. Could not find anything.
>>
>> Eh? You just need to enable IP forwarding to enable routing. After that, it is a matter of putting up the firewall rules as necessary and building the appropriate routing tables on the firewall box and the boxes on the intranet(s).
>>
>> iptables does not handle routing.
>
> No, but iptables controls what is allowed to route, or so it seems when you read the tutorials on iptables. I know about routing; Comer taught me, and I reviewed Stevens' book. I know about firewalls; Bellovin and I go back quite a ways. But configuring software to do what **I** want, well, that is where the car hits the brick wall. As Bellovin would say, "Here be Dragons."
>
> Those little words, "put up the firewall rules as necessary", are equivalent to "and magic happens here."
>
> I tried it. I had everything open. Then I blocked everything. Then I set up a rule to allow SSH in to eth0 and out eth1 (and the other way). At least I thought that was what the rules said, but no SSH connectivity through the firewall. That was when I realized that I had not found the necessary incantation, and I had already shot most of Tuesday.
>
> Up and running. I can understand what Shorewall rules are saying. And I can see the results.

Just don't let the magic smoke out of the box, and you will be fine!

Learning to "speak" netfilter is not as difficult as, say, Perl or PHP, but it is another thing to add to the plate, and it seems to always be "next" on the list. Unless you are going to do this regularly, your solution works just as well.


--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
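The "enable IP forwarding, then put up the rules" recipe from the thread, spelled out as an added example rather than anything posted by the participants: a routing-only firewall with no nat-table entries at all, a default-DROP FORWARD chain, and SSH allowed through in both directions. The interface names (eth0 outside, eth1 inside), the 192.168.1.0/24 inside subnet and the environment variables that override them are assumptions made here for illustration; the script prints the ruleset by default and only applies it when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the thread): a routing-only firewall, no NAT.
# The interface names, subnet and port below are assumptions; override them
# through the environment to match the real box.
WAN_IF="${WAN_IF:-eth0}"                # outside interface (assumed)
LAN_IF="${LAN_IF:-eth1}"                # inside interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # constructed inside subnet
SSH_PORT="${SSH_PORT:-22}"

# Emit the ruleset as commands instead of running them, so it can be reviewed,
# diffed against "iptables -S FORWARD", and checked without root.
build_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_NET -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: " --log-level 4
EOF
}

# Pre-flight check: no nat-table rules anywhere, and FORWARD defaults to DROP.
# Returns 0 when both hold, 1 otherwise.
check_rules() {
    rules=$(build_rules)
    if echo "$rules" | grep -q -- '-t nat'; then
        return 1
    fi
    echo "$rules" | grep -q '^iptables -P FORWARD DROP$' || return 1
    return 0
}

# Count the FORWARD rules that would be installed (handy when comparing
# against "iptables -S FORWARD | grep -c '^-A FORWARD'" on the live box).
forward_rule_count() {
    build_rules | grep -c '^iptables -A FORWARD'
}

# Only touch the kernel when explicitly asked (APPLY=1, run as root);
# by default just print the plan.
if [ "${APPLY:-0}" = 1 ]; then
    check_rules || { echo "refusing to apply: ruleset failed checks" >&2; exit 1; }
    build_rules | sh -e
else
    build_rules
fi
```

Run it as `sh fw.sh` to see the plan and `APPLY=1 sh fw.sh` (as root) to install it. The ESTABLISHED,RELATED rule is what makes "and the other way" work without a mirror rule for every service: only the first packet of a connection has to match an explicit ACCEPT. Two things the rules alone cannot fix, and which the reply's "build the appropriate routing tables" refers to: with no NAT the inside addresses are what the outside sees, so the next hop on the eth0 side must carry a route for the inside subnet pointing at the firewall's eth0 address, and the inside hosts must use the firewall as their gateway. A missing return route looks exactly like a wrong rule from the client's point of view (no SSH connectivity), but it is easy to tell apart on the firewall: `iptables -L FORWARD -v -n` shows the packet counters climbing on the ACCEPT rule while nothing comes back, whereas a rule problem shows up as "FWD-DROP:" lines in the kernel log instead.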

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
