ICI Support wrote:

> Now, the problem I have is that my LAN is mixed NAT'd addresses and routable
> IPs. I have a host of FORWARD rules to determine which packets get sent
> onto which servers (routable IPs). My worry is that if I put in the
> "iptables -A FORWARD -j ACCEPT" it'll defeat the whole purpose of those
> entries.
>
> My question is: How do I set up a FORWARD for JUST the NATed packets
> without touching the non-NATed packets? Would a -d to my internal network
> ($INTERNAL_NET is set to 192.168.10.0/24) do it?
>
> IE would this work:
>
> iptables -A POSTROUTING -t nat -s $INTERNAL_NET -j MASQUERADE
>
> iptables -A FORWARD -d $INTERNAL_NET -j ACCEPT

If I tested this properly, it does seem to work. You could follow the command above with whatever rules jumping to ACCEPT you want, ending with a REJECT for whatever you don't want (or set the policy for FORWARD to REJECT). There are some other ways to do it.

May I ask why this machine is a bridge? My guess is that you have something like this:

[Internet] ----> T1 router ----> Linux bridge ----> LAN

...wherein the T1 router handles the routing to/from your public IPs and your bridge handles the routing (with NAT) from your private IPs.

> Also, if I post up my iptables entries/script, can someone help me proof
> them for problems?

Sure; it couldn't hurt, unless someone nasty sees a flaw and tries to attack one of your systems through it. :)

I'm going to be gone for several days, but I'll look at it when I get back. Somebody else might look, too.

-Corey

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
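To make the first-match behaviour of the ruleset discussed in this thread concrete, here is an added simulation (not code from either poster) of how the FORWARD chain and the POSTROUTING MASQUERADE rule treat different packets. It models the two rules quoted above plus, as assumptions, one explicit ACCEPT for a routable web server, one ACCEPT for traffic leaving the private LAN, and a REJECT chain policy, as Corey suggests. All addresses are constructed from documentation ranges; 203.0.113.10 stands in for one of the routable servers and 198.51.100.7 for an Internet host. The evaluator also shows the point a practitioner would want to check: "-d $INTERNAL_NET -j ACCEPT" matches any packet whose destination is in the private range, not only de-NATed replies, so an unsolicited packet addressed to a private host is accepted by that rule as well.

```python
"""Toy first-match evaluator for the FORWARD chain and POSTROUTING MASQUERADE
rule discussed in the thread.  Everything here is an illustrative model,
not iptables itself, and the server/host addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, List

# From the thread: the private LAN behind the bridge.
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")
# Assumed: one routable server on the LAN (documentation range) that only
# serves HTTP, and the bridge's own public egress address for MASQUERADE.
WEB_SERVER = ipaddress.ip_network("203.0.113.10/32")
EGRESS_IP = "203.0.113.1"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One iptables rule: unset fields are wildcards, like omitted options."""
    target: str
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


# FORWARD chain in append order.  Rule 0 is the line from the thread;
# rules 1 and 2 are assumed examples of "whatever rules jumping to ACCEPT
# you want"; the policy is REJECT as Corey suggests.
FORWARD: List[Rule] = [
    Rule("ACCEPT", dst=INTERNAL_NET),                       # -d $INTERNAL_NET -j ACCEPT
    Rule("ACCEPT", dst=WEB_SERVER, proto="tcp", dport=80),  # routable server, HTTP only
    Rule("ACCEPT", src=INTERNAL_NET),                       # private LAN going out
]
FORWARD_POLICY = "REJECT"


def forward_verdict(pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the FORWARD chain top to bottom; the first matching rule wins.
    Returns (target, rule index) or (policy, None) if nothing matched."""
    for i, rule in enumerate(FORWARD):
        if rule.matches(pkt):
            return rule.target, i
    return FORWARD_POLICY, None


def postrouting_source(pkt: Packet) -> str:
    """POSTROUTING -t nat -s $INTERNAL_NET -j MASQUERADE: only private
    sources are rewritten to the egress address; routable IPs pass untouched.
    NAT happens after FORWARD, so FORWARD still sees the private source."""
    if ipaddress.ip_address(pkt.src) in INTERNAL_NET:
        return EGRESS_IP
    return pkt.src


if __name__ == "__main__":
    samples = {
        "de-NATed reply to LAN host": Packet("198.51.100.7", "192.168.10.5", "tcp", 51000),
        "Internet -> web server :80": Packet("198.51.100.7", "203.0.113.10", "tcp", 80),
        "Internet -> web server :22": Packet("198.51.100.7", "203.0.113.10", "tcp", 22),
        "LAN host -> Internet":       Packet("192.168.10.5", "198.51.100.7", "tcp", 443),
        "unsolicited -> LAN host":    Packet("198.51.100.7", "192.168.10.5", "tcp", 445),
    }
    for name, pkt in samples.items():
        print(f"{name:28} FORWARD={forward_verdict(pkt)} src-after-NAT={postrouting_source(pkt)}")
```

The last sample is the one worth noticing: because rule 0 keys only on the destination prefix, it accepts the unsolicited packet to the private host just as readily as the genuine reply, while the routable web server is still protected by its own explicit rule and the REJECT policy.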