Pascal Hambourg wrote:
> Hello,
>
> Philip Prindeville wrote:
>
>> iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 8080 -j DNAT --to-destination :80
>>
>> but later in the INPUT chain, I'd like to be able to distinguish between
>> a packet that came in directly to port 80 (which I'd reject) versus a
>> packet that came in to a different port (like 8080 above) and was
>> remapped... which I'd like to accept.
>>
>
> May I ask why?
>

Of course.

The box which we'd be doing this on is a firewall. There is an administrative web server that is used for configuration via GUI. The interface is accessible via port 80 internally... but we want to obscure it externally (we don't really use port 8080 above as that would be too obvious).

We similarly obscure the SSH port (and do other hardening, such as not accepting passwords, but certificates only...).

>> Is there a test available in INPUT (and FORWARD) to see if the packet
>> had been rewritten in the PREROUTING chain?
>>
>
> You might try the '-m conntrack' match and its '--ctstate DNAT' option.
> Not sure it works when only remapping the port, though. Otherwise you
> can MARK packets in mangle/PREROUTING before they are remapped and
> accept or drop them after.
>

Thanks. I'll give it a try later and report back.

I thought about marking them in mangle/PREROUTING, but that would double the number of rules...

-Philip
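The two approaches Pascal describes, written out as an added example (not code from the thread): the first uses the `-m conntrack --ctstate DNAT` match in INPUT to accept only connections whose destination nat/PREROUTING rewrote and to reject direct hits on port 80; the second is the mangle/PREROUTING MARK fallback. `EXTIF`, `HIDDEN_PORT` and the mark value are assumptions, and the functions print the rules instead of applying them so the set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread. EXTIF and HIDDEN_PORT are assumptions;
# 8080 is only a stand-in for the real obscured port.
EXTIF="${EXTIF:-eth0}"
HIDDEN_PORT="${HIDDEN_PORT:-8080}"

# Approach 1: rely on conntrack's DNAT status. It is set on the connection when
# nat/PREROUTING rewrites the destination, so every packet of a remapped
# connection matches '--ctstate DNAT' in INPUT, while a packet that arrived on
# port 80 directly never does. Apply with: admin_web_rules | sh
admin_web_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport $HIDDEN_PORT -j DNAT --to-destination :80
iptables -A INPUT -i $EXTIF -p tcp --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
iptables -A INPUT -i $EXTIF -p tcp --dport 80 -j REJECT --reject-with tcp-reset
EOF
}

# Approach 2: mark the packet in mangle/PREROUTING (traversed before
# nat/PREROUTING) while the original port is still visible, then act on the
# mark in INPUT. Costs one extra rule per hidden port, as Philip notes.
admin_web_rules_mark() {
    cat <<EOF
iptables -t mangle -A PREROUTING -i $EXTIF -p tcp --dport $HIDDEN_PORT -j MARK --set-mark 0x1
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport $HIDDEN_PORT -j DNAT --to-destination :80
iptables -A INPUT -i $EXTIF -p tcp --dport 80 -m mark --mark 0x1 -j ACCEPT
iptables -A INPUT -i $EXTIF -p tcp --dport 80 -j REJECT --reject-with tcp-reset
EOF
}
```

In both variants the REJECT rule must come after the ACCEPT rule, since INPUT sees the packet with its destination already rewritten to port 80.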