On Wednesday 02 April 2003 01:45 pm, Mike wrote:
> Hi guys, I have the following setup and rules, and I can't seem to get
> the filtering to work.
>
> iptables -t nat -A PREROUTING -p tcp <routeable internetIP/28> --dport 80 -j DNAT --to 192.168.1.197
>
> iptables -t nat -A PREROUTING -p tcp <routeable internetIP/28> --dport 443 -j DNAT --to 192.168.1.197
>
> iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.197 -j SNAT --to <routeable internetIP/28>
>
> But when I scan eth2:1 or eth2:2 from an outside machine I can see ALL
> the local services (ssh, pptp, dns etc.). Is the connection not passing
> the forwarding chain?

You are DNATting dport 80 and dport 443, but the remainder of the ports
are not being DNATted, so they still target the firewall box. You'd need
to DNAT all connections to the specified IP, then DROP all except ports
80 and 443 in FORWARD to avoid this.

Of course, this also shows that you are letting lots of (all?!?) ports
through the INPUT chain to the box itself from outside, which you should
lock down as well... A DROP policy on INPUT is called for, then ACCEPT
required ports from eth2 for externally-accessed services (if any) and
ACCEPT required (or all if desired) ports from the LAN machines.

j
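As an added example that is not part of this thread (neither Mike's rules nor the reply author's), here is one way to write the ruleset the reply describes: DNAT everything aimed at the public address to the web host, a DROP policy on FORWARD with only 80/443 allowed through, and a DROP policy on INPUT that admits the LAN but nothing from eth2. It is a small shell script that emits an iptables-restore file. The public IP 203.0.113.17, the LAN interface eth0 and the LAN range 192.168.1.0/24 are assumed values, not from the post; eth2 and 192.168.1.197 are the thread's own.

```shell
#!/bin/sh
# Added example, not from the original thread: emits an iptables-restore
# ruleset following the reply's advice. Assumed values (not in the post,
# change to taste): public IP 203.0.113.17 on eth2, LAN on eth0 / 192.168.1.0/24.
PUB_IP="${PUB_IP:-203.0.113.17}"      # assumed: one of the /28 addresses (eth2:1 in the post)
WAN_IF="${WAN_IF:-eth2}"              # from the post
LAN_IF="${LAN_IF:-eth0}"              # assumed
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed
WEB_HOST="${WEB_HOST:-192.168.1.197}" # from the post

gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT every connection for the public IP, not only 80/443. Anything else
# aimed at that address now traverses FORWARD (and is dropped there)
# instead of landing on the firewall's own INPUT chain.
-A PREROUTING -i $WAN_IF -d $PUB_IP -j DNAT --to-destination $WEB_HOST
-A POSTROUTING -o $WAN_IF -s $WEB_HOST -j SNAT --to-source $PUB_IP
COMMIT
*filter
# Default DROP on INPUT and FORWARD; only explicitly listed traffic passes.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The firewall itself is reachable only from the LAN. Add explicit
# "-i $WAN_IF -p tcp --dport N -j ACCEPT" lines here for any service that
# really must be exposed to the Internet.
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only new HTTP/HTTPS connections may be forwarded to the web host;
# every other DNATted port is caught by the DROP policy.
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_HOST -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_HOST -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# LAN hosts may initiate outbound connections.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# "sh rules.sh" prints the ruleset for review; "sh rules.sh apply" loads it
# atomically with iptables-restore (run as root).
case "${1:-print}" in
    apply) gen_rules | iptables-restore ;;
    *)     gen_rules ;;
esac
```

After loading, a full-range scan of the public address from an outside host (for example `nmap -p- 203.0.113.17`) should show only 80 and 443 open; everything else is now DNATted to the web host and dropped in FORWARD rather than answered by the firewall. Two caveats: the example, like the original rules, carries no SNAT/MASQUERADE for the LAN range, so add one in POSTROUTING if LAN machines also go out through this box; and the firewall is no longer reachable from eth2 at all, so make sure you are administering it from the LAN side before applying.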