Joel, I tried forwarding ALL connections and then filtering by the forward chain but no luck. Once it reaches the PREROUTING chain and makes its decision does it pass any more chains? Or is that it? I have always read you don't want to filter in the NAT table and PREROUTING doesn't have a filter table, just NAT & MANGLE. Any ideas?

-Mike

----- Original Message -----
From: "Joel Newkirk" <netfilter@xxxxxxxxxx>
To: "Mike" <mikeeo@xxxxxxx>; <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, April 02, 2003 3:56 PM
Subject: Re: sub interface filtering

On Wednesday 02 April 2003 01:45 pm, Mike wrote:
> Hi guys I have the following setup and rules. And I can't seem to get
> the filtering to work.
> iptables -t nat -A PREROUTING -p tcp <routeable internetIP/28> --dport
> 80 -j DNAT --to 192.168.1.197
>
> iptables -t nat -A PREROUTING -p tcp <routeable internetIP/28> --dport
> 443 -j DNAT --to 192.168.1.197
> iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.197 -j SNAT --to
> <routeable internetIP/28
> but when I scan eth2:1 or eth2:2 from an outside machine I can see ALL
> the local services (ssh, pptp, dns etc..) Is the connection not passing
> the forwarding chain?

You are DNATting dport 80 and dport 443, but the remainder of the ports are not being DNATted, so they still target the firewall box. You'd need to DNAT all connections to the specified IP, then DROP all except ports 80 and 443 in FORWARD to avoid this.

Of course, this also shows that you are letting lots of (all?!?) ports through the INPUT chain to the box itself from outside, which you should lock down as well... A DROP policy on INPUT is called for, then ACCEPT required ports from eth2 for externally-accessed services (if any) and ACCEPT required (or all if desired) ports from the LAN machines.

j
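The ruleset Joel describes, written out as an added example (not posted by anyone in the thread): DNAT every connection arriving for the public alias addresses to the web host in nat/PREROUTING, then let only ports 80 and 443 through filter/FORWARD and put a DROP policy on INPUT. It also answers the question in Mike's reply: after nat/PREROUTING the packet goes through the routing decision and then filter/FORWARD (if it is being forwarded) or filter/INPUT (if it is for the box itself), so filtering in FORWARD does apply to DNATted traffic. All addresses and interface names are placeholders: 203.0.113.17/.18 stand for the public IPs on eth2:1/eth2:2 (the thread's <routeable internetIP/28>), eth0 and 192.168.1.0/24 for the LAN side. Set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumptions (placeholders):
# eth2 = external interface, eth2:1/eth2:2 = 203.0.113.17/.18 (public /28 members),
# eth0 = LAN interface, 192.168.1.0/24 = LAN, 192.168.1.197 = web host.
IPT="${IPT:-iptables}"          # IPT=echo prints the rules instead of applying them
EXT_IF="eth2"
LAN_IF="eth0"
LAN_NET="192.168.1.0/24"
WEB_HOST="192.168.1.197"
WEB_PUBLIC_IPS="203.0.113.17 203.0.113.18"   # addresses on eth2:1 and eth2:2
SNAT_IP="203.0.113.17"                       # source address for the web host's outbound traffic

apply_rules() {
    # Start from a clean slate in both tables.
    $IPT -F
    $IPT -t nat -F

    # --- nat table: DNAT *all* connections to the public aliases, not just 80/443,
    # so that no port is left targeting the firewall box itself.
    for pub in $WEB_PUBLIC_IPS; do
        $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$pub" -j DNAT --to-destination "$WEB_HOST"
    done
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$WEB_HOST" -j SNAT --to-source "$SNAT_IP"

    # --- filter table: default deny on INPUT and FORWARD.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # The box itself: loopback, replies to its own connections, and the LAN.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # Externally reachable services on the firewall itself go here, one port each
    # (none in this example), e.g.:
    #   $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 22 -j ACCEPT

    # Forwarded traffic: DNATted packets arrive here after the routing decision.
    # Only 80/443 to the web host are accepted; every other DNATted port is dropped
    # by the FORWARD policy, so a scan of eth2:1/eth2:2 shows just those two ports.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -d "$WEB_HOST" -p tcp -m multiport --dports 80,443 -j ACCEPT
    # LAN hosts may initiate outbound connections.
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
}

# Apply only when explicitly asked (needs root and the iptables binary):
#   sh firewall.sh apply        or, to preview:   IPT=echo sh firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Ordering matters in FORWARD: the ESTABLISHED,RELATED rule lets return packets through, the multiport rule admits new HTTP/HTTPS connections to the web host, and everything else DNATted to it falls to the DROP policy. Nothing from outside reaches the firewall's own INPUT chain any more because every packet addressed to the alias IPs has already been rewritten to the web host's address before routing.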