On Tue, 2003-04-15 at 11:52, Chris Partsenidis wrote:
> Greetings everyone,
>
> While building a complex set of rules for my firewall I have stumbled
> across a few problems and would like to know if there is anyone to
> help me clear a few things in my mind.
>
> If I was to set the FORWARD chain default policy to DROP, what rules
> would I be required to enter in order to allow e.g. my internal network
> hosts to telnet anywhere on the internet?
>
> For example take this setup:
>
> LAN -----------------FIREWALL------------------------ Internet
> 192.168.1.0/24                public ip: 200.0.0.1
>
> In this simple setup, my guess is that I'm required to create 3 rules
> for the telnet to work.
> One for the packets travelling from the LAN to the firewall, one for
> the opposite (internet to the firewall) and then one more
> for the POSTROUTING chain to masquerade the packets. Here is what I've
> done:
>
> 1) iptables -P FORWARD DROP
> 2) iptables -A FORWARD -s 192.168.1.0/24 -p tcp -d 0/0 --dport 23 -j ACCEPT
> 3) iptables -A FORWARD -p tcp -s 0/0 --sport 23 -d 200.0.0.1 -j ACCEPT

This one should be:

iptables -A FORWARD -p tcp -s 0/0 --sport 23 -d 192.168.1.0/24 -j ACCEPT

because the traffic is going back to the client, not the firewall.

> 4) iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -p tcp -d 0/0 --dport 23 -j MASQUERADE
>
> Would this be correct, and if not, can you please explain why. I'm not
> too sure if loading ip_conntrack would eliminate the need for rule no. 3.

No, conntrack is connection tracking for NAT. Without conntrack you would have many more rules to tell iptables how to track the NATed traffic.

> Regards,
> Chris Partsenidis
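The full rule set for the setup in the question, as an added example that is not part of the original thread. It assumes the addresses from the question (LAN 192.168.1.0/24, public IP 200.0.0.1) and an internet-facing interface named eth0, which is my assumption. Two points the thread touches on are made explicit: in the FORWARD chain the telnet reply already carries the LAN client's address, because conntrack undoes the MASQUERADE translation in nat PREROUTING before the packet is routed, so matching on the firewall's public address never hits; and the stateless return rule from the question lets any outside host push packets into the LAN simply by using source port 23, which `! --syn` narrows down and which the conntrack state match (the second variant) removes entirely, since it only accepts packets belonging to a connection the LAN side opened. With no arguments the script prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the setup from the
# question: LAN 192.168.1.0/24 behind a Linux router with public IP 200.0.0.1.
# The outside interface name eth0 is an assumption. Without --apply the
# script only prints the rules; with --apply it runs them (needs root).

LAN_NET="192.168.1.0/24"
WAN_IF="eth0"   # assumed name of the internet-facing interface

# Stateless variant: the rules from the question with the corrected return
# rule. In FORWARD the reply has already been de-NATed back to the LAN client
# by conntrack in nat PREROUTING, so its destination is the LAN network, not
# 200.0.0.1. '! --syn' keeps an outside host from opening a new connection
# into the LAN just by sending from source port 23.
stateless_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -s $LAN_NET -o $WAN_IF -p tcp --dport 23 -j ACCEPT
iptables -A FORWARD -i $WAN_IF -d $LAN_NET -p tcp --sport 23 ! --syn -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -p tcp --dport 23 -j MASQUERADE
EOF
}

# Stateful variant: one generic rule accepts replies to any connection the
# LAN opened, using the same conntrack entry that MASQUERADE relies on.
# Only NEW outbound telnet is allowed; everything else hits the DROP policy.
stateful_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $LAN_NET -o $WAN_IF -p tcp --dport 23 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Number of rules a variant appends to the FORWARD chain (policy line excluded).
forward_rule_count() {
    "$1" | grep -c '^iptables -A FORWARD'
}

main() {
    variant="${2:-stateful_rules}"
    if [ "${1:-}" = "--apply" ]; then
        "$variant" | sh -e
    else
        echo "# dry run; rerun with --apply as root to load these rules"
        "$variant"
    fi
}

main "$@"
```

`./rules.sh` prints the stateful variant; `./rules.sh --apply stateless_rules` loads the stateless one. The `-m conntrack --ctstate` match is the current spelling of the older `-m state --state` match from the era of the post; both need the connection tracking module loaded, which is what the second variant buys you over the three per-service rules of the first.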