On Sun, Jun 22, 2003 at 05:44:49AM +0300, Elver Loho wrote:
> I was on #netfilter (irc.freenode.net) earlier and asked about a
> possible flaw in the NAT howto, but got no reply (people sleeping?) so
> I'm just going to paste what I said here and go to sleep. (nearing 6am
> currently)
>
>
> <elver> I have a question about masquerading. The NAT howto gives an
> example like this: "iptables -t nat -A POSTROUTING -o ppp0 -j
> MASQUERADE", but since it masks the packets that are outgoing on ppp0
> (by the destination IP, interface IP and netmask) then could that rule
> also be exploited by outside hosts tunneling?
> [...]

Well, using nat doesn't mean that you don't want to use packet filtering
anymore, does it? I mean, apart from your MASQUERADE rule you would still
have a packet filtering ruleset in the 'filter' table, just like on any
normal non-NAT firewall.

> Elver Loho
> kernelpenguin@xxxxxx

--
- Harald Welte <laforge@xxxxxxxxxxxxx>               http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                       -- Paul Vixie
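As an added example (not part of the thread or of the netfilter project), here is the howto's MASQUERADE rule side by side with the kind of 'filter' table ruleset the reply refers to: the NAT rule only rewrites source addresses, while the FORWARD chain decides what may be forwarded at all. The LAN interface eth0 and the subnet 192.168.0.0/24 are assumed values; ppp0 is the howto's uplink. Setting IPT=echo prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example, not the original thread's code. Assumed values:
# LAN side eth0 with 192.168.0.0/24; uplink ppp0 as in the NAT howto.
# IPT defaults to the real binary; IPT=echo gives a dry run.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
WAN_IF="${WAN_IF:-ppp0}"

nat_rules() {
    # The howto's rule: rewrite the source of everything leaving via ppp0.
    # It says nothing about which packets are allowed to be forwarded.
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

filter_rules() {
    # Default-deny for forwarded traffic; this is the part NAT does not do.
    "$IPT" -P FORWARD DROP
    # A packet with a LAN source address arriving on the uplink is spoofed.
    "$IPT" -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # Only traffic really originating from the LAN subnet may go out.
    "$IPT" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    # From the uplink, only replies to connections the LAN opened.
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

apply_all() {
    nat_rules
    filter_rules
}

# Dry run helper: number of FORWARD rules the script would install.
forward_rule_count() {
    (IPT=echo; apply_all) | grep -c -- '-A FORWARD'
}

# Install for real only when invoked as: sh thisfile.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```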