FORWARD rules

Hi,
I had kept the default policy of FORWARD as drop.
Now, I wanted to see an internal machine from internet. So, I used
DNAT as,

iptables -A PREROUTING -t nat -d <ext ip> -j DNAT --to <int ip>
It didn't work. When I set the default FORWARD policy to ACCEPT it
worked.

What is a better approach? I want to have a default DROP in FORWARD
chain. My FORWARD chain looked like this,


$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p udp -m udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

What more do I add to allow natting as well as a secure FORWARD policy?
Is the position of ESTABLISHED rule ok?

Thanks a lot for the help in advance and waiting eagerly for the mails.
With warm regards,
-Payal
-- 
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.
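As an added example that is not part of the original post: a rule set for the situation described above, with FORWARD kept at DROP, the ESTABLISHED,RELATED rule placed first so the per-service rules only have to admit NEW connections, and a FORWARD rule that matches the destination address as it is after PREROUTING DNAT (the internal address, not the external one). The addresses, the published port (80) and the variable names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the poster's script. Placeholder addresses:
#   EXT_IP  public address of the firewall (TEST-NET-3 range)
#   INT_IP  internal host being published
#   LAN     internal subnet allowed out
# Set IPTABLES to "echo iptables" to print the rules instead of loading them.
IPTABLES="${IPTABLES:-iptables}"
EXT_IP="${EXT_IP:-203.0.113.10}"
INT_IP="${INT_IP:-192.168.1.20}"
LAN="${LAN:-192.168.1.0/24}"

dnat_rules() {
    # Only port 80 is published; other ports on INT_IP stay unreachable
    # even though the FORWARD chain below also mentions only port 80.
    $IPTABLES -t nat -A PREROUTING -d "$EXT_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$INT_IP":80
}

forward_rules() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    # Stateful rule first: reply packets of every accepted connection
    # (outbound or DNATed inbound) are matched here and nowhere else.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Outbound from the LAN: DNS, HTTP, POP3 (NEW connections only).
    $IPTABLES -A FORWARD -s "$LAN" -p tcp --dport 53  -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -s "$LAN" -p udp --dport 53  -j ACCEPT
    $IPTABLES -A FORWARD -s "$LAN" -p tcp --dport 80  -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -s "$LAN" -p tcp --dport 110 -m state --state NEW -j ACCEPT
    # Inbound: PREROUTING DNAT runs before the routing decision, so by the
    # time the packet reaches FORWARD its destination is already INT_IP.
    $IPTABLES -A FORWARD -d "$INT_IP" -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

apply_firewall() {
    dnat_rules
    forward_rules
}
```

Run `IPTABLES='echo iptables' sh fw.sh` style (source the file, then call `apply_firewall`) to review the generated rules before loading them as root.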