Re: Redirection to local lan, isn't DNAT method unsafe.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thursday 01 April 2004 9:55 am, Bo Jacobsen wrote:

> > It is normally recommended *not* to do filtering in the nat or mangle
> > tables, however in this case if you really want to do what you say then
> > that is the solution.
> >
> > iptables -I PREROUTING -t nat -s 192.168.1.0/24 -d 192.168.10.10 -p tcp
> > --dport 80 -j DROP
> >
> > Note the -I which inserts the rule before the prerouting rule you listed
> > above.
>
> Thanks.
>
> > however in this case if you really want to do what you say then that is
> > the solution.
>
> Is there another and better way to redirect traffic to the inside ?

Well, DNAT is normally used to map externally-accessible public IPs to real 
internal systems on non-routable 10.x.y.z, 172.16.a.b or 192.168.c.d 
addresses, therefore the problem never arises (since people across the 
Internet can't send packets to the real private addresses even if they knew 
what they were).

There's isn't a "better" way to redirect traffic to other IP addresses, 
however why do you think it's a problem for people to use the "real" address 
instead of the one you're telling them to use.   They have access to the 
machine, so why does it really matter which address they use to connect to 
it?

Regards,

Antony.

-- 
RTFM may be the appropriate reply, but please specify exactly which FM to R.

                                                     Please reply to the list;
                                                           please don't CC me.



[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux