Re: Newbie question about nat

    Thank you very much!! It works perfectly!! :-)

    And now one last question: from a security point of view, what do you
think is better: discarding packets with DROP or with REJECT?

    Regards,

    Oriol


----- Original Message ----- 
From: "Antony Stone" <Antony@xxxxxxxxxxxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Monday, May 03, 2004 5:54 PM
Subject: Re: Newbie question about nat


On Monday 03 May 2004 4:33 pm, Oriol Magrané wrote:

>     Thank you!
>     Now I'd like to set up an ftp server inside with private ip
> 192.168.1.111 and public ip a.b.c.k
>     So the nat rules will be:
>
>         iptables -t nat -A PREROUTING -d a.b.c.k -j DNAT --to 192.168.1.111
>         iptables -t nat -A POSTROUTING -s 192.168.1.111 -j SNAT --to a.b.c.k
>
>     However I don't know how to use the ip_conntrack_ftp and ip_nat_ftp
> modules when it comes to writing the accept/drop rules.
>     If the server was a web server, I would use these rules:
>
>         iptables -A FORWARD -d 192.168.1.111 -p tcp --destination-port 80 -m state --state NEW,ESTABLISHED -j ACCEPT
>         iptables -A FORWARD -s 192.168.1.111 -p tcp --source-port 80 -m state --state ESTABLISHED -j ACCEPT

I don't normally write an ESTABLISHED rule for each protocol (specifying the
source port) - I would normally have just one rule on a firewall allowing
reply packets for all protocols:

iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

You don't need to bother about securing the machines it's supposed to allow
connections from (-s) or the protocols it's supposed to allow (-p tcp,
--sport) because those have already been taken care of by the rule allowing
the connection to get set up in the first place.   Note the -I (insert) to
make sure this rule appears at the top of the FORWARD chain for efficiency.

>     But how should they be to allow active ftp access to 192.168.1.111
> using the ip_conntrack_ftp and ip_nat_ftp modules?

iptables -A FORWARD -d 192.168.1.111 -p tcp --dport 21 -j ACCEPT

along with the single system-wide rule I gave above.

Regards,

Antony.

-- 
"There has always been an underlying argument that we should open up our
source code more broadly. The fact is that we are learning from open source
and we are opening our code more broadly through Shared Source.

Is there value to providing source code? The answer is unequivocally yes."

 - Jason Matusow, head of Microsoft's Shared Source Program, in response to
recent leaks of Windows source code on the Internet.

Please reply to the list; please don't CC me.
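The rule set Antony describes, together with Oriol's NAT rules, assembled into one script as an added example; it is not code from the thread. It assumes 203.0.113.10 as a stand-in for the thread's public address a.b.c.k, keeps the 2004 module names but falls back to the current nf_conntrack_ftp/nf_nat_ftp names, and adds one rule the thread does not mention: on kernels from 4.7 onwards the ftp helper is no longer attached to connections automatically by default, so it is assigned explicitly in the raw table. Setting IPT="echo iptables" prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: Antony's FORWARD rules plus Oriol's NAT
# rules as one script. IPT/MODPROBE default to the real tools; set
# IPT="echo iptables" MODPROBE="echo modprobe" to print the rules instead of
# applying them (no root needed).
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"

# Assumed addresses: 203.0.113.10 stands in for the thread's a.b.c.k
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
FTP_SERVER="${FTP_SERVER:-192.168.1.111}"

load_ftp_helpers() {
    # Module names from the thread (2.4 / early 2.6 kernels); current kernels
    # call them nf_conntrack_ftp and nf_nat_ftp, so fall back to those.
    $MODPROBE ip_conntrack_ftp 2>/dev/null || $MODPROBE nf_conntrack_ftp
    $MODPROBE ip_nat_ftp 2>/dev/null || $MODPROBE nf_nat_ftp
}

ftp_nat_rules() {
    # 1:1 NAT between the public address and the server, as in Oriol's post
    $IPT -t nat -A PREROUTING -d "$PUBLIC_IP" -j DNAT --to-destination "$FTP_SERVER"
    $IPT -t nat -A POSTROUTING -s "$FTP_SERVER" -j SNAT --to-source "$PUBLIC_IP"
}

ftp_forward_rules() {
    # One reply rule inserted at the top of the chain (-I), as Antony describes:
    # ESTABLISHED matches packets of the control connection in both directions,
    # RELATED matches the data connections the ftp helper expects after it has
    # parsed PORT (active) or PASV (passive) on the port-21 stream.
    $IPT -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The only connection that has to be opened explicitly is the control one
    $IPT -A FORWARD -d "$FTP_SERVER" -p tcp --dport 21 -j ACCEPT
    # Catch-all for anything not matched above. DROP vs REJECT is the question
    # left open in the thread; the rules above work the same with either.
    $IPT -P FORWARD DROP
}

ftp_helper_assign_rule() {
    # Not on the page: since kernel 4.7 conntrack helpers are not assigned
    # automatically by default, so attach the ftp helper in the raw table.
    # raw PREROUTING runs before DNAT, hence the match on the public address.
    $IPT -t raw -A PREROUTING -d "$PUBLIC_IP" -p tcp --dport 21 -j CT --helper ftp
}

setup_ftp_nat() {
    load_ftp_helpers
    ftp_helper_assign_rule
    ftp_nat_rules
    ftp_forward_rules
}

# Apply only when asked:   FTP_NAT_APPLY=1 sh ftp-nat.sh
# Dry run:  IPT="echo iptables" MODPROBE="echo modprobe" FTP_NAT_APPLY=1 sh ftp-nat.sh
if [ "${FTP_NAT_APPLY:-0}" = 1 ]; then
    setup_ftp_nat
fi
```

After applying it, a data connection negotiated on port 21 should show up in the conntrack table (e.g. `conntrack -L`, or /proc/net/ip_conntrack on old kernels) marked RELATED to the control connection; if it does not, the helper was not loaded or not assigned, and active-mode transfers will hang at the data phase.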
