On Wed, 2004-05-05 at 12:09, Paulo Andre wrote:
> I just need some clarification please.
>
> Take for example the following two rules:
>
> iptables -t nat -A PREROUTING -i $ext_card -s $client_IP -d $my_ext_ip -p tcp --dport 80 -j DNAT --to $int_web_IP:80
> iptables -A FORWARD -i $ext_card -d $int_web_IP -p tcp --dport 80 -j ACCEPT
>
> According to my thinking the above rule would be unsafe as the source was not
> specified on the FORWARD rule. As this would allow anyone using the firewall
> as a gateway to have access to $int_web_IP on port 80. Is that correct?
>

Assuming their traffic passes the prerouting rules and the $int_web_IP is routable for them, yes.

> Paulo

--
Raymond Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
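The exchange above, worked through as an added example that is not part of either message: a small Python model of the packet path (nat PREROUTING, routing decision, filter FORWARD) comparing the FORWARD rule as posted with one that also carries `-s $client_IP`. The addresses are constructed samples, the function names are hypothetical, and a default FORWARD policy of DROP is assumed.

```python
# Constructed sample addresses standing in for the shell variables in the rules.
CLIENT_IP = "198.51.100.10"   # $client_IP
MY_EXT_IP = "203.0.113.1"     # $my_ext_ip
INT_WEB_IP = "192.0.2.80"     # $int_web_IP
OTHER_IP = "198.51.100.99"    # any host that is not $client_IP

def matches(rule, pkt):
    """A rule matches when every field it specifies equals the packet's field."""
    return all(pkt[key] == value for key, value in rule.items())

def traverse(pkt, forward_rules):
    """Verdict for a TCP packet arriving on the external interface."""
    pkt = dict(pkt)
    # nat PREROUTING: DNAT only for $client_IP -> $my_ext_ip:80
    if matches({"src": CLIENT_IP, "dst": MY_EXT_IP, "dport": 80}, pkt):
        pkt["dst"] = INT_WEB_IP
    # Routing decision: packets still addressed to the firewall go to INPUT,
    # so the FORWARD chain never sees them.
    if pkt["dst"] == MY_EXT_IP:
        return "INPUT"
    # filter FORWARD: first matching ACCEPT rule wins, else assumed policy DROP
    for rule in forward_rules:
        if matches(rule, pkt):
            return "ACCEPT"
    return "DROP"

# FORWARD rule as posted (no -s) and the same rule with -s $client_IP added.
AS_POSTED = [{"dst": INT_WEB_IP, "dport": 80}]
WITH_SOURCE = [{"src": CLIENT_IP, "dst": INT_WEB_IP, "dport": 80}]

def verdicts(forward_rules):
    """Run three constructed packets through the model and collect verdicts."""
    cases = {
        "client via external IP": {"src": CLIENT_IP, "dst": MY_EXT_IP, "dport": 80},
        "other via external IP": {"src": OTHER_IP, "dst": MY_EXT_IP, "dport": 80},
        # Only possible when $int_web_IP is routable for the sender.
        "other direct to web server": {"src": OTHER_IP, "dst": INT_WEB_IP, "dport": 80},
    }
    return {name: traverse(pkt, forward_rules) for name, pkt in cases.items()}

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("with -s", WITH_SOURCE)):
        print(label, verdicts(rules))
```

The model ignores the `-i $ext_card` match because every sample packet is taken to arrive on that interface.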