RE: (no subject)

Antony,

Ok, I understand what you explain and I will test it as soon as possible.
I always set up netfilter by adding rules to the INPUT, OUTPUT, DNAT, ... chains.
But in this way, netfilter is very difficult to maintain.
In fact, my firewall has 2 network interfaces and it's doing SNAT and DNAT.
SNAT and DNAT are working properly but are difficult to administer.
As it is already in a production environment, I have to plan when modificat

In your opinion, which solution is better: 

	Create DNAT rules like
		iptables -t nat -A PREROUTING -d 192.19.93.100 -j DNAT \
				--to-destination 92.92.1.100
		iptables -A FORWARD -i eth0 -o eth1 -p tcp -s 172.19.92.100 \
				-d 92.92.1.100 --dport 23 -j ACCEPT

	Or
		iptables -t nat -A PREROUTING -p tcp -s 172.19.92.100 -d 192.19.93.100 \
				--dport 23 -j DNAT --to-destination 92.92.1.100:23

	
Thanks Antony for your help.



Farid IZEM
Unix Systems Engineer
ABX Logistics France
48-50, route principale du port
92232 Gennevilliers
Tel.: 01-41-47-61-78
Email: farid.izem@xxxxxxxxxxxxxxx

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On behalf of Antony Stone
Sent: Wednesday 30 June 2004 16:19
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: (no subject)

On Wednesday 30 June 2004 2:33 pm, IZEM Farid wrote:

> Hi all,
>
> I'm trying to customize my iptables rules.
> Let us imagine we have three hosts which users have to access:
> 	HOST1
> 	HOST2
> 	HOST3
>
> Is this configuration correct?
> 	iptables -N HOST1_RULESETS
> 	iptables -N HOST2_RULESETS
> 	iptables -N HOST3_RULESETS
>
> In each new chain, I will add rules to accept connections to some services
> like telnet, ssh, IBM Client Access. And after, I will do this thing:
> 	iptables -A FORWARD -i eth0 -o eth1 -j HOST1_RULESETS
> 	iptables -A FORWARD -i eth0 -o eth1 -j HOST2_RULESETS
> 	iptables -A FORWARD -i eth0 -o eth1 -j HOST3_RULESETS
>
> In fact, what I'm looking for is to be able to organize my rules by host
> instead of adding all rules for all hosts to the FORWARD chain.
>
> With the configuration I describe, will all rules in the HOSTX_RULESETS
> chains be checked?
>
> I think, it's correct but I'm not totally sure.

Yes, that looks fine to me - the only thing you need to remember is that the 
first rule which matches, with an ACCEPT, DROP or REJECT target, will 
determine the fate of the packet.

Organising rules into user-defined chains like this is fine with netfilter, if 
it makes it easier for you to work with.

The only thing I would suggest changing about what you've written above is 
that if the chain HOST1_RULESETS is supposed to be for packets going only to 
HOST1, then your FORWARD rule jumping to that chain should only do so for 
packets going to HOST1 (similarly for HOST2, HOST3 etc).

iptables -A FORWARD -i eth0 -o eth1 -d $HOST1 -j HOST1_RULESETS

That ensures that packets for HOST2, which cannot possibly match any of the 
rules in HOST1_RULESETS, don't have to traverse all the way through the rules 
before then getting a chance at HOST2_RULESETS.

PS: Don't forget a general rule allowing for the reply packets :)

Regards,

Antony.

-- 
I want to build a machine that will be proud of me.

 - Danny Hillis, creator of The Connection Machine

                                                     Please reply to the list;
                                                           please don't CC me.
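The layout discussed in this thread, written out as an added example rather than code from either message: one user-defined chain per protected host, a FORWARD jump that only sends that host's packets into its chain (Antony's -d suggestion), DNAT done in nat/PREROUTING in front of the filter, and a single stateful rule for the replies. The addresses 92.92.1.100, 192.19.93.100 and 172.19.92.100 come from the thread; the interface names, the second host 92.92.1.101, the ssh/telnet service choice and the dry-run switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the layout Antony describes:
# one user-defined chain per protected host, jumped to only for that host's
# traffic, with DNAT done in nat/PREROUTING in front of it.
# Topology and addresses are assumptions modelled on the thread:
#   eth0 = outside interface, eth1 = inside interface
#   192.19.93.100 is the public address DNATed to HOST1 (92.92.1.100)
#   172.19.92.100 is the only client allowed to reach telnet on HOST1
#   HOST2 (92.92.1.101) is a second internal host that only takes ssh
# Run as:  sh fw.sh dry-run   (print the rules)   or   sh fw.sh apply   (as root)

HOST1=92.92.1.100
HOST1_PUBLIC=192.19.93.100
HOST2=92.92.1.101
ADMIN_CLIENT=172.19.92.100
OUTSIDE=eth0
INSIDE=eth1

# Every rule goes through here, so DRY_RUN=1 turns the script into a
# printer of the exact commands it would otherwise run.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Create a per-host chain and jump to it only for packets whose (already
# DNATed) destination is that host, so other hosts' packets never walk it.
new_host_chain() {
    nh_host=$1; nh_chain=$2
    ipt -N "$nh_chain"
    ipt -A FORWARD -i "$OUTSIDE" -o "$INSIDE" -d "$nh_host" -j "$nh_chain"
}

# Accept one TCP service in a host chain; extra match args (e.g. -s) go before --dport.
allow() {
    al_chain=$1; shift
    ipt -A "$al_chain" -p tcp "$@" -j ACCEPT
}

# Terminate a host chain explicitly: the first matching ACCEPT/DROP wins, and a
# packet that matches nothing here must not fall back into FORWARD for more.
end_host_chain() {
    ipt -A "$1" -j DROP
}

# Make the script re-runnable: flush what we own, then delete our own chains.
reset_rules() {
    ipt -F FORWARD
    ipt -t nat -F PREROUTING
    for c in HOST1_RULESETS HOST2_RULESETS; do
        ipt -F "$c" 2>/dev/null || :
        ipt -X "$c" 2>/dev/null || :
    done
}

build_firewall() {
    reset_rules
    ipt -P FORWARD DROP
    # One stateful rule covers the reply direction for every host chain
    # (Antony's PS); no per-host reverse rules are needed.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # DNAT runs in nat/PREROUTING before the routing decision, so by the time
    # FORWARD is consulted the destination is already the internal address.
    # The FORWARD and host-chain rules therefore match on $HOST1, never on
    # the public address.
    ipt -t nat -A PREROUTING -i "$OUTSIDE" -d "$HOST1_PUBLIC" -j DNAT --to-destination "$HOST1"

    new_host_chain "$HOST1" HOST1_RULESETS
    allow HOST1_RULESETS --dport 22
    allow HOST1_RULESETS -s "$ADMIN_CLIENT" --dport 23   # telnet is cleartext; one admin host only
    end_host_chain HOST1_RULESETS

    new_host_chain "$HOST2" HOST2_RULESETS
    allow HOST2_RULESETS --dport 22
    end_host_chain HOST2_RULESETS
}

case "${1:-}" in
    apply)   build_firewall ;;
    dry-run) DRY_RUN=1; build_firewall ;;
esac
```

The example keeps the DNAT rule unconditional (Farid's first option) and puts the source restriction on telnet inside the host chain, so the nat table stays a plain address map and every access decision lives in the filter table where the per-host chains are. Because the jump carries -d, the order of the host chains in FORWARD does not matter, and the explicit DROP at the end of each chain documents that anything not listed for that host is refused, independently of the FORWARD policy.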