On Wednesday 30 June 2004 9:15 pm, IZEM Farid wrote:

> Anthony,
>
> Ok, I understand what you explain and I will test as soon as possible.
> I always set up netfilter by adding rules to the INPUT, OUTPUT, DNAT, .. chains.
> But in this way, netfilter is very difficult to maintain.
> In fact, my firewall has 2 network interfaces and it's doing SNAT and
> DNAT. SNAT and DNAT are working properly but are difficult to administrate.
> As it is already in a production environment, I have to plan when modificat
>
> In your opinion, which solution is better:
>
> Create DNAT rules like
> iptables -t nat -A PREROUTING -d 192.19.93.100 -j DNAT --to-destination 92.92.1.100
> iptables -A FORWARD -i eth0 -o eth1 -p tcp -s 172.19.92.100 -d 92.92.1.100 --dport 23 -j ACCEPT
>
> Or
> iptables -t nat -A PREROUTING -s 172.19.92.100 -d 192.19.93.100 -p tcp --dport 23 -j DNAT --to-destination 92.92.1.100:23

You have omitted to list the FORWARDing rule which is needed with the second example of the PREROUTING rule:

iptables -A FORWARD -i eth0 -o eth1 -d 92.92.1.100 -j ACCEPT

(Following the style you have outlined with the differences between the two PREROUTING rules).

In other words, you always need a PREROUTING rule, and a FORWARD rule, for packets to get through the firewall and reach the intended machine.

As for my opinion as to which is better - I prefer the one which is easier (for you) to understand. Firewall maintenance is more important in almost all cases than ultimate efficiency of a ruleset, achieved by shaving a test here and there off the rules in case it takes up another CPU cycle or two.

In general that means I favour fully explicit rules - both for clarity and security. If you only intend to allow packets to TCP, port 23 (although I cannot imagine why you want to allow anything at all to that particular port....) and you want those packets to be allowed only from a specific IP address, going through the firewall in one particular direction, then make this clear in both the rules which are needed:

iptables -A PREROUTING -t nat -p tcp --dport 23 -i eth0 -s 172.19.92.100 -d 192.19.93.100 -j DNAT --to 92.92.1.100
iptables -A FORWARD -p tcp --dport 23 -i eth0 -o eth1 -s 172.19.92.100 -d 92.92.1.100 -j ACCEPT

If you find the duplication of information less clear, then simplify it so that you are happy with the rules (and they still provide the security you require). So long as you don't completely omit the source address (for example), so that packets get accepted from anywhere, then you should use the rules you will find easiest to understand in three months' time....

Regards,

Antony.

-- 
"Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns - the ones we don't know we don't know."

- Donald Rumsfeld, US Secretary of Defence

Please reply to the list; please don't CC me.
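Two points from the reply above lend themselves to a small script: the PREROUTING and FORWARD rules always come as a pair, and a rule that omits the source address accepts from anywhere. The following is an added example, not code from either message in this thread. It uses the interfaces and addresses Farid and Antony quote, and the function names `dnat_pair` and `audit_rules` are my own. The script prints rules rather than applying them, so it runs without root and the output can be reviewed before it is fed to the real firewall.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the explicit nat PREROUTING /
# filter FORWARD pair for one port forward, and audits a list of iptables
# command lines for DNAT or FORWARD-ACCEPT rules with no source restriction.

# dnat_pair IN_IF OUT_IF PROTO PORT SRC PUBLIC_DST INTERNAL_DST
# Prints both rules that are needed for a forwarded connection: the nat-table
# rewrite of the destination and the filter-table accept of the rewritten
# packet. Every match that is known (interface, protocol, port, source) is
# repeated in both rules, as the reply recommends.
dnat_pair() {
    in_if=$1; out_if=$2; proto=$3; port=$4; src=$5; pub=$6; internal=$7
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -s %s -d %s -j DNAT --to-destination %s:%s\n' \
        "$in_if" "$proto" "$port" "$src" "$pub" "$internal" "$port"
    printf 'iptables -A FORWARD -i %s -o %s -p %s --dport %s -s %s -d %s -j ACCEPT\n' \
        "$in_if" "$out_if" "$proto" "$port" "$src" "$internal"
}

# audit_rules < rules.txt
# Reads iptables command lines on stdin and prints each DNAT rule or
# FORWARD ... ACCEPT rule that carries no -s / --source match, i.e. one that
# accepts packets from anywhere. Returns 1 if at least one such rule was found.
audit_rules() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *"-j DNAT"*|*"-A FORWARD"*"-j ACCEPT"*)
                case " $line " in
                    *" -s "*|*" --source "*) ;;
                    *) printf 'no source restriction: %s\n' "$line"; found=1 ;;
                esac ;;
        esac
    done
    return $found
}

# Usage: the telnet forward from the thread, generated and then audited.
dnat_pair eth0 eth1 tcp 23 172.19.92.100 192.19.93.100 92.92.1.100
dnat_pair eth0 eth1 tcp 23 172.19.92.100 192.19.93.100 92.92.1.100 | audit_rules \
    && echo "audit: every DNAT/FORWARD rule restricts the source"
```

Running the shorter FORWARD rule from the reply (`iptables -A FORWARD -i eth0 -o eth1 -d 92.92.1.100 -j ACCEPT`) through `audit_rules` flags it, because nothing in that rule limits which source may reach the internal host; the fully explicit pair passes. Keeping a saved copy of the production rules and running the audit over it before each change is a cheap way to catch the "accepted from anywhere" mistake the reply warns about.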