On Monday 26 July 2004 2:20 pm, Frédéric Gonzatti wrote:

> Thanks Antony,
>
> According to your explanations I think I'd rather include the following
> line in my iptables script:
> iptables -A POSTROUTING -t nat -o eth2 -j SNAT --to 62.160.X.Y
>
> But to be sure: I've got two computers on my DMZ which have IPs included in
> 192.168.2.0/255.255.255.0 and other computers on my LAN which have IPs
> included in 172.16.0.0/255.255.0.0, and a static public IP on my WAN
> firewall. So the best way is to use the line you advised me?

Yes.

> Where in my script do I have to add this line? At the beginning, just
> after a modprobe iptable_nat line?

I like to put it just before or just after the FORWARD rules, because it's
for packets which are being routed through the firewall.

> Last question: Do you see some clumsy things or errors in my script?
> Unfortunately I think there are .... ;-(

You have approximately twice as many rules as I would expect to see - you are
allowing each individual protocol (defined by its source port) in an
ESTABLISHED rule; most people would just use one ESTABLISHED rule to allow
all reply packets, no matter which protocol.

Also you have specific rules for FTP data connections on port 20 - better to
just leave these out and handle the packets as RELATED to the control
connection on port 21.

I prefer a simple ruleset if possible because it's easier to work with.

Regards,

Antony.

--
The difference between theory and practice is that in theory there is no
difference, whereas in practice there is.

Please reply to the list; please don't CC me.
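The trimmed ruleset Antony describes, written out as an added example (not a script from the thread): one ESTABLISHED,RELATED rule instead of a per-protocol reply rule, no port-20 rules because the FTP conntrack helper marks data connections RELATED to the port-21 control connection, and the SNAT rule placed next to the FORWARD rules. The interface name, subnets and public IP are taken from the thread (62.160.X.Y is kept as the original placeholder); the module name and the per-network NEW-connection policy are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. IPT and MODPROBE default to a
# dry run that prints the commands; set IPT=iptables MODPROBE=modprobe to apply.
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
WAN_IF=eth2                       # from the thread
DMZ_NET=192.168.2.0/24            # 192.168.2.0/255.255.255.0 in the thread
LAN_NET=172.16.0.0/16             # 172.16.0.0/255.255.0.0 in the thread
PUBLIC_IP=62.160.X.Y              # placeholder kept from the thread

build_ruleset() {
    # Assumed helper module name (2.4-era naming); with it loaded, FTP data
    # connections are tracked as RELATED, so no explicit port-20 rules are needed.
    $MODPROBE ip_conntrack_ftp
    $IPT -t filter -P FORWARD DROP
    # One rule accepts every reply packet, whatever the protocol.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only NEW connections need per-network policy (assumed: LAN may go anywhere
    # out the WAN, DMZ hosts may only open outbound FTP control connections).
    $IPT -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -s "$DMZ_NET" -o "$WAN_IF" -p tcp --dport 21 \
         -m state --state NEW -j ACCEPT
    # SNAT sits next to the FORWARD rules: it applies to routed packets.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to "$PUBLIC_IP"
}

# Helpers for checking the generated ruleset in dry-run mode.
count_established_rules() { build_ruleset | grep -c 'ESTABLISHED'; }
count_port20_rules()      { build_ruleset | grep -c 'port 20'; }
has_snat_rule()           { build_ruleset | grep -q -- "POSTROUTING -o $WAN_IF -j SNAT --to $PUBLIC_IP"; }

build_ruleset
```

Run it as-is to see the commands it would issue; the three helper functions let you confirm the ruleset has exactly one ESTABLISHED rule, no port-20 rules and the SNAT rule before applying it.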