Hi, I have a question about a web server in a DMZ. I have applied rules to do public IP <-> private IP mapping. For the web server in the DMZ, I would only allow TCP port 80 to go to the web server in the DMZ. I use a default DROP policy, so should I permit TCP port 80 in the INPUT chain or the FORWARD chain? Also, should I use stateful inspection (NEW, RELATED, ESTABLISHED) in both chains or only in the INPUT chain?

version 1:

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -A INPUT -i $EXT -d $HTTP_INET_IP -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A PREROUTING -i $EXT -d $HTTP_INET_IP -j DNAT --to $DMZ_HTTP_IP
    iptables -t nat -A POSTROUTING -o $EXT -s $DMZ_HTTP_IP -j SNAT --to $HTTP_INET_IP
    iptables -A FORWARD -i $EXT -o $DMZ_IF -d $DMZ_HTTP_IP -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

version 2:

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -A INPUT -i $EXT -d $HTTP_INET_IP -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A PREROUTING -i $EXT -d $HTTP_INET_IP -j DNAT --to $DMZ_HTTP_IP
    iptables -t nat -A POSTROUTING -o $EXT -s $DMZ_HTTP_IP -j SNAT --to $HTTP_INET_IP
    iptables -A FORWARD -i $EXT -o $DMZ_IF -d $DMZ_HTTP_IP -p tcp --dport 80 -j ACCEPT
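The question above turns on which chain a DNATed packet traverses. Netfilter rewrites the destination in nat/PREROUTING, then makes the routing decision; a packet whose new destination is the DMZ host is routed out another interface and therefore passes through FORWARD, never INPUT (INPUT only sees packets addressed to the firewall itself). So the port-80 accept belongs in FORWARD, matched on the post-DNAT address, and the INPUT rule for $HTTP_INET_IP never matches the web traffic at all. The second thing both versions above miss is that with FORWARD set to DROP, the web server's replies (entering on $DMZ_IF, leaving on $EXT) need their own accept: neither rule matches them, because both are restricted to -i $EXT. The usual shape is one ESTABLISHED,RELATED rule at the top of each chain, followed by per-service NEW rules. The script below is an added example of that layout, not the poster's code; it emits an iptables-restore ruleset so it can be reviewed and syntax-checked before loading. The interface names, addresses and the check function are assumptions for illustration, and it uses the conntrack match (`-m conntrack --ctstate`), the modern spelling of `-m state --state`.

```shell
#!/bin/sh
# Added example: DNATed web server in a DMZ, default-DROP firewall.
# Interface names and addresses are assumed for illustration.
EXT="${EXT:-eth0}"                              # Internet-facing interface (assumed)
DMZ_IF="${DMZ_IF:-eth1}"                        # DMZ interface (assumed)
HTTP_INET_IP="${HTTP_INET_IP:-203.0.113.10}"    # public IP, documentation range (assumed)
DMZ_HTTP_IP="${DMZ_HTTP_IP:-10.0.1.80}"         # web server's private IP (assumed)

# Print the complete ruleset in iptables-restore format ('#' lines are comments).
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite the public address to the web server before routing. Replies are
# un-DNATed by conntrack automatically; no reverse rule is needed.
-A PREROUTING -i $EXT -d $HTTP_INET_IP -p tcp --dport 80 -j DNAT --to-destination $DMZ_HTTP_IP
# Only needed when the web server itself opens outbound connections.
-A POSTROUTING -o $EXT -s $DMZ_HTTP_IP -j SNAT --to-source $HTTP_INET_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT only sees traffic addressed to the firewall itself; the DNATed
# web traffic never arrives here, so there is no port-80 rule.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# FORWARD: one stateful rule admits replies in both directions (this is what
# lets the web server's SYN-ACKs back out towards the Internet) ...
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# ... and one rule admits NEW connections, matched on the post-DNAT address.
-A FORWARD -i $EXT -o $DMZ_IF -d $DMZ_HTTP_IP -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of rules in CHAIN whose text matches PATTERN (assumed helper).
count_rules() {  # usage: count_rules CHAIN PATTERN
    gen_ruleset | grep -c -- "^-A $1 .*$2" || true
}

# Reviewer sanity checks before loading: the web rule lives in FORWARD, not
# INPUT; FORWARD admits reply traffic statefully; exactly one DNAT exists.
check_ruleset() {
    [ "$(count_rules INPUT 'dport 80')" = 0 ] &&
    [ "$(count_rules FORWARD 'dport 80')" = 1 ] &&
    [ "$(count_rules FORWARD 'ESTABLISHED,RELATED')" = 1 ] &&
    [ "$(count_rules PREROUTING 'DNAT')" = 1 ]
}

# Load atomically (needs root). 'iptables-restore --test' only parses it.
apply_ruleset() {
    gen_ruleset | iptables-restore "$@"
}

case "${1:-}" in
    show)  gen_ruleset ;;
    check) check_ruleset && echo "ruleset OK" ;;
    apply) apply_ruleset ;;
esac
```

Usage: `sh dmz-http.sh show` to review the generated rules, `sh dmz-http.sh check` for the structural checks, and `sh dmz-http.sh apply --test` to let iptables-restore parse the ruleset without loading it. Note that the NEW rule matches `-d $DMZ_HTTP_IP`, not the public address: by the time the filter table runs, DNAT has already rewritten the destination.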