On Wed, 23-02-2005 at 17:33 -0800, Rudi Starcevic wrote:
> Hi,
>
> I have www port-forwarding setup and running OK.
>
> However I wonder if the way I have configured it is not the most
> optimal for speed and performance.
>
> I have a default policy of DROP with a total of about 30 rules.
>
> These rules below do my www port-forwarding, can you see if there is a
> better way to do this ?
>
> # ENABLE FORWARDING / NAT / MASQUERADING
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> # NAT Forwarding Setup
> $IPTABLES --table nat --append POSTROUTING --out-interface $ETH0 -j MASQUERADE

The only thing I can say about your rules is that if you know the
firewall IP, it's much better to use SNAT than MASQUERADE, because you
gain some speed with it.

> $IPTABLES -A FORWARD -i $ETH1 -j ACCEPT
> $IPTABLES -A FORWARD -i $ETH0 -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # http Port-Forwarding setup
> $IPTABLES -t nat -A PREROUTING -i $ETH0 -p tcp --dport 80 -d $MEDIA1_IP -j DNAT --to $MEDIA1_LO:80

The rule is OK; I don't know how you could do it better to achieve more
speed.

> Many thanks,
> Kind regards
> Rudi

Regards.

--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@xxxxxxxxx
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
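
The SNAT suggestion above, as an added example that is not part of the original thread: a shell function that prints the port-forwarding rules in iptables-restore format, using SNAT when a static external address is configured and MASQUERADE otherwise. The addresses, the FW_IP variable and the function names are assumptions, and the FORWARD chain is narrowed beyond what the thread shows (state rule first, new inbound traffic limited to port 80 on the web server).

```shell
#!/bin/sh
# Added example (not from the thread). Interface names and addresses are
# constructed placeholders; override them through the environment.
ETH0="${ETH0:-eth0}"                  # external interface
ETH1="${ETH1:-eth1}"                  # internal interface
MEDIA1_IP="${MEDIA1_IP:-192.0.2.10}"  # public address receiving port 80
MEDIA1_LO="${MEDIA1_LO:-10.0.0.10}"   # internal web server
FW_IP="${FW_IP-192.0.2.1}"            # static external IP; empty = dynamic

# Succeed only for a dotted quad with four octets in 0..255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# SNAT when the external address is static, MASQUERADE when it is not known.
snat_rule() {
    if [ -z "$FW_IP" ]; then
        echo "-A POSTROUTING -o $ETH0 -j MASQUERADE"
    elif is_ipv4 "$FW_IP"; then
        echo "-A POSTROUTING -o $ETH0 -j SNAT --to-source $FW_IP"
    else
        echo "invalid FW_IP: $FW_IP" >&2; return 1
    fi
}

# Print the nat and FORWARD rules in iptables-restore format. Established
# traffic is matched first; new inbound connections are limited to the DNAT target.
emit_ruleset() {
    nat_line=$(snat_rule) || return 1
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $ETH0 -p tcp -d $MEDIA1_IP --dport 80 -j DNAT --to-destination $MEDIA1_LO:80
$nat_line
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $ETH1 -j ACCEPT
-A FORWARD -i $ETH0 -p tcp -d $MEDIA1_LO --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}
```

Check the output with `emit_ruleset | iptables-restore --test`; loading it without `--noflush` replaces the existing nat and filter tables, so merge it with the rest of the rule set first.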