Well, at the moment my FORWARD table blocks a few virus ports and protects a few of my on-campus servers. Otherwise it has a blanket ACCEPT at the bottom, so I'm not preventing outside connections there. But they don't seem to be working across the netmap. Should netmap prevent outside connections, or have I broken it somehow?

On Wed, 8 Feb 2006, John A. Sullivan III wrote:

> On Wed, 2006-02-08 at 08:35 -0500, Stephen Beck wrote:
> > I have several dorm firewalls with nearly 250 users behind each.
> > I NAT the inside IPs using netmap. This has been up and running for
> > 6 months and for the inside users it's working fine. For the most part
> > I don't want connections originating from the outside and netmap seems
> > to be preventing this. However I now have an application that needs to
> > be able to originate a stream from the outside to any inside
> > IP (CopySense).
> >
> > I'm really not sure:
> > if netmap alone should block incoming connections?
> > how to go about allowing them?
> >
> > From what I see the following is a start:
> > existing netmap lines on one router:
> >
> > Chain POSTROUTING (policy ACCEPT 6 packets, 300 bytes)
> >   362 20370 NETMAP  all  --  *  *  10.0.20.0/24  0.0.0.0/0  205.133.141.0/24
> >    75  4208 NETMAP  all  --  *  *  10.0.21.0/25  0.0.0.0/0  205.133.140.0/25
> >   223 10925 NETMAP  all  --  *  *  10.0.22.0/25  0.0.0.0/0  205.133.140.128/25
> >
> > to allow the outside connection for my laptop this works:
> >
> > Chain PREROUTING (policy ACCEPT 1620 packets, 92093 bytes)
> > target  prot opt in  out  source     destination
> > DNAT    all  --  *   *    0.0.0.0/0  205.133.141.42  to:10.0.20.42
> >
> > I'll tighten up that rule once I get it working ;-)
> >
> > However I need to allow that rule to work for all 255 IPs
> > and I can't seem to get the syntax right ???
> >
> >
> > Stephen Beck, Marietta College, 740-376-4366
>
> You've hit upon an important distinction -- the nat table does not
> handle access control. That will be handled by your filter table and,
> in this case, the FORWARD chain.
>
> I would suggest a FORWARD policy of DROP and only allow outbound traffic
> and inbound from the specific socket you want to allow.
>
> If you need more information on using nat and filter, Oskar Andreasson
> has a great tutorial at
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html and there
> are some slightly dated training slide shows in the training section of
> the ISCS network security management project at
> http://iscs.sourceforge.net. Hope this helps - John
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan@xxxxxxxxxxxxxxxxxxx
>
> If you would like to participate in the development of an open source
> enterprise class network security management system, please visit
> http://iscs.sourceforge.net
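As an added illustration of John's point (this is not a ruleset from the thread, and not Stephen's configuration), here is a small shell function that emits an iptables-restore file for one dorm subnet: NETMAP in both directions in the nat table, where the PREROUTING mapping is the "all 255 IPs" form of the per-laptop DNAT rule, and a filter FORWARD chain with policy DROP that admits only outbound connections and one inbound application port. The subnet arguments reuse the first mapping shown in the thread; the port argument is a placeholder, since the CopySense port is not given.

```shell
#!/bin/sh
# Added example, not the list poster's configuration.
# Print an iptables-restore ruleset for one 1:1 NETMAP'd subnet.
#   $1  inside prefix  (e.g. 10.0.20.0/24)
#   $2  public prefix  (e.g. 205.133.141.0/24)
#   $3  TCP port the outside application must reach (placeholder value)
build_ruleset() {
    inside_net=$1
    public_net=$2
    app_port=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Inbound: rewrite the public prefix to the inside prefix, host bits kept.
# One rule replaces a per-host DNAT for every address in the block.
-A PREROUTING -d ${public_net} -j NETMAP --to ${inside_net}
# Outbound: the existing POSTROUTING mapping (source rewrite).
-A POSTROUTING -s ${inside_net} -j NETMAP --to ${public_net}
COMMIT
*filter
:FORWARD DROP [0:0]
# Access control lives here, not in the nat table. FORWARD sees inside
# addresses in both directions: PREROUTING has already translated the
# destination, and POSTROUTING has not yet translated the source.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s ${inside_net} -m state --state NEW -j ACCEPT
-A FORWARD -d ${inside_net} -p tcp --dport ${app_port} -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Succeeds when the generated ruleset contains the given fixed string;
# handy for checking a build before loading it.
ruleset_has() {
    build_ruleset "$1" "$2" "$3" | grep -qF -- "$4"
}
```

Pipe the output into iptables-restore to load it; without --noflush that replaces the whole nat and filter tables, so merge in the existing virus-port and server-protection rules first.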