On Sat, Nov 8, 2008 at 8:00 AM, Grant Taylor <gtaylor@xxxxxxxxxxxxxxxxx> wrote:
> Try the above and see if things work.

Thanks for the replies to date! I had a look thru the firewall rules that are created by the web interface and have this in the /etc/firewall/portfw/iptablesportfw file:

iptables -t nat -F PORTFW
iptables -t nat -F POSTPORTFW
iptables -F PORTFWACCESS
iptables -t nat -A PORTFW -d 192.168.2.2 -j DNAT -p tcp --dport 80 --to-destination 192.168.1.241:80
iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.1.241 -p tcp --dport 80 -j ALLOW
iptables -t nat -A PORTFW -d 192.168.2.2 -j DNAT -p tcp --dport 443 --to-destination 192.168.1.250:443
iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.1.250 -p tcp --dport 443 -j ALLOW
iptables -t nat -A PORTFW -d 192.168.2.2 -j DNAT -p tcp --dport 2222 --to-destination 192.168.1.241:22
iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.1.241 -p tcp --dport 22 -j ALLOW
iptables -t nat -A PORTFW -d 192.168.2.2 -j DNAT -p tcp --dport 2525 --to-destination 192.168.1.250:25
iptables -t filter -A PORTFWACCESS -s 210.xx.xx.xxx -d 192.168.1.250 -p tcp --dport 25 -j ALLOW
iptables -t nat -A PORTFW -d 192.168.2.2 -j DNAT -p tcp --dport 4125 --to-destination 192.168.1.250:4125
iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.1.250 -p tcp --dport 4125 -j ALLOW
iptables -t nat -A PORTFW -d 192.168.2.2 -j DNAT -p tcp --dport 20 --to-destination 192.168.1.241:20
iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.1.241 -p tcp --dport 20 -j ALLOW
iptables -t nat -A PORTFW -d 192.168.2.2 -j DNAT -p tcp --dport 21 --to-destination 192.168.1.241:21
iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.1.241 -p tcp --dport 21 -j ALLOW
iptables -t nat -A PORTFW -d 192.168.2.2 -j DNAT -p udp --dport 4569 --to-destination 192.168.1.247:4569
iptables -t filter -A PORTFWACCESS -s 202.xx.xx.xxx -d 192.168.1.247 -p udp --dport 4569 -j ALLOW

Which is close, but not the same as your example above... have I got the right section here?

Simon
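
Added example, not part of the original message and not the firewall product's own code: a small audit script for a file in the format quoted above. It pairs each PORTFW DNAT rule with the PORTFWACCESS rule for the translated address and port (the filter rule is evaluated after DNAT, so it matches the internal port, e.g. 22 rather than 2222) and reports which forwards are open to any source. The function names and the sample source address 203.0.113.7 are assumptions made for the example.

```python
import shlex

# Constructed sample in the format of the iptablesportfw file quoted above
# (internal addresses as in the message; 203.0.113.7 is a made-up source).
SAMPLE = """\
iptables -t nat -A PORTFW -d 192.168.2.2 -j DNAT -p tcp --dport 2222 --to-destination 192.168.1.241:22
iptables -t filter -A PORTFWACCESS -s 0/0 -d 192.168.1.241 -p tcp --dport 22 -j ALLOW
iptables -t nat -A PORTFW -d 192.168.2.2 -j DNAT -p tcp --dport 2525 --to-destination 192.168.1.250:25
iptables -t filter -A PORTFWACCESS -s 203.0.113.7 -d 192.168.1.250 -p tcp --dport 25 -j ALLOW
iptables -t nat -A PORTFW -d 192.168.2.2 -j DNAT -p udp --dport 4569 --to-destination 192.168.1.247:4569
"""

def parse_rule(line):
    """Return the options of one 'iptables ...' line as a dict, or None."""
    tok = shlex.split(line, comments=True)
    if not tok or tok[0] != "iptables":
        return None
    opts = {"-t": "filter"}  # iptables uses the filter table when -t is absent
    i = 1
    while i < len(tok):
        if i + 1 < len(tok) and not tok[i + 1].startswith("-"):
            opts[tok[i]] = tok[i + 1]   # option with a value
            i += 2
        else:
            opts[tok[i]] = True         # option without a value
            i += 1
    return opts

def audit(text):
    """Pair every DNAT forward with its access rules and classify exposure."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    access = {}  # (internal host, proto, internal port) -> allowed sources
    for r in rules:
        if r.get("-A") == "PORTFWACCESS":
            key = (r.get("-d"), r.get("-p"), r.get("--dport"))
            access.setdefault(key, []).append(r.get("-s", "0/0"))
    report = []
    for r in rules:
        if r.get("-A") == "PORTFW" and r.get("-j") == "DNAT":
            host, _, port = r["--to-destination"].partition(":")
            port = port or r["--dport"]  # no port given: DNAT keeps the original
            srcs = access.get((host, r["-p"], port), [])
            if not srcs:
                status = "no-access-rule"
            elif any(s in ("0/0", "0.0.0.0/0") for s in srcs):
                status = "any-source"
            else:
                status = "restricted"
            report.append((r["-p"], r["--dport"], f"{host}:{port}", srcs, status))
    return report
```

Calling audit() on the contents of the real file gives one tuple per forward: protocol, external port, internal target, allowed sources and a status.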