>> On Wed June 24 2009 wrote Rob Sterenborg:
>>> $ipt -P FORWARD DROP
>>> $ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> $ipt -A FORWARD -m state --state NEW -p tcp --dport 22 -j ACCEPT
>>>
>> Watch out: with these rules you will allow any traffic to pass
>> that has destination port 22. Thus, the outside can contact you
>> on port 22, and the inside can contact any host on the Internet
>> on port 22.

Yes, I didn't say the ruleset was perfect; it's just a starting point.. ;-)

> No good then, I just want to allow traffic for ports defined by me,
> for the NAT'd machines.

So create more restrictive rules. Use -s and/or -d, etc. Think about what you specifically want to allow and drop (or reject) everything else. Your posts only mention port 22, so that's what my example does.

> Can you guys help on this? Sorry, but I really have no idea; with
> the PREROUTING it was easy for me.

We don't know what you really want; there are no details, so it's impossible to say what exactly you should do. If you tell us what you want you'll probably get a more detailed answer. However, this is quite basic stuff which really is covered in the IPTables Tutorial.

-- 
Rob
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
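The point raised in the quoted exchange is that an ACCEPT rule matching only `--dport 22` is unscoped: it admits new connections in both directions, from anyone, to anyone. The script below is an added example (not Rob's code and not from the netfilter list) of the "use -s and/or -d" advice applied to a FORWARD chain for NAT'd hosts. Every value in it is a constructed assumption: LAN `192.168.1.0/24` on `eth1`, WAN on `eth0`, one internal host `192.168.1.10` receiving forwarded SSH and HTTP, and LAN clients allowed out on 80/443 only. `IPT` defaults to `echo iptables` so the rules are only printed and can be reviewed before being applied on a real firewall; the `unscoped_accepts` helper is a self-check that flags any ACCEPT rule (other than the RELATED,ESTABLISHED one) that names neither a source nor a destination.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All addresses, interfaces
# and ports are constructed assumptions for illustration.

# On a real firewall run with IPT=iptables; the default only prints rules.
IPT="${IPT:-echo iptables}"

LAN_IF=eth1
WAN_IF=eth0
LAN_NET=192.168.1.0/24
SSH_HOST=192.168.1.10   # assumed DNAT target for port 22
WEB_HOST=192.168.1.10   # assumed DNAT target for port 80

build_forward_rules() {
    # Default deny: anything not explicitly allowed below is dropped.
    $IPT -P FORWARD DROP

    # Return traffic for connections already accepted in either direction.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Anti-spoofing: packets arriving on the WAN side must not carry a LAN source.
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Inbound: only NEW TCP to the exact host and port the DNAT rules forward.
    # Scoping with -i/-o and -d is what stops the rule from matching LAN-to-Internet
    # traffic on the same port, the flaw pointed out in the quoted reply.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$SSH_HOST" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_HOST" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT

    # Outbound: LAN hosts may open web connections only (multiport is the standard
    # xt_multiport match).
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp \
        -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # Rate-limited log of what the DROP policy is about to discard, so a
    # misconfiguration is visible in syslog instead of failing silently.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Self-check: count ACCEPT rules that carry neither -s nor -d (ignoring the
# RELATED,ESTABLISHED rule, which is intentionally global). Should print 0.
unscoped_accepts() {
    build_forward_rules \
        | grep -- '-j ACCEPT' \
        | grep -v -e '--state RELATED,ESTABLISHED' \
        | grep -v -e ' -s ' -e ' -d ' \
        | wc -l | tr -d ' '
}

build_forward_rules
echo "unscoped ACCEPT rules: $(unscoped_accepts)"
```

Run it as-is to review the generated rule list; set `IPT=iptables` (as root) to apply it. If `unscoped_accepts` ever reports a non-zero count after you edit the rules, an ACCEPT rule has lost its address scoping and should be looked at before loading.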