[Firehol-support] DNAT, routing, interfaces

Daniel L. Miller dmiller at amfes.com
Mon Feb 14 15:23:37 CET 2005


Neat. I see how to define multiple ports for one protocol -

dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}"
proto tcp dport "80 90 100" log "forwarding something"

How can I write a DNAT line that has both TCP and UDP?

Costa Tsaousis wrote:

>Almost all "optional rule parameters" (i.e. src, dst, proto, sport, dport,
>etc) accept multiple values, if you separate them with spaces and enclose
>the whole list in quotes.
>
>Costa
>
>>Thanx - I'm starting to understand.  Can I pass multiple port
>>ranges/types to the NAT helpers, or do I need to have multiple lines?
>>
>>Costa Tsaousis wrote:
>>
>>>Hi Daniel,
>>>
>>>DNAT and router are needed.
>>>
>>>DNAT is only "re-writing" the packets. It does not allow or deny
>>>anything.
>>>It just manipulates traffic.
>>>
>>>Router is only about traffic passing through the firewall host. So if you
>>>DNAT a packet that was originally targeting the firewall host, it will now
>>>just pass-through the firewall host.
>>>
>>>Interface is only about traffic REALLY targeting to or originating from
>>>the firewall host itself.
>>>
>>>At the packet filtering level, iptables matches what will REALLY happen
>>>(after all DNAT and before any SNAT manipulation).
>>>
>>>Costa
>>>
>>>>If I want to redirect a request from the Internet to an internal host,
>>>>which of the following lines do I need?  I'm still trying to understand
>>>>the differences.
>>>>
>>>>dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}"
>>>>proto tcp dport 80 log "forwarding http"
>>>>
>>>>interface "${AMFESEXT_IF}" internet src not "${UNROUTABLE_IPS}
>>>>${AMFESLAN_LAN}" dst "${AMFESEXT_IP}"
>>>>       server http accept
>>>>
>>>>router internet2lan inface "${AMFESEXT_IF}" outface "${AMFESLAN_IF}"
>>>>       protection strong 100/sec 50
>>>>       server http accept
>>>>
>>>>Daniel
>>>>
>>--
>>Daniel
>>
>>
>>_______________________________________________
>>Firehol-support mailing list
>>Firehol-support at lists.sourceforge.net
>>https://lists.sourceforge.net/lists/listinfo/firehol-support
>>
>


-- 

AMFES <http://www.amfes.com/>


Daniel Miller, VP – Engineering
AM Fire & Electronic Services, Inc. (AMFES)
4655 Quality Court, Suite E Las Vegas, NV 89103
www.amfes.com
<http://www.amfes.com/>(702) 312-5276
(702) 312-5279 fax
dmiller at amfes.com <mailto:dmiller at amfes.com>

Cost-effective, code-compliant, value-engineered solutions for fire 
alarm, security, and tele/data.
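Added illustration (not part of the thread, and not FireHOL's own code): the exchange above separates the two jobs, "dnat" only rewrites the destination, "router" decides whether the rewritten packet may pass, and filtering sees the post-DNAT address. Following Costa's rule that optional parameters take a quoted, space-separated list, Daniel's line would become proto "tcp udp" dport "80 90 100". The script below expands such a dnat/router pair into the iptables rules they stand for, one per protocol, so the split is visible. The interface names, addresses and the exact iptables form (multiport match) are my own assumptions; FireHOL's generated rules may differ.

```shell
#!/bin/sh
# Constructed placeholders standing in for the thread's ${AMFESEXT_IF},
# ${AMFESLAN_IF}, ${AMFESEXT_IP} and ${BASTION_IP}.
EXT_IF="eth0"
LAN_IF="eth1"
EXT_IP="203.0.113.10"
BASTION_IP="192.0.2.20"

# ports_csv "80 90 100" -> "80,90,100" (the form iptables multiport expects)
ports_csv() {
  printf '%s' "$1" | tr ' ' ','
}

# emit_dnat PROTOS PORTS: one nat/PREROUTING rule per protocol.
# This is only the rewrite; it allows or denies nothing by itself.
emit_dnat() {
  protos=$1
  ports=$(ports_csv "$2")
  for p in $protos; do
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p %s -m multiport --dports %s -j DNAT --to-destination %s\n' \
      "$EXT_IF" "$EXT_IP" "$p" "$ports" "$BASTION_IP"
  done
}

# emit_router PROTOS PORTS: the FORWARD rule that actually permits the
# traffic. It matches what will really happen, i.e. the post-DNAT
# destination ($BASTION_IP), not the address the client originally sent to.
emit_router() {
  protos=$1
  ports=$(ports_csv "$2")
  for p in $protos; do
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p %s -m multiport --dports %s -j ACCEPT\n' \
      "$EXT_IF" "$LAN_IF" "$BASTION_IP" "$p" "$ports"
  done
}

# emit_rules PROTOS PORTS: the pair a single dnat + router combination
# stands for. Assumed mapping of:
#   dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" \
#        proto "tcp udp" dport "80 90 100"
#   router internet2lan inface "${AMFESEXT_IF}" outface "${AMFESLAN_IF}" ... accept
emit_rules() {
  emit_dnat "$1" "$2"
  emit_router "$1" "$2"
}

# Print the expansion; nothing is applied to the running firewall.
emit_rules "tcp udp" "80 90 100"
```

Running it prints four rules: two DNAT rewrites (tcp, udp) and two FORWARD accepts. Leaving out emit_router reproduces the situation Costa warns about: the packet is rewritten but never allowed through.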