[Firehol-support] DNAT, routing, interfaces

Costa Tsaousis costa at tsaousis.gr
Sun Feb 13 05:23:57 GMT 2005

Hi Daniel,

DNAT and router are needed.

DNAT is only "re-writing" the packets. It does not allow or deny anything.
It just manipulates traffic.

Router is only about traffic passing through the firewall host. So if you
DNAT a packet that was originally targeting the firewall host, it will now
just pass through the firewall host.

Interface is only about traffic REALLY targeting or originating from
the firewall host itself.

At the packet filtering level, iptables matches what will REALLY happen
(after all DNAT and before any SNAT manipulation).


> If I want to redirect a request from the Internet to an internal host,
> which of the following lines do I need?  I'm still trying to understand
> the differences.
> dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}"
> proto tcp dport 80 log "forwarding http"
> interface "${AMFESEXT_IF}" internet src not "${UNROUTABLE_IPS}"
>         server http accept
> router internet2lan inface "${AMFESEXT_IF}" outface "${AMFESLAN_IF}"
>         protection strong 100/sec 50
>         server http accept
> Daniel

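To make the three statements concrete, here is an added example (not taken from Costa's reply or Daniel's message) that puts them side by side with a note on where each one acts; it reuses the variable names from the quoted configuration and assumes they are defined earlier in the file.

```firehol
# Added example, not the configuration of either poster. ${AMFESEXT_IF},
# ${AMFESLAN_IF}, ${AMFESEXT_IP}, ${BASTION_IP} and ${UNROUTABLE_IPS} are
# assumed to be set above this point.

# 1. DNAT (nat/PREROUTING): rewrite only. A packet for port 80 on the
#    firewall's external address now carries ${BASTION_IP} as its
#    destination. Nothing is accepted or denied here.
dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" \
        proto tcp dport 80 log "forwarding http"

# 2. router (filter/FORWARD): the rewritten packet no longer targets the
#    host, so it passes through and is matched here with its NEW
#    destination. Filtering on dst ${BASTION_IP} works; a dst of
#    ${AMFESEXT_IP} would never match at this point.
router internet2lan inface "${AMFESEXT_IF}" outface "${AMFESLAN_IF}"
        protection strong 100/sec 50
        server http accept dst "${BASTION_IP}"

# 3. interface (filter/INPUT and OUTPUT): only traffic really addressed
#    to the firewall itself arrives here. The DNATed port-80 traffic does
#    not, so no "server http accept" is needed on this interface for it;
#    the interface only has to cover the host's own connections.
interface "${AMFESEXT_IF}" internet src not "${UNROUTABLE_IPS}"
        client all accept
```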