[Firehol-support] DNAT, routing, interfaces
Daniel L. Miller
dmiller at amfes.com
Sun Feb 13 14:48:49 GMT 2005
Thanx - I'm starting to understand. Can I pass multiple port
ranges/types to the NAT helpers, or do I need to have multiple lines?
Costa Tsaousis wrote:
>Hi Daniel,
>
>DNAT and router are needed.
>
>DNAT is only "re-writing" the packets. It does not allow or deny anything.
>It just manipulates traffic.
>
>Router is only about traffic passing through the firewall host. So if you
>DNAT a packet that was originally targeting the firewall host, it will now
>just pass-through the firewall host.
>
>Interface is only about traffic REALLY targeting to or originating from
>the firewall host itself.
>
>At the packet filtering level, iptables matches what will REALLY happen
>(after all DNAT and before any SNAT manipulation).
>
>Costa
>
>
>
>>If I want to redirect a request from the Internet to an internal host,
>>which of the following lines do I need? I'm still trying to understand
>>the differences.
>>
>>dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" proto tcp dport 80 log "forwarding http"
>>
>>interface "${AMFESEXT_IF}" internet src not "${UNROUTABLE_IPS} ${AMFESLAN_LAN}" dst "${AMFESEXT_IP}"
>> server http accept
>>
>>router internet2lan inface "${AMFESEXT_IF}" outface "${AMFESLAN_IF}"
>> protection strong 100/sec 50
>> server http accept
>>
>>Daniel
>>
>>
>>
--
Daniel
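Costa's three-layer model above (DNAT only rewrites, router filters what passes through, interface filters only what really ends at the host), written out as a complete FireHOL configuration. This is an added example, not the thread's own config: the interface names, addresses and bastion address are assumptions, and the space-separated `dport "80 443"` / `server "http https"` lists are FireHOL's rule-parameter syntax for several ports or services (check the manual for your version).

```firehol
# Added example, not from the thread. Interface names, the bastion
# address and the public address are assumed/constructed values.
version 5

BASTION_IP="192.168.10.5"        # internal web server (constructed)
EXT_IF="eth0"                    # Internet-facing interface (assumed)
LAN_IF="eth1"                    # LAN interface (assumed)
EXT_IP="203.0.113.10"            # firewall's public address (TEST-NET)

# 1. DNAT only rewrites: packets arriving on eth0 for the public address
#    get their destination changed to the bastion. Nothing is accepted yet.
dnat to "${BASTION_IP}" inface "${EXT_IF}" dst "${EXT_IP}" \
     proto tcp dport "80 443" log "forwarding http/https"

# 2. router: after the rewrite these packets are forwarded traffic, so this
#    is where they are accepted. Filtering sees the post-DNAT packet, so the
#    destination to match is the bastion, not the public address.
router internet2lan inface "${EXT_IF}" outface "${LAN_IF}"
    protection strong 100/sec 50
    server "http https" accept dst "${BASTION_IP}"

# 3. interface: only traffic that really ends at (or starts from) the
#    firewall host. The forwarded web traffic never appears here, so no
#    http rule is needed; only services the host itself offers.
interface "${EXT_IF}" internet src not "${UNROUTABLE_IPS}"
    policy drop
    protection strong
    server ssh accept
    client all accept
```

Load it with `firehol try`, which reverts the new rules automatically unless you confirm them, so a mistake in the DNAT/router pairing cannot lock you out of the host.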