[Firehol-support] DNAT, routing, interfaces

Daniel L. Miller dmiller at amfes.com
Sun Feb 13 14:48:49 GMT 2005


Thanx - I'm starting to understand.  Can I pass multiple port 
ranges/types to the NAT helpers, or do I need to have multiple lines?

Costa Tsaousis wrote:

>Hi Daniel,
>
>DNAT and router are needed.
>
>DNAT is only "re-writing" the packets. It does not allow or deny anything.
>It just manipulates traffic.
>
>Router is only about traffic passing through the firewall host. So if you
>DNAT a packet that was originally targeting the firewall host, it will now
>just pass-through the firewall host.
>
>Interface is only about traffic REALLY targeting to or originating from
>the firewall host itself.
>
>At the packet filtering level, iptables matches what will REALLY happen
>(after all DNAT and before any SNAT manipulation).
>
>Costa
>
>  
>
>>If I want to redirect a request from the Internet to an internal host,
>>which of the following lines do I need?  I'm still trying to understand
>>the differences.
>>
>>dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" proto tcp dport 80 log "forwarding http"
>>
>>interface "${AMFESEXT_IF}" internet src not "${UNROUTABLE_IPS}
>>${AMFESLAN_LAN}" dst "${AMFESEXT_IP}"
>>        server http accept
>>
>>router internet2lan inface "${AMFESEXT_IF}" outface "${AMFESLAN_IF}"
>>        protection strong 100/sec 50
>>        server http accept
>>
>>Daniel
>>
>>    
>>
-- 
Daniel
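The following FireHOL configuration is an added illustration of the answer given above (DNAT plus router, with the interface rule left to traffic that really terminates on the firewall host); it is not from the thread and not from the FireHOL project. It reuses the variable names from Daniel's snippet and assumes they are defined earlier in the config; the sample addresses and interface names below are constructed placeholders, and the `version 5` line and the `dst` restriction on the router's `server http accept` rule are assumptions about FireHOL 1.x syntax.

```firehol
# FireHOL 1.x configuration language version (assumed for this example).
version 5

# Constructed placeholder values; the real config defines these elsewhere.
AMFESEXT_IF="eth0"                 # interface facing the Internet
AMFESLAN_IF="eth1"                 # interface facing the LAN
AMFESEXT_IP="203.0.113.10"         # public IP of the firewall host
BASTION_IP="192.168.10.5"          # internal host that actually serves HTTP
AMFESLAN_LAN="192.168.10.0/24"
UNROUTABLE_IPS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# 1. DNAT only rewrites the destination. Packets that arrive on the external
#    interface for the public IP, TCP port 80, now carry the bastion's address.
#    Nothing is allowed or denied here.
dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}" proto tcp dport 80 log "forwarding http"

# 2. Router: after DNAT the packet is no longer addressed to the firewall host,
#    so it is forwarded traffic and is filtered here. The filter sees what will
#    REALLY happen (post-DNAT), so the match is on the bastion, not the public IP.
router internet2lan inface "${AMFESEXT_IF}" outface "${AMFESLAN_IF}"
        protection strong 100/sec 50
        server http accept dst "${BASTION_IP}"

# 3. Interface: only traffic that really terminates on (or originates from) the
#    firewall host itself. HTTP for the public IP was rewritten before this point,
#    so no "server http accept" is needed here for the redirect to work; adding
#    one would expose a web server on the firewall host, not the bastion.
interface "${AMFESEXT_IF}" internet src not "${UNROUTABLE_IPS} ${AMFESLAN_LAN}" dst "${AMFESEXT_IP}"
        policy drop
        protection strong
        client all accept
```

The order of the blocks does not matter to FireHOL; what matters is that the DNAT rule sits in the NAT table and the router/interface rules in the filter table, so the filter always evaluates the rewritten destination. Restricting the router's accept to `dst "${BASTION_IP}"` keeps the rule from also forwarding HTTP to any other LAN host if a second DNAT is added later.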