[Firehol-support] DNAT, routing, interfaces

Costa Tsaousis costa at tsaousis.gr
Sun Feb 13 18:09:48 GMT 2005


Almost all "optional rule parameters" (i.e. src, dst, proto, sport, dport,
etc) accept multiple values, if you separate them with spaces and enclose
the whole list in quotes.

Costa

> Thanx - I'm starting to understand.  Can I pass multiple port
> ranges/types to the NAT helpers, or do I need to have multiple lines?
>
> Costa Tsaousis wrote:
>
>>Hi Daniel,
>>
>>DNAT and router are needed.
>>
>>DNAT is only "re-writing" the packets. It does not allow or deny
>> anything.
>>It just manipulates traffic.
>>
>>Router is only about traffic passing through the firewall host. So if you
>>DNAT a packet that was originally targeting the firewall host, it will now
>>just pass-through the firewall host.
>>
>>Interface is only about traffic REALLY targeting to or originating from
>>the firewall host itself.
>>
>>At the packet filtering level, iptables matches what will REALLY happen
>>(after all DNAT and before any SNAT manipulation).
>>
>>Costa
>>
>>
>>
>>>If I want to redirect a request from the Internet to an internal host,
>>>which of the following lines do I need?  I'm still trying to understand
>>>the differences.
>>>
>>>dnat to "${BASTION_IP}" inface "${AMFESEXT_IF}" dst "${AMFESEXT_IP}"
>>>proto tcp dport 80 log "forwarding http"
>>>
>>>interface "${AMFESEXT_IF}" internet src not "${UNROUTABLE_IPS} ${AMFESLAN_LAN}" dst "${AMFESEXT_IP}"
>>>        server http accept
>>>
>>>router internet2lan inface "${AMFESEXT_IF}" outface "${AMFESLAN_IF}"
>>>        protection strong 100/sec 50
>>>        server http accept
>>>
>>>Daniel
>>>
>>>
>>>
> --
> Daniel
>
>
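Putting the three pieces of this thread together in one FireHOL configuration (an added illustration, not a config posted by anyone in the thread; all interface names, addresses and networks are constructed placeholders): the `dnat` helper only rewrites the destination, the `interface` blocks cover traffic that really terminates on the firewall host, and the `router` block is what actually accepts the forwarded web traffic. Because iptables matches the post-DNAT destination, the router rule matches the internal host rather than the public address, and the quoted space-separated lists show the multi-value syntax Costa describes.

```firehol
version 5

# Constructed placeholder values (not from the thread)
EXT_IF="eth0"                # interface facing the Internet
LAN_IF="eth1"                # interface facing the LAN
EXT_IP="203.0.113.10"        # the firewall host's own public address
BASTION_IP="192.168.1.20"    # internal web server receiving the DNAT'd traffic
LAN_NET="192.168.1.0/24"
UNROUTABLE_IPS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"
ADMIN_NET="198.51.100.0/24"  # constructed range allowed to ssh to the firewall

# 1. NAT helper: rewrite the destination only. Several ports go in one
#    rule as a quoted, space-separated list. This neither accepts nor
#    drops anything by itself.
dnat to "${BASTION_IP}" inface "${EXT_IF}" dst "${EXT_IP}" \
    proto tcp dport "80 443"

# 2. Interface: only traffic that really ends at (or starts from) the
#    firewall host. After DNAT the web requests no longer terminate here,
#    so no http/https server entries belong on this interface.
interface "${EXT_IF}" internet src not "${UNROUTABLE_IPS}" dst "${EXT_IP}"
    protection strong 100/sec 50
    server ssh accept src "${ADMIN_NET}"
    client all accept

interface "${LAN_IF}" lan src "${LAN_NET}"
    server "dns ssh" accept
    client all accept

# 3. Router: traffic passing through the host. iptables sees the
#    post-DNAT destination, so match the internal host, not EXT_IP.
router internet2lan inface "${EXT_IF}" outface "${LAN_IF}"
    protection strong 100/sec 50
    server "http https" accept dst "${BASTION_IP}"

# LAN clients going out; an snat helper would be added separately if the
# LAN uses private addresses.
router lan2internet inface "${LAN_IF}" outface "${EXT_IF}" src "${LAN_NET}"
    route all accept
```

The `dst "${BASTION_IP}"` on the router's `server` line is the practical consequence of "iptables matches what will REALLY happen": without the DNAT rule the packet would still be addressed to `${EXT_IP}` and would never reach the router block at all, and with it the router must be written in terms of the rewritten destination.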