List: netfilter
Subject: Re: DNAT/MASQ Precedence
From: Katriel Traum <katriel () traum ! org ! il>
Date: 2003-01-31 12:50:39
On Friday 31 January 2003 11:19, Athan wrote:
> On Fri, Jan 31, 2003 at 01:14:06PM +0000, Katriel Traum wrote:
> > Okay, sounds good, so say I want to save myself 2000 SNAT ports (I don't
> > think I'll have 2000 sockets open at the same time).
> > Here's the ruleset I should use:
> >
> > iptables -A PREROUTING -i $INET_IF -p tcp --dport ! 60000:62000 -j DNAT \
> > --to-destination $DMZ_IP
> > iptables -A PREROUTING -i $INET_IF -p udp --dport ! 60000:62000 -j DNAT \
> > --to-destination $DMZ_IP
> >
> > iptables -A POSTROUTING -o $INET_IF -i $LAN_IF -j SNAT --to-source \
> > $INET_IP:60000-62000
>
> Looks good at first glance here.
>
> > as for ICMP, I didn't quite understand you. can you elaborate?
>
> For TCP to operate correctly you *NEED* some ICMP working. ICMP isn't
> just for ping! There are things like network, host and port
> unreachable. There's also things like Path MTU discovery which involves
> an ICMP message being sent back if a packet is too big for part of the
> route and has the Do not Fragment (DF) flag set.
> Basically not allowing ICMP in a blind fashion is NOT the way to do
> things. You probably just need to make sure you have the proper FORWARD
> rules (filter chain, it's the default so no -t) to allow both
> ESTABLISHED and RELATED. You can find these in any mention of SNAT in
> docs/howtos.
Of course ICMP is important. I wasn't going to leave it out.
The question is: will the rule
iptables -A PREROUTING -i $INET_IF -p icmp --dport ! 60000:62000 -j DNAT \
--to-destination $DMZ_IP
do it? And what about ICMP messages aimed back at the LAN?
This will all be accompanied by the appropriate -m state entries.
Katriel
>
> HTH,
>
> -Ath
--
+katriel כתריאל+
pgp key: traum.org.il/gpg.asc
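As an added example (not code from the thread), here is the layout the message discusses as a complete script: DNAT everything outside the reserved SNAT range to the DMZ host, SNAT the LAN through that range, and the FORWARD state rules Athan refers to. ICMP has no ports, so there is no ICMP DNAT rule; ICMP errors for tracked connections match as RELATED and conntrack delivers them to whichever host owns the original flow. Interface names, addresses and LAN_NET are assumed placeholders; POSTROUTING cannot match -i, so the LAN is selected by source network instead.

```shell
#!/bin/sh
# Added example (not from the thread): NAT plus FORWARD rules for the
# "everything to the DMZ except a reserved SNAT port range" layout.
# Interface names, addresses and LAN_NET are assumed placeholders.
# Set IPT=echo to dry-run: the rules are printed instead of loaded.
IPT="${IPT:-iptables}"
INET_IF="${INET_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
INET_IP="${INET_IP:-192.0.2.10}"      # TEST-NET placeholder for the public IP
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DMZ_IP="${DMZ_IP:-192.168.2.2}"
SNAT_RANGE="60000-62000"              # ports reserved for LAN masquerading
SNAT_MATCH="60000:62000"              # same range in --dport syntax

nat_rules() {
    # Inbound TCP/UDP to any port outside the reserved range -> DMZ host.
    "$IPT" -t nat -A PREROUTING -i "$INET_IF" -p tcp ! --dport "$SNAT_MATCH" \
        -j DNAT --to-destination "$DMZ_IP"
    "$IPT" -t nat -A PREROUTING -i "$INET_IF" -p udp ! --dport "$SNAT_MATCH" \
        -j DNAT --to-destination "$DMZ_IP"
    # No ICMP DNAT rule: ICMP has no ports, and ICMP errors for tracked
    # connections are matched as RELATED by conntrack and delivered to
    # whichever host (LAN or DMZ) owns the original flow.
    # POSTROUTING has no input interface; select LAN traffic by source net.
    "$IPT" -t nat -A POSTROUTING -o "$INET_IF" -s "$LAN_NET" \
        -j SNAT --to-source "$INET_IP:$SNAT_RANGE"
}

forward_rules() {
    # Replies and ICMP errors (RELATED) for known connections, both ways.
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections: LAN out to the Internet, Internet in to the DMZ only.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$INET_IF" -m state --state NEW -j ACCEPT
    "$IPT" -A FORWARD -i "$INET_IF" -d "$DMZ_IP" -m state --state NEW -j ACCEPT
    # Everything else, including unsolicited ICMP to the LAN, is dropped.
    "$IPT" -P FORWARD DROP
}

# Load the rules only when explicitly asked; needs root and iptables.
if [ "${1:-}" = "--apply" ]; then
    nat_rules
    forward_rules
fi
```

Run with `IPT=echo sh script.sh --apply` to review the generated rules before loading them.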