Firewall Rules
Rashkae
ubuntu at tigershaunt.com
Thu Aug 23 14:30:44 UTC 2007
Victor Padro wrote:
> thank you Peter for the info,
> anyway, this should be the right way to do it, isn't?
>
> $ /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
> 10.0.0.2
> $ /sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to
> 10.0.0.2
> $ /sbin/iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to
> 10.0.0.2
> $ /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
> 10.0.0.3 <http://10.0.0.2/>
> $ /sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to
> 10.0.0.3 <http://10.0.0.2/>
> $ /sbin/iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to
> 10.0.0.3 <http://10.0.0.2/>
> $ /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
> 10.0.0.4 <http://10.0.0.2/>
> $ /sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to
> 10.0.0.4 <http://10.0.0.2/>
> $ /sbin/iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to
> 10.0.0.4 <http://10.0.0.2/>
>
No, this is not correct. Incoming packets match one rule only, after
which they stop going down the chain. For example, all your incoming
port 80 packets will hit the first rule, and will therefore never get
directed to 10.0.0.3 (and what's with the <http://10.0.0.2>? I can't
even figure out what you're thinking there.)
According to the iptables man page, the correct way to do this is to
specify a range of IP addresses in your --to-destination.
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT
--to-destination 10.0.0.2-10.0.0.4
However, according to the same man page, this is no longer supported
since kernel 2.6.10, and I haven't seen any mention anywhere (including
www.netfilter.org) on how else one is supposed to do this. Maybe
someone could ask Rusty?
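A toy model of the first-match behaviour described in the reply, added here as an illustration and not code from the thread. It walks a nat PREROUTING chain top-down, stops at the first matching DNAT rule, and keeps a per-rule hit counter (the role of the pkts column in iptables -v output). The sample traffic from 192.0.2.0/24 is constructed, and the way an address is picked inside a --to-destination range is a deliberate simplification of what the kernel does, not its real algorithm.

```python
"""First-match evaluation of a nat PREROUTING chain (constructed model)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class Rule:
    proto: str
    dport: int
    to_first: IPv4Address
    to_last: IPv4Address   # equal to to_first for a single-address target
    hits: int = 0          # stands in for the pkts counter shown by iptables -v


def dnat_rule(proto: str, dport: int, to: str) -> Rule:
    """Build a rule from --to-destination syntax: 'a.b.c.d' or 'a.b.c.d-w.x.y.z'."""
    first, _, last = to.partition("-")
    return Rule(proto, dport, IPv4Address(first), IPv4Address(last or first))


def pick_in_range(rule: Rule, src: IPv4Address) -> IPv4Address:
    # Simplification (assumption): the kernel maps a flow onto one address of the
    # range; a modulo of the source address is used here purely for illustration.
    size = int(rule.to_last) - int(rule.to_first) + 1
    return IPv4Address(int(rule.to_first) + int(src) % size)


def prerouting(chain: List[Rule], proto: str, dport: int, src: str) -> Optional[IPv4Address]:
    """Walk the chain top-down; the first matching rule's target ends evaluation."""
    for rule in chain:
        if rule.proto == proto and rule.dport == dport:
            rule.hits += 1
            return pick_in_range(rule, IPv4Address(src))
    return None  # no rule matched: the packet keeps its original destination


def original_chain() -> List[Rule]:
    """The nine per-host rules from the question, in the order they were added."""
    chain = []
    for host in ("10.0.0.2", "10.0.0.3", "10.0.0.4"):
        for port in (80, 21, 25):
            chain.append(dnat_rule("tcp", port, host))
    return chain


def range_chain() -> List[Rule]:
    """One rule per port, using the --to-destination range form from the reply."""
    return [dnat_rule("tcp", port, "10.0.0.2-10.0.0.4") for port in (80, 21, 25)]


def simulate(chain: List[Rule], traffic: List[Tuple[int, str]]) -> Tuple[List[str], List[int]]:
    """Return the chosen destination per packet and the 1-based numbers of rules never hit."""
    dests = [str(prerouting(chain, "tcp", dport, src)) for dport, src in traffic]
    dead = [i for i, rule in enumerate(chain, start=1) if rule.hits == 0]
    return dests, dead


# Constructed sample traffic: (destination port, client source address).
TRAFFIC = [(80, "192.0.2.10"), (21, "192.0.2.11"), (25, "192.0.2.12"), (80, "192.0.2.13")]

if __name__ == "__main__":
    dests, dead = simulate(original_chain(), TRAFFIC)
    print("per-host rules:", dests, "rules never matched:", dead)
    dests, dead = simulate(range_chain(), TRAFFIC)
    print("range rule:    ", dests, "rules never matched:", dead)
```

With the per-host rule set every packet lands on 10.0.0.2 and rules 4 through 9 are never reached; with the range form all three rules see traffic. On a real gateway the same check is `iptables -t nat -L PREROUTING -v -n --line-numbers`: a shadowed rule's pkts counter stays at zero no matter how much traffic arrives.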