Firewall Rules

Victor Padro vpadro at gmail.com
Thu Aug 23 23:16:50 UTC 2007


Thank you Rashkae for your correction...

>>(and what's with the <http://10.0.0.2>? I can't
>>even figure out what you're thinking there.)
I don't know where that came from...  :)

I'm still concerned about the way of doing this. I am trying out some
router/firewall distros that I found, IPCop and Smoothwall,
and I think they could do the job, because they have a web GUI, so NAT rules can be
stated more easily, and other cool stuff; you should check them out.
Either way, Ubuntu is a great distro and I'll be researching a little
bit more... maybe
shorewall.net and netfilter.org. I recently found this
article <http://ezine.daemonnews.org/200202/multiweb.html>, and it's
kind of what I want.

And back to the last email's resolution: this is the right way of doing DNAT
using an old kernel, isn't it?

/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2-10.0.0.4
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to-destination 10.0.0.2-10.0.0.4
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to-destination 10.0.0.2-10.0.0.4
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.0.0.2-10.0.0.4

And these would be OK under Ubuntu 6.06 server, right?

/sbin/iptables -A FORWARD -d 10.0.0.2 -p tcp --dport 80 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -d 10.0.0.2 -j SNAT --to 10.0.0.1

If I want to add several entries, meaning FORWARD and POSTROUTING rules for
several servers, what would be the right way?

Thank you.



On 8/23/07, Rashkae <ubuntu at tigershaunt.com> wrote:
>
> Victor Padro wrote:
> > thank you Peter for the info,
> > anyway, this should be the right way to do it, isn't?
> >
> > $ /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
> > 10.0.0.2
> > $ /sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to
> > 10.0.0.2
> > $ /sbin/iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to
> > 10.0.0.2
> > $ /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
> > 10.0.0.3 <http://10.0.0.2/>
> > $ /sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to
> > 10.0.0.3 <http://10.0.0.2/>
> > $ /sbin/iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to
> > 10.0.0.3 <http://10.0.0.2/>
> > $ /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
> > 10.0.0.4 <http://10.0.0.2/>
> > $ /sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to
> > 10.0.0.4 <http://10.0.0.2/>
> > $ /sbin/iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to
> > 10.0.0.4 <http://10.0.0.2/>
> >
>
> No, this is not correct.  Incoming packets match one rule only, after
> which, they stop going down the chain.  For example, all your incoming
> port 80 packets will hit the first rule, and will therefore never get
> directed to 10.0.0.3  (and what's with the <http://10.0.0.2>? I can't
> even figure out what you're thinking there.)
>
> According to the IPTABLES man page, the correct way to do this is to
> specify a range of IP addresses in your --to-destination .
>
> /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT
> --to-destination 10.0.0.2-10.0.0.4
>
> However, according to the same man page, this is no longer supported
> since kernel 2.6.10, and I haven't seen any mention anywhere (including
> www.netfilter.org) on how else one is supposed to do this.  Maybe
> someone could ask Rusty?
>
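The question above asks how to lay out the DNAT, FORWARD and POSTROUTING rules once there are several backend servers. The script below is an added example, not code from this thread or from any of the distros mentioned in it. It takes the addresses (10.0.0.2-10.0.0.4, firewall at 10.0.0.1) and ports (80, 443, 25, 21) from the thread; the interface names eth0 (Internet side) and eth1 (server LAN) are assumptions. It prints the rules instead of applying them, so the set can be reviewed and then run as root on the firewall. Three points a defender would want that the thread's one-liners leave out: the DNAT rules match only traffic arriving on the Internet-facing interface, the FORWARD chain has a DROP policy so the per-server ACCEPT rules actually restrict something, and the SNAT rule is kept separate because it replaces the real client address with the firewall's, which is what the servers will then log.

```shell
#!/bin/sh
# Added example: generate per-server DNAT / FORWARD / SNAT rules for a pool of
# backend servers behind an iptables firewall. All interface names, addresses
# and ports below are assumptions taken from or added to the thread; nothing
# here touches the running kernel, the commands are only printed.

WAN_IF=eth0                  # assumed: interface facing the Internet
LAN_IF=eth1                  # assumed: interface facing the server LAN
FW_LAN_IP=10.0.0.1           # firewall address on the server LAN (from the thread)
POOL_RANGE=10.0.0.2-10.0.0.4 # contiguous pool for --to-destination (from the thread)
SERVERS="10.0.0.2 10.0.0.3 10.0.0.4"   # the same pool, one address per line of rules
PORTS="80 443 25 21"                   # ports published on the firewall (from the thread)
IPT=/sbin/iptables

# gen_rules prints the complete rule set, in the order it should be loaded.
gen_rules() {
    # Nothing is forwarded unless a rule below allows it.
    echo "$IPT -P FORWARD DROP"
    # Reply and related packets of already accepted connections pass first.
    echo "$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # One DNAT rule per published port. Restricting it to WAN_IF keeps LAN
    # clients from being rewritten too. The kernel picks one address in the
    # range per connection and keeps it for the life of that connection.
    for p in $PORTS; do
        echo "$IPT -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $p" \
             "-j DNAT --to-destination $POOL_RANGE"
    done

    # Per server: allow only NEW connections, only to the published ports,
    # only when they arrive from the Internet side.
    for s in $SERVERS; do
        for p in $PORTS; do
            echo "$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -d $s -p tcp --dport $p" \
                 "-m state --state NEW -j ACCEPT"
        done
    done

    # SNAT to the firewall's LAN address is only needed when a server's
    # default gateway is not this firewall (otherwise replies would bypass
    # the NAT table). Its cost: the servers see every client as 10.0.0.1,
    # so client addresses must be logged on the firewall instead.
    for s in $SERVERS; do
        echo "$IPT -t nat -A POSTROUTING -o $LAN_IF -d $s -j SNAT --to-source $FW_LAN_IP"
    done
}

# Print the rule set; review it, then run it on the firewall as root.
gen_rules
```

Because the generated ACCEPT rules are keyed on the destination server and port, adding a fifth server means adding its address to SERVERS (and extending POOL_RANGE if it is contiguous); the DNAT rule count stays one per port, which is the property the reply above was pointing at when it said only the first matching rule in a chain is used.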