[CentOS] A little iptables help
Aleksandar Milivojevic
alex at milivojevic.org
Thu Sep 29 14:21:40 UTC 2005
Quoting Rodrigo Barbosa <rodrigob at suespammers.org>:
> On Wed, Sep 28, 2005 at 11:46:50AM -0500, Aleksandar Milivojevic wrote:
>> Quoting Kirk Bocek <t004 at kbocek.com>:
>>
>> >I did this successfully providing external SSH access to a collection
>> >of hosts on a private network. However for this to work, the hosts on
>> >the private net also need to be doing SNAT back out through the
>> >firewall.
>>
>> Unless you are doing something funky, SNAT is not needed. All he needs
>> is DNAT.
>> Netfilter should take care of returning packets automagically (unless, as I
>> said, you are doing something funky and confusing Netfilter with it).
>
> If you have a RELATED,ESTABLISHED matching rule only.
Somebody will probably correct me if I'm wrong, but I think the restriction is just that you have the connection tracking module loaded. And you will have it as soon as you call any of the NAT targets (the iptable_nat module depends on the ip_conntrack module). So you don't have to have any state-related rules at all.
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
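To make the DNAT-only point concrete, here is an added example ruleset (not from anyone in this thread): external SSH on a high port is forwarded to one internal host with a single DNAT rule, and no SNAT is applied. Connection tracking, loaded with the NAT table, reverses the destination rewrite on the replies by itself. The FORWARD rules are there only because a firewall with a DROP policy must still let the rewritten packet and its replies through. Interface names, addresses and the port are constructed placeholders; the script prints the commands for review and only pipes them to `sh` when `APPLY=1` is set. The SNAT fallback at the end covers the "funky" case: when the internal host's default route does not lead back through this box, the replies never reach conntrack, and rewriting the source to the firewall's LAN address forces them to.

```shell
#!/bin/sh
# Added example, not part of the original thread. All values are constructed.
WAN_IF="${WAN_IF:-eth0}"               # hypothetical external interface
LAN_IF="${LAN_IF:-eth1}"               # hypothetical internal interface
LAN_IP="${LAN_IP:-192.168.1.1}"        # constructed: firewall's LAN address
SSH_HOST="${SSH_HOST:-192.168.1.20}"   # constructed: internal SSH server
EXT_PORT="${EXT_PORT:-2222}"           # constructed: public port for SSH

# The minimal forward: DNAT on the way in, plus FORWARD permits. No SNAT.
# conntrack (pulled in by the nat table) un-DNATs the replies automatically.
dnat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $EXT_PORT -j DNAT --to-destination $SSH_HOST:22
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $SSH_HOST --dport 22 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Only for asymmetric routing (internal host does not route replies back via
# this firewall): rewrite the source so the replies come back here to be
# un-DNATed. Costs you the real client address in the server's logs.
snat_fallback_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $LAN_IF -p tcp -d $SSH_HOST --dport 22 -j SNAT --to-source $LAN_IP
EOF
}

# Helper used for checking the generated set: number of iptables commands.
rule_count() {
    dnat_rules | grep -c '^iptables'
}

# Print for review; apply only on explicit request.
dnat_rules
if [ "${APPLY:-0}" = "1" ]; then
    dnat_rules | sh
fi
```

Run it as-is to see the three commands; set `APPLY=1` (as root) to load them. Add `snat_fallback_rules` only after confirming the internal host's default gateway is not this firewall, since with symmetric routing it is unnecessary and hides the client address from the server.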