[CentOS] A little iptables help

Rodrigo Barbosa rodrigob at suespammers.org
Thu Sep 29 15:41:27 UTC 2005


On Thu, Sep 29, 2005 at 09:21:40AM -0500, Aleksandar Milivojevic wrote:
> >>>I did this successfully providing external SSH access to a collection
> >>>of hosts on a private network. However for this to work, the hosts on
> >>>the private net also need to be doing SNAT back out through the
> >>>firewall.
> >>
> >>Unless you are doing something funky, SNAT is not needed.  All he needs
> >>is DNAT.
> >>Netfilter should take care of returning packets automagically (unless, as I
> >>said, you are doing something funky and confusing Netfilter with it).
> >
> >If you have a RELATED,ESTABLISHED matching rule only.
> 
> Somebody will probably correct me if I'm wrong, but I think restriction is as
> long as you have connection tracking module loaded.  And you will have it as
> soon as you call any of NAT targets (iptable_nat module depends on ip_conntrack
> module).  So you don't have to have any state related rules at all.

If your default rule for the related chain is DROP, then you do need
the state rules.

[]s

-- 
Rodrigo Barbosa <rodrigob at suespammers.org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
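The point of the thread in a runnable form, as an added example that is not from any of the posters: a DNAT rule forwarding external SSH to one private host, with a FORWARD chain whose policy is DROP, which is exactly the case where the RELATED,ESTABLISHED state rule becomes mandatory. The interface, the private host and the LAN network are assumptions; setting IPT to "echo iptables" prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: DNAT external SSH to a private host behind a default-DROP
# FORWARD chain.  Only the first packet of a connection traverses the nat
# table; every later packet (including the server's replies, which conntrack
# un-NATs) is decided by the filter FORWARD chain.  With policy DROP and no
# state rule, those later packets are dropped and the session never completes.
#
# All addresses and interface names below are assumptions for illustration.
IPT="${IPT:-iptables}"                 # set IPT="echo iptables" for a dry run
WAN_IF="${WAN_IF:-eth0}"
SSH_HOST="${SSH_HOST:-192.168.1.10}"   # private host to expose on port 22
LAN_NET="${LAN_NET:-192.168.1.0/24}"

apply_rules() {
    # nat table: rewrite the destination of inbound SSH arriving on the WAN side
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 22 \
        -j DNAT --to-destination "$SSH_HOST"
    # SNAT/MASQUERADE only matters for LAN-initiated traffic; the DNATed SSH
    # replies are reverse-translated by conntrack without it.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # filter table: default-deny forwarding
    $IPT -P FORWARD DROP
    # The rule the thread argues about.  With a DROP policy it is required:
    # without it the second and later packets of the DNATed connection die here.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Allow only the NEW SSH connections that PREROUTING has already DNATed.
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -d "$SSH_HOST" --dport 22 \
        -m state --state NEW -j ACCEPT
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) IPT="echo iptables"; apply_rules ;;
esac
```

Run it as `sh fw.sh dry-run` to review the five commands, or `sh fw.sh apply` as root to load them.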

