[CentOS] Iptables masq traffic limiting
Robert Spangler
mlists at zoominternet.net
Mon Sep 1 05:29:38 UTC 2008
On Sunday 31 August 2008 22:31, Joseph L. Casale wrote:
> >We should be talking live. Why don't you join the #centos-social on
> > freenode so we can chat in real time?
>
> Robert,
> Just got back from my trip and reading that Tutorial, it went on to state
> what I now find to be two distinct opposite thoughts. It says at
> http://iptables-tutorial.frozentux.net/chunkyhtml/c962.html that you
> shouldn't filter in the NAT Postrouting chain as some streams of packets
> only have their first packet hit the chain and everything else is
> redirected, hence the possibility exists that some packets can miss the
> rule.
>
> It seems the Filter Forward chain is the safest place to limit what gets
> masq'ed so internal clients could only have say port 80/443 but no ftp
> access as an example.
That is correct. The only thing that should hit the NAT chain is what you
have already decided should be allowed out.
--
Regards
Robert
It is not just an adventure.
It is my job!!
Linux User #296285
http://counter.li.org
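The following is an added example, not code from the list post, showing the layout the thread recommends: the allow/deny decision lives in filter/FORWARD, and nat/POSTROUTING only masquerades what FORWARD has already accepted. It generates an iptables-restore file rather than calling iptables directly, so it can be inspected without root. The interface names (eth1 inside, eth0 outside), the internal network 192.168.1.0/24 and the port list are assumptions for the example. Because conntrack only sends the first packet of a connection through the nat table, a port filter placed in POSTROUTING would be skipped by every later packet of the stream; in FORWARD, every forwarded packet is checked, and the ESTABLISHED,RELATED rule lets the rest of an accepted connection through.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Emits an iptables-restore
# ruleset in which FORWARD limits which LAN traffic may leave, and
# POSTROUTING does nothing but masquerade. Interface names and the LAN
# network below are assumptions for the example.

LAN_IF="${LAN_IF:-eth1}"                 # inside interface (assumed)
WAN_IF="${WAN_IF:-eth0}"                 # outside interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # internal network (assumed)

# gen_ruleset PORT [PORT ...]
# Prints an iptables-restore file. Only the listed TCP destination ports may
# be opened from the LAN to the WAN; every other new LAN->WAN flow is dropped
# in FORWARD, so it never reaches nat/POSTROUTING at all.
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':FORWARD DROP [0:0]'
    # Packets belonging to a connection FORWARD already accepted, in either
    # direction. Without this, the second packet of an allowed flow would
    # fail the --state NEW match below and be dropped.
    printf '%s\n' "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in "$@"; do
        printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Explicit drop so the decision shows up in rule counters and can be
    # given a LOG rule in front of it if wanted.
    printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -j DROP"
    printf '%s\n' 'COMMIT'
    printf '%s\n' '*nat'
    # No filtering here: only traffic FORWARD accepted arrives at this chain,
    # and only the first packet of each connection does.
    printf '%s\n' "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
    printf '%s\n' 'COMMIT'
}

# allows_port WANT PORT [PORT ...]
# Returns 0 if the generated ruleset lets new LAN->WAN connections to
# TCP port WANT through FORWARD, 1 otherwise.
allows_port() {
    want="$1"; shift
    gen_ruleset "$@" | grep -q -- "--dport $want -m state --state NEW -j ACCEPT"
}

# To load it on the gateway (as root):  gen_ruleset 80 443 | iptables-restore
# Web (80/443) gets out; FTP control (21) is dropped in FORWARD, as in the
# thread's example of what the internal clients should and should not reach.
```

Run `gen_ruleset 80 443` to see the file before loading it. If a LOG rule is wanted, it belongs immediately before the final FORWARD DROP, again in the filter table, for the same reason the filtering itself does.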