Quoting Rodrigo Barbosa rodrigob@suespammers.org:
> On Wed, Sep 28, 2005 at 11:46:50AM -0500, Aleksandar Milivojevic wrote:
>> Quoting Kirk Bocek t004@kbocek.com:
>>> I did this successfully, providing external SSH access to a collection of hosts on a private network. However, for this to work, the hosts on the private net also need to be doing SNAT back out through the firewall.
>> Unless you are doing something funky, SNAT is not needed. All he needs is DNAT. Netfilter should take care of returning packets automagically (unless, as I said, you are doing something funky and confusing Netfilter with it).
> If you have a RELATED,ESTABLISHED matching rule only.
Somebody will probably correct me if I'm wrong, but I think the restriction is as long as you have the connection tracking module loaded. And you will have it as soon as you call any of the NAT targets (the iptable_nat module depends on the ip_conntrack module). So you don't have to have any state-related rules at all.
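A DNAT-only SSH forwarding of the kind discussed above, written as an added example (not code from any poster in this thread). The interface name eth0, the external ports and the 192.168.10.x addresses are constructed placeholders; the script only prints the iptables commands so they can be inspected before being run as root.

```shell
#!/bin/sh
# Constructed example: forward external TCP ports to SSH on private hosts using
# DNAT only. Connection tracking (loaded with iptable_nat) reverses the
# translation for reply packets, so no SNAT on the private hosts is needed.
WAN_IF="eth0"   # placeholder external interface

# Emit the rules for one forwarding: external port -> private host:22.
# Arguments: external_port private_ip
dnat_ssh_rules() {
    ext_port="$1"; priv_ip="$2"
    # Rewrite the destination only; conntrack un-translates the replies.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:22\n' \
        "$WAN_IF" "$ext_port" "$priv_ip"
    # FORWARD sees the packet after DNAT, so match the private address and port 22.
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport 22 -j ACCEPT\n' \
        "$WAN_IF" "$priv_ip"
    # The translation itself needs no state rule, but a FORWARD chain with a
    # DROP policy must still admit the reply direction. This stateless form
    # can be replaced by a single -m state --state ESTABLISHED,RELATED rule.
    printf 'iptables -A FORWARD -o %s -p tcp -s %s --sport 22 -j ACCEPT\n' \
        "$WAN_IF" "$priv_ip"
}

# Build the full rule set from "port host" pairs read on stdin.
build_ruleset() {
    echo 'sysctl -w net.ipv4.ip_forward=1'
    while read -r port host; do
        [ -n "$port" ] && dnat_ssh_rules "$port" "$host"
    done
}

# Constructed sample mapping: external port -> private SSH host.
SAMPLE='2201 192.168.10.11
2202 192.168.10.12'

# To apply (as root): printf '%s\n' "$SAMPLE" | build_ruleset | sh
printf '%s\n' "$SAMPLE" | build_ruleset
```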