On Thu, Sep 29, 2005 at 09:21:40AM -0500, Aleksandar Milivojevic wrote:
>> I did this successfully providing external SSH access to a collection of hosts on a private network. However, for this to work, the hosts on the private net also need to be doing SNAT back out through the firewall.
>
> Unless you are doing something funky, SNAT is not needed. All he needs is DNAT. Netfilter should take care of returning packets automagically (unless, as I said, you are doing something funky and confusing Netfilter with it).

If you have a RELATED,ESTABLISHED matching rule only.

> Somebody will probably correct me if I'm wrong, but I think the restriction is as long as you have the connection tracking module loaded. And you will have it as soon as you call any of the NAT targets (the iptable_nat module depends on the ip_conntrack module). So you don't have to have any state-related rules at all.

If your default rule for the related chain is DROP, then you do need the state rules.
[]s
--
Rodrigo Barbosa <rodrigob@suespammers.org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
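The point of the exchange, as an added example (not posted by anyone in the thread): a DNAT-only forward of external SSH to one internal host, plus the FORWARD rules that a default-DROP policy makes necessary. Interface name, ports and the 192.168.1.10 address are assumed placeholders; set IPT=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: external interface
# eth0, public port 2222, internal host 192.168.1.10 listening on 22.
# IPT=echo prints the rules instead of applying them (root not needed).
IPT="${IPT:-iptables}"

# ssh_dnat_rules EXT_IF EXT_PORT INT_HOST INT_PORT
ssh_dnat_rules() {
    ext_if="$1"; ext_port="$2"; int_host="$3"; int_port="$4"

    # DNAT inbound packets. Using the nat table loads connection
    # tracking, so reply packets are un-NATed automatically: no SNAT
    # rule is needed for this case.
    $IPT -t nat -A PREROUTING -i "$ext_if" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "${int_host}:${int_port}"

    # With a default-DROP FORWARD policy the DNAT rule alone is not
    # enough: the forwarded packets are still filtered here.
    $IPT -P FORWARD DROP

    # Admit only the new SSH connection towards the chosen host/port.
    $IPT -A FORWARD -i "$ext_if" -p tcp -d "$int_host" --dport "$int_port" \
        -m state --state NEW -j ACCEPT

    # Without this rule the rest of the session (both directions) hits
    # the DROP policy even though conntrack already knows the flow.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Note: net.ipv4.ip_forward must also be 1 for forwarding to happen.
}
```

Call it as `ssh_dnat_rules eth0 2222 192.168.1.10 22`; with `IPT=echo` you get exactly four iptables commands to review before applying.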