[CentOS] A little iptables help

Aleksandar Milivojevic alex at milivojevic.org
Thu Sep 29 14:21:40 UTC 2005

Quoting Rodrigo Barbosa <rodrigob at suespammers.org>:

> On Wed, Sep 28, 2005 at 11:46:50AM -0500, Aleksandar Milivojevic wrote:
>> Quoting Kirk Bocek <t004 at kbocek.com>:
>> >I did this successfully providing external SSH access to a collection
>> >of hosts on a private network. However for this to work, the hosts on
>> >the private net also need to be doing SNAT back out through the
>> >firewall.
>> Unless you are doing something funky, SNAT is not needed.  All he needs
>> is DNAT.
>> Netfilter should take care of returning packets automagically (unless, as I
>> said, you are doing something funky and confusing Netfilter with it).
> If you have a RELATED,ESTABLISHED matching rule only.

Somebody will probably correct me if I'm wrong, but I think the restriction is as
long as you have the connection tracking module loaded.  And you will have it as
soon as you call any of the NAT targets (iptable_nat module depends on 
module).  So you don't have to have any state-related rules at all.

This message was sent using IMP, the Internet Messaging Program.
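The setup the thread is discussing, written out as an added example (not from any of the posters): a DNAT-only forward of an external SSH port to one host on the private network. Interface names, addresses and the admin source network are placeholders chosen for the example. Connection tracking records the DNAT translation and reverses it on the reply packets regardless of what the filter table does, which is why no SNAT rule is needed; the reply packets still have to be accepted in the FORWARD chain, so the ESTABLISHED,RELATED rule is only redundant when that chain's policy is ACCEPT. The script prints the commands by default (DRY_RUN=1) so the rule set can be reviewed before running it as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: DNAT-only SSH port forward on a netfilter gateway.
# All addresses and interface names below are assumed placeholders.
# DRY_RUN=1 prints the commands instead of executing them (default).
DRY_RUN="${DRY_RUN:-1}"

EXT_IF="eth0"                # assumed external interface
EXT_ADDR="203.0.113.10"      # assumed public address (documentation range)
EXT_PORT="2222"              # public port exposed for this host
INT_HOST="192.168.1.20"      # assumed private host that should receive SSH
ADMIN_NET="198.51.100.0/24"  # assumed source network allowed to reach SSH

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit (or apply) the complete rule set for one forwarded SSH port.
ssh_dnat_rules() {
    # Routing must be enabled or the translated packets never leave the box.
    run sysctl -w net.ipv4.ip_forward=1

    # 1. Rewrite the destination of inbound packets for EXT_ADDR:EXT_PORT to the
    #    private host. Conntrack stores this mapping and un-NATs the replies, so
    #    no SNAT rule is required for return traffic. Restricting the source to
    #    the admin network keeps the forwarded SSH port off the open Internet.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp -s "$ADMIN_NET" \
        -d "$EXT_ADDR" --dport "$EXT_PORT" -j DNAT --to-destination "$INT_HOST:22"

    # 2. Accept only new connections toward port 22 on that host in FORWARD.
    run iptables -A FORWARD -i "$EXT_IF" -p tcp -d "$INT_HOST" --dport 22 \
        -m state --state NEW -j ACCEPT

    # 3. Follow-on packets in both directions are identified by conntrack state.
    #    Needed when the FORWARD policy is DROP; redundant when it is ACCEPT.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

ssh_dnat_rules
```

Run it once with the default DRY_RUN=1 to read the three iptables commands, then again with DRY_RUN=0 as root to apply them; check the result with `iptables -t nat -L PREROUTING -n` and `iptables -L FORWARD -n`.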
