-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Sep 28, 2005 at 09:09:27AM -0700, Kirk Bocek wrote:
> 
> 
> Rodrigo Barbosa wrote:
> > 
> > Humm, that should be relatively simple:
> > 
> > iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j ACCEPT
> > iptables -t nat -A PREROUTING -p tcp --destination-port 8000 -j DNAT
> > --to-destination ${DESTINATION_SERVER}
> > 
> > iptables -A FORWARD -p tcp --destination-port 8000 -d
> > ${DESTINATION_SERVER} -s ${SOURCE1} -j ACCEPT
> > iptables -A FORWARD -p tcp --destination-port 8000 -d
> > ${DESTINATION_SERVER} -s ${SOURCE2} -j ACCEPT
> > iptables -A FORWARD -p tcp --destination-port 8000 -d
> > ${DESTINATION_SERVER} -s ${SOURCE3} -j ACCEPT
> > iptables -A FORWARD -p tcp --destination-port 8000 -d
> > ${DESTINATION_SERVER} -s ${SOURCE4} -j ACCEPT
> > iptables -A FORWARD -p tcp --destination-port 8000 -d
> > ${DESTINATION_SERVER} -j REJECT --reject-with tcp-reset
> 
> Rodrigo, wouldn't the port filtering take place in the INPUT chain?
> 
> iptables -P INPUT DROP
> iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT

My bad. I started writing thinking it would have to redirect port 80 too,
then noticed my mistake. After that, I forgot to move it to the INPUT chain.

[]s

- -- 
Rodrigo Barbosa <rodrigob at suespammers.org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDO0cwpdyWzQ5b5ckRAnJRAJ4zVWlovWJyUfbl6Kj1souw5dDzfgCfXVPg
GXFr9h5h8MIGEO11Et6z1I0=
=2sp/
-----END PGP SIGNATURE-----
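The ruleset the thread converges on (port 80 served by the firewall itself and filtered in INPUT; port 8000 DNATed to an internal server and filtered in FORWARD, limited to four source addresses, everyone else answered with a TCP reset), assembled as one script. This is an added example, not code from either poster; the addresses, the four-client list and the `conntrack` rules for loopback and established flows are assumptions, and by default it only prints the `iptables` commands (`IPTABLES=iptables` applies them for real):

```shell
#!/bin/sh
# Added example: the corrected ruleset from the thread as a reviewable script.
# Everything here is an assumption for illustration: the addresses are
# documentation ranges, and IPTABLES defaults to "echo iptables" so the
# commands are printed rather than applied (no root needed to inspect them).

DESTINATION_SERVER="${DESTINATION_SERVER:-10.0.0.10}"                    # assumed internal server
SOURCES="${SOURCES:-192.0.2.1 192.0.2.2 198.51.100.7 203.0.113.9}"       # assumed allowed clients
IPTABLES="${IPTABLES:-echo iptables}"                                    # set IPTABLES=iptables to apply

# Emit (or apply) the complete ruleset, one iptables invocation per rule.
build_rules() {
    # Traffic addressed to the firewall itself is filtered in INPUT, not FORWARD.
    # With a DROP policy, loopback and already-established flows must be allowed
    # explicitly, otherwise the SSH session used to load the rules dies too.
    $IPTABLES -P INPUT DROP
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

    # Port 8000 is forwarded: rewrite the destination in nat/PREROUTING, then
    # filter in FORWARD. Filtering runs after DNAT, so the FORWARD rules must
    # match the translated address, i.e. the internal server.
    $IPTABLES -t nat -A PREROUTING -p tcp --dport 8000 -j DNAT --to-destination "$DESTINATION_SERVER"
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for src in $SOURCES; do
        $IPTABLES -A FORWARD -p tcp -d "$DESTINATION_SERVER" --dport 8000 -s "$src" -j ACCEPT
    done
    # Anyone else gets a RST: an immediate "connection refused" for the client
    # instead of the silent timeout a plain DROP would produce.
    $IPTABLES -A FORWARD -p tcp -d "$DESTINATION_SERVER" --dport 8000 -j REJECT --reject-with tcp-reset
}

# Dry-run helper: number of "-A <chain>" rules the script would install.
count_rules() {
    build_rules | grep -c -- "-A $1 "
}

build_rules
```

Run it once with the default `echo` wrapper and read the output before pointing `IPTABLES` at the real binary; the order matters, since the ACCEPT rules for the four sources must precede the catch-all REJECT in FORWARD.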