[CentOS] A little iptables help

Thu Sep 29 14:21:40 UTC 2005
Aleksandar Milivojevic <alex at milivojevic.org>

Quoting Rodrigo Barbosa <rodrigob at suespammers.org>:

> On Wed, Sep 28, 2005 at 11:46:50AM -0500, Aleksandar Milivojevic wrote:
>> Quoting Kirk Bocek <t004 at kbocek.com>:
>>
>> >I did this successfully providing external SSH access to a collection
>> >of hosts on a private network. However for this to work, the hosts on
>> >the private net also need to be doing SNAT back out through the
>> >firewall.
>>
>> Unless you are doing something funky, SNAT is not needed.  All he needs
>> is DNAT.
>> Netfilter should take care of returning packets automagically (unless, as I
>> said, you are doing something funky and confusing Netfilter with it).
>
> If you have a RELATED,ESTABLISHED matching rule only.

Somebody will probably correct me if I'm wrong, but I think restriction is as
long as you have connection tracking module loaded.  And you will have it as
soon as you call any of NAT targets (iptable_nat module depends on 
ip_conntrack
module).  So you don't have to have any state related rules at all.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.