Quoting Rodrigo Barbosa <rodrigob at suespammers.org>:

> On Wed, Sep 28, 2005 at 11:46:50AM -0500, Aleksandar Milivojevic wrote:
>> Quoting Kirk Bocek <t004 at kbocek.com>:
>>
>>> I did this successfully providing external SSH access to a collection
>>> of hosts on a private network. However for this to work, the hosts on
>>> the private net also need to be doing SNAT back out through the
>>> firewall.
>>
>> Unless you are doing something funky, SNAT is not needed. All he needs
>> is DNAT.
>> Netfilter should take care of returning packets automagically (unless, as I
>> said, you are doing something funky and confusing Netfilter with it).
>
> If you have a RELATED,ESTABLISHED matching rule only.

Somebody will probably correct me if I'm wrong, but I think the restriction is as long as you have the connection tracking module loaded. And you will have it as soon as you call any of the NAT targets (the iptable_nat module depends on the ip_conntrack module). So you don't have to have any state-related rules at all.
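A toy model of the point made above, added here as an example and not part of the thread or of netfilter itself: one PREROUTING DNAT rule plus a conntrack table is enough for reply packets to be un-DNATed on the way out, while a connection the private host initiates itself is left untouched (which is the only case where SNAT would be needed). All addresses and ports are constructed placeholders.

```python
"""Model of DNAT plus connection tracking, as netfilter does it.
Constructed example; 203.0.113.1 (firewall WAN), 10.0.0.5 (private SSH
host) and 198.51.100.7 (remote client) are placeholder addresses."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """Firewall with PREROUTING DNAT rules and a conntrack table (no SNAT)."""

    def __init__(self, wan_ip, dnat_rules):
        self.wan_ip = wan_ip
        # {(wan_ip, wan_port): (inner_ip, inner_port)}  e.g. 2222 -> 10.0.0.5:22
        self.dnat_rules = dnat_rules
        # conntrack: reply tuple (src, sport, dst, dport) -> original tuple
        self.reply_map = {}

    def from_wan(self, p):
        """Inbound packet: apply DNAT and record the original/reply tuples."""
        target = self.dnat_rules.get((p.dst, p.dport))
        if target is None:
            return p  # no DNAT rule: forwarded unchanged (FORWARD policy decides)
        original = (p.src, p.sport, p.dst, p.dport)
        reply = (target[0], target[1], p.src, p.sport)
        self.reply_map[reply] = original
        return Packet(p.src, p.sport, target[0], target[1])

    def from_lan(self, p):
        """Outbound packet: only a tracked reply is rewritten back to WAN ip/port."""
        original = self.reply_map.get((p.src, p.sport, p.dst, p.dport))
        if original is None:
            return p  # LAN-initiated connection: no SNAT rule, source stays private
        return Packet(original[2], original[3], original[0], original[1])


if __name__ == "__main__":
    box = NatBox("203.0.113.1", {("203.0.113.1", 2222): ("10.0.0.5", 22)})
    inbound = box.from_wan(Packet("198.51.100.7", 40000, "203.0.113.1", 2222))
    reply = box.from_lan(Packet("10.0.0.5", 22, "198.51.100.7", 40000))
    print("after DNAT:", inbound)
    print("reply as seen by client:", reply)
```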