[CentOS] Iptables masq traffic limiting

Mon Sep 1 02:31:52 UTC 2008
Joseph L. Casale <JCasale at activenetwerx.com>

>We should be talking live.  Why don't you join #centos-social on freenode
>so we can chat in real time?

Just got back from my trip and read that tutorial; it went on to state
what I now find to be two distinct, opposite thoughts. It says at
http://iptables-tutorial.frozentux.net/chunkyhtml/c962.html that you shouldn't
filter in the NAT POSTROUTING chain, as for some streams of packets only the
first packet hits the chain and everything else is redirected, hence the possibility
exists that some packets can miss the rule.

It seems the filter FORWARD chain is the safest place to limit what gets masq'ed,
so internal clients could only have, say, ports 80/443 but no FTP access, as an example.

What are your thoughts on this?
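As an added example (not part of the original thread, and not code from the tutorial cited above): a small sh script for the setup the post describes. MASQUERADE lives in nat/POSTROUTING, which conntrack only consults for the first packet of each connection, and all policy lives in filter/FORWARD, which sees every forwarded packet. Internal clients get TCP 80/443 out; FTP (21) is never accepted as NEW, so the ESTABLISHED,RELATED rule cannot open a data channel for it either, even with the FTP conntrack helper loaded. The interface names, the LAN subnet and the DRY_RUN switch are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: masquerade a LAN but restrict what it may reach.
# Assumed values: eth1 = LAN side, eth0 = WAN side, 192.168.1.0/24 = LAN.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# run: execute the command, or just print it when DRY_RUN=1 so the
# generated ruleset can be reviewed without touching the live firewall.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

apply_masq_policy() {
    run sysctl -w net.ipv4.ip_forward=1

    # nat/POSTROUTING: translation only. conntrack evaluates this chain for
    # the first packet of a connection and applies the same mapping to the
    # rest, so a filtering rule here would miss later packets.
    run iptables -t nat -F POSTROUTING
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # filter/FORWARD: every forwarded packet passes through here, so this is
    # where the policy goes. Default deny, then allow replies and the
    # explicitly permitted services.
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in 80 443; do
        run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Anything else from the LAN (FTP on 21 included) is logged and then
    # dropped by the chain policy. No NEW rule for 21 means the FTP helper
    # never tracks a control session, so no RELATED data connection appears.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j LOG --log-prefix "FWD-DENY: "
}

# Usage: ./masq.sh apply            (load the rules)
#        DRY_RUN=1 ./masq.sh apply  (print the rules instead)
if [ "${1:-}" = "apply" ]; then
    apply_masq_policy
fi
```

Run it with DRY_RUN=1 first and read the printed rules; the only ACCEPT rules that match NEW connections are the two --dport lines, which is the whole point of keeping policy out of the nat table.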