[CentOS] Iptables masq traffic limiting

Mon Sep 1 05:29:38 UTC 2008
Robert Spangler <mlists at zoominternet.net>

On Sunday 31 August 2008 22:31, Joseph L. Casale wrote:

> > We should be talking live.  Why don't you join the #centos-social on
> > freenode so we can chat real time?
> Robert,
> Just got back from my trip and reading that Tutorial, it went on to state
> what I now find to be two distinct opposite thoughts. It says at
> http://iptables-tutorial.frozentux.net/chunkyhtml/c962.html that you
> shouldn't filter in the NAT Postrouting chain as some streams of packets
> only have their first packet hit the chain and everything else is
> redirected hence the possibility exists that some packets can miss the
> rule.
> It seems the Filter Forward chain is the safest place to limit what gets
> masq'ed so internal clients could only have say port 80/443 but no ftp
> access as an example.

That is correct.  The only thing that should hit the NAT chain is what you
have already decided should be allowed out.

It is not just an adventure.
It is my job!!

Linux User #296285
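The layout the thread agrees on, written out as an added example (this is not code from the thread or from the iptables tutorial it links): all policy lives in filter/FORWARD, where every packet of every connection is seen, and nat/POSTROUTING carries nothing but the MASQUERADE rule, since the nat table only sees the first packet of a connection. The interface names, the LAN subnet and the port list are assumptions set via environment variables; the script prints the commands by default (DRY_RUN=1) so it can be reviewed before being applied on the gateway.

```shell
#!/bin/sh
# Added example: NAT gateway ruleset that filters in FORWARD, not in the
# nat table. Interfaces, subnet and port list are assumptions.
LAN_IF="${LAN_IF:-eth1}"                    # assumed internal interface
WAN_IF="${WAN_IF:-eth0}"                    # assumed internet-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # assumed internal subnet
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-80 443}"  # what clients may reach; no 21 (ftp)

# Return 0 if a destination port is in the allow list, 1 otherwise.
port_allowed() {
    for p in $ALLOWED_TCP_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Emit the iptables commands, one per line.
# Every packet crosses FORWARD, so per-port policy goes there; the nat
# table only sees the first packet of a connection, so it gets only
# the MASQUERADE rule and no port filtering at all.
gen_fw_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for p in $ALLOWED_TCP_PORTS; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Print the commands (DRY_RUN=1, default) or run them as root (DRY_RUN=0).
apply_fw_rules() {
    gen_fw_rules | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

apply_fw_rules
```

Anything not explicitly accepted in FORWARD is logged (rate-limited) and then dropped by the chain policy, so an internal client trying ftp shows up in the log rather than silently slipping past a nat-side rule on a later packet. Run with `DRY_RUN=0` as root to apply.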