[CentOS] Iptables masq traffic limiting

Mon Sep 1 05:29:38 UTC 2008
Robert Spangler <mlists at zoominternet.net>

On Sunday 31 August 2008 22:31, Joseph L. Casale wrote:

> > We should be talking live.  Why don't you join the #centos-social on
> > freenode so we can chat real time?
>
> Robert,
> Just got back from my trip and reading that Tutorial, it went on to state
> what I now find to be two distinct opposite thoughts. It says at
> http://iptables-tutorial.frozentux.net/chunkyhtml/c962.html that you
> shouldn't filter in the NAT Postrouting chain as some streams of packets
> only have their first packet hit the chain and everything else is
> redirected, hence the possibility exists that some packets can miss the
> rule.
>
> It seems the Filter Forward chain is the safest place to limit what gets
> masq'ed so internal clients could only have say port 80/443 but no ftp
> access as an example.

That is correct.  The only thing that should hit the NAT chain is what you 
have already decided should be allowed out.  


-- 

Regards
Robert

It is not just an adventure.
It is my job!!

Linux User #296285
http://counter.li.org
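The ruleset discussed above, as an added example that is not part of the original thread or of the tutorial it cites: all filtering of what internal clients may reach lives in filter/FORWARD, and nat/POSTROUTING contains nothing but the MASQUERADE rule, so it only ever sees traffic FORWARD has already accepted. The interface names (eth1 inside, eth0 outside), the LAN prefix and the allowed port list are assumptions; adjust them for the host. The script prints the rules by default and only applies them with `--apply` as root.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal iptables masquerading
# ruleset that filters in filter/FORWARD and masquerades only what FORWARD has
# already accepted. Interface names and the LAN prefix below are assumptions.
LAN_IF="${LAN_IF:-eth1}"                # assumed: internal interface
WAN_IF="${WAN_IF:-eth0}"                # assumed: interface towards the Internet
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed: internal client network
ALLOWED_TCP="${ALLOWED_TCP:-80,443}"    # TCP ports internal clients may reach

# Print the rules rather than executing them, so they can be reviewed (or
# checked in a test) without root or a kernel that has netfilter loaded.
build_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
# Replies and related streams (e.g. ICMP errors) of connections already accepted
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections from the LAN: only the permitted TCP ports, nothing else (no ftp, no smtp, ...)
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports $ALLOWED_TCP -m state --state NEW -j ACCEPT
# Everything else the LAN tries to push out is logged (rate limited) and then dropped by policy
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
# NAT is decided last and only for the first packet of each connection; conntrack
# applies the mapping to the rest, which is why no filtering belongs in this chain
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Execute the generated rules (needs root). Comment lines are stripped first and
# sh -e stops at the first rule iptables rejects, so a typo does not leave a
# half-applied ruleset behind silently.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_rules | grep -v '^#' | sh -e
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    build_rules
fi
```

After applying, `iptables -t nat -L POSTROUTING -v -n` shows the MASQUERADE counter advancing once per new connection while the FORWARD ACCEPT counters count every packet, which is the behaviour the tutorial describes: a rule placed in POSTROUTING would simply never see most of the stream.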