[Cialug] iptables question

Zachary Kotlarek zach at kotlarek.com
Thu Dec 15 14:08:36 CST 2011


On Dec 15, 2011, at 8:38 AM, Dave Weis wrote:

>  
> I’ve got a Linux machine set up to do SNAT and DNAT between external IPs and internal machines. For example x.x.x.219 gets translated to 192.168.115.11. It works fine with something like this:
> iptables -t nat -A PREROUTING -d x.x.x.219 -i eth0 -j DNAT --to-destination 192.168.115.11
> iptables -t nat -A POSTROUTING -s 192.168.115.11 -j SNAT --to-source x.x.x.219
>  
> The problem is that I only want a few ports to be exposed through, and the filtering I’m doing in the forwarding process isn’t filtering.
> iptables -A FORWARD -d x.x.x.219 -p tcp --dport 2200 -j ACCEPT
> iptables -A FORWARD -d x.x.x.219 -j DROP
>  
> Everything still gets through to the inside machine. What am I doing wrong?


You're using the wrong address in the FORWARD table.

NAT:PREROUTING changes the destination address due to your DNAT rule (that's what you told it to do after all). After that change the FORWARD table sees the packets bound to 192.168.115.11.

	Zach
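To make the ordering Zach describes concrete, here is a small model of the netfilter path a forwarded packet takes (nat/PREROUTING, then filter/FORWARD, then nat/POSTROUTING). It is an added illustration, not code from the thread or from iptables itself; the addresses and port are the ones from the question, `EXTERNAL` stands in for the elided x.x.x.219, and the client address 203.0.113.5 is a constructed sample. It runs the posted FORWARD rules and a corrected set that matches the post-DNAT internal address, which is the change Zach's answer implies.

```python
from dataclasses import dataclass, replace
from typing import Optional, List, Tuple

EXTERNAL = "x.x.x.219"      # placeholder for the public address elided in the thread
INTERNAL = "192.168.115.11" # internal host from the thread
CLIENT = "203.0.113.5"      # constructed sample source address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One iptables rule reduced to the matches used in the thread."""
    target: str                    # ACCEPT, DROP, DNAT or SNAT
    src: Optional[str] = None      # -s
    dst: Optional[str] = None      # -d
    proto: Optional[str] = None    # -p
    dport: Optional[int] = None    # --dport
    to: Optional[str] = None       # --to-destination / --to-source

    def matches(self, pkt: Packet) -> bool:
        return all(
            want is None or getattr(pkt, field) == want
            for field, want in (("src", self.src), ("dst", self.dst),
                                ("proto", self.proto), ("dport", self.dport))
        )


def run_chain(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, Packet]:
    """First matching rule decides, as in iptables; NAT targets rewrite the packet."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.target == "DNAT":
                return "ACCEPT", replace(pkt, dst=rule.to)
            if rule.target == "SNAT":
                return "ACCEPT", replace(pkt, src=rule.to)
            return rule.target, pkt
    return policy, pkt


def forward_path(prerouting, forward, postrouting, pkt: Packet) -> Tuple[str, Packet]:
    """nat/PREROUTING runs before filter/FORWARD, so FORWARD sees the DNATed dst."""
    _, pkt = run_chain(prerouting, pkt)
    verdict, pkt = run_chain(forward, pkt)
    if verdict != "ACCEPT":
        return verdict, pkt
    return run_chain(postrouting, pkt)


# The NAT rules from the thread (iptables -t nat ...)
PREROUTING = [Rule("DNAT", dst=EXTERNAL, to=INTERNAL)]
POSTROUTING = [Rule("SNAT", src=INTERNAL, to=EXTERNAL)]

# FORWARD rules as posted: they match the public address, which PREROUTING has
# already rewritten, so nothing matches and the chain's default policy applies.
FORWARD_AS_POSTED = [
    Rule("ACCEPT", dst=EXTERNAL, proto="tcp", dport=2200),
    Rule("DROP", dst=EXTERNAL),
]

# Corrected FORWARD rules: match the internal address that FORWARD actually sees, i.e.
#   iptables -A FORWARD -d 192.168.115.11 -p tcp --dport 2200 -j ACCEPT
#   iptables -A FORWARD -d 192.168.115.11 -j DROP
FORWARD_FIXED = [
    Rule("ACCEPT", dst=INTERNAL, proto="tcp", dport=2200),
    Rule("DROP", dst=INTERNAL),
]


def verdict_for(forward_rules: List[Rule], dport: int, proto: str = "tcp") -> str:
    """Verdict for an inbound packet from CLIENT to EXTERNAL:dport."""
    pkt = Packet(src=CLIENT, dst=EXTERNAL, proto=proto, dport=dport)
    verdict, _ = forward_path(PREROUTING, forward_rules, POSTROUTING, pkt)
    return verdict


if __name__ == "__main__":
    for label, rules in (("as posted", FORWARD_AS_POSTED), ("fixed", FORWARD_FIXED)):
        for port in (2200, 22):
            print(f"{label:9s} tcp/{port}: {verdict_for(rules, port)}")
```

With the rules as posted, both tcp/2200 and tcp/22 come out ACCEPT because neither FORWARD rule ever matches and the chain falls through to its default policy; with the corrected rules, tcp/2200 is accepted and tcp/22 is dropped. The same reasoning applies in reverse to the replies: once conntrack has recorded the DNAT mapping, the return packets are un-NATed automatically, so the FORWARD rules only need to describe the traffic as it looks after translation.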


