-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
vovcia@vovcia.one.pl wrote:
On Mon, Jun 20, 2005 at 08:19:46PM +0200, Christophe Vandeplas wrote:
I applied these nice rules, and it works like a charm...except that it
_always_ forwards the port, something I do not want.
$IPTABLES -t nat -A PREROUTING -p tcp -i $INTIF -d $UNIVERSE --dport 80
- -j DNAT --to $INTIP:80
$IPTABLES -A FORWARD -p tcp -i $INTIF -o $INTIF -d $INTIP --dport 80 -m
state --state NEW -j ACCEPT
PREROUTING chain is executed BEFORE FORWARD.
If You want to allow some clients call something like
iptables -t nat -I PREROUTING -p tcp -i $INTIF -d $UNIVERSE --dport 80
-j ALLOW
Then packet will be allowed in PREROUTING chain and will go straight to
FORWARD.
hmm...
indeed with the -s option this should help
(I think i'll even put it in another chain to have a clear separation of
the static part of the firewall and the dynamic part.)
(so just clearing the chains if there are problems could be easier than
to restart the whole firewall)
unfortunately it's once more an extra load on the gateway, but i'll have
to live with that.
All that have send me an mail & all that were planning to send one :-)
Thanks for the answers
Greets
- --
- -------------------------------------
Christophe 'ElCascador' Vandeplas
GSM: +32 (0)486/64.10.33
email: christophe(at)vandeplas(dot)com
http://www.vandeplas.com
GnuPG:1024D/14913897: 66BD A9EB 0357 D80F 20D4 D698 3B2B E562 1491 3897
- -------------------------------------
*** PLEASE ***
"Never send mass-mails/forward to this email address.
Please add the email-address to the BCC field (Blind Carbon Copy)
or send the mail separately to me."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCt+PoOyvlYhSROJcRArsoAJ9Mum7txfM4j3pZFwL9WA5oPCMJywCfSYOG
j7k5pm+ZhTlTi0TWIX8uUTQ=
=yvRR
-----END PGP SIGNATURE-----
