On Sat, Aug 16, 2003 at 09:40:41AM -0400, Bill Horne wrote:

> I'm not sure if this is the source of your problem, but I'll mention it just
> in case:
>
> The Policy (-P) options in your iptables set the default to "ACCEPT", so any
> screening rules which don't specifically deny access will have no effect.

My iptables rules are actually more complicated, and have a default DROP
policy for all built-in chains. However, I've also tested the (simpler)
posted scenario with the same results.

> Also, I don't understand if you're DNATing traffic to the same or a
> different machine.

Could be different, but happens to be the same.

> If to a different machine, note that there are no rules in the FORWARD
> chain, but that nat is dependent on FORWARD. The INPUT and OUTPUT
> chains don't affect forwarded traffic, so if you want to limit your
> DNAT traffic to ESTABLISHED,RELATED, then you must put that rule in
> the FORWARD chain.

Even though I'm going to the same machine, I believe in this case the
FORWARD rule chain would still apply. The traffic is destined to go beyond
the gateway, but the traffic is being DNAT'd.

I know that masquerading does connection tracking automatically (it won't
possibly work otherwise). However, perhaps this doesn't apply to all forms
of NAT. I'll look into that.

However, the weird thing is that it /works/. Mostly.

-- 
Ron Peterson                   -o)
87 Taylor Street               /\\
Granby, MA  01033             _\_v
https://www.yellowbank.com/   ----
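For the situation Bill describes, a DNAT to a host behind the gateway combined with a default DROP policy, the following is an added example of a complete ruleset; it is not code from either poster. It assumes hypothetical interface names (eth0 outside, eth1 inside), a LAN of 192.168.1.0/24 and a web server at 192.168.1.10, and it uses the conntrack match (the older `-m state --state` spelling from 2003 is an alias for the same thing). The point it demonstrates is the one from the quoted reply: the DNAT happens in PREROUTING before the routing decision, so the rewritten packets are routed toward the LAN and traverse FORWARD, where both the first packet and the ESTABLISHED,RELATED remainder of the flow must be allowed explicitly. Without the FORWARD rule for ESTABLISHED,RELATED only the initial SYN gets through, which produces exactly the "works, mostly" symptom.

```shell
#!/bin/sh
# Added example, not from the original thread: minimal gateway ruleset that
# port-forwards TCP/80 from the outside to an internal web server, with a
# default-DROP policy on every built-in filter chain.
#
# Interface names, addresses and port below are assumptions for illustration.
# Run with IPT_APPLY=1 (as root, with net.ipv4.ip_forward=1) to load the
# rules; otherwise the script only defines functions.  Setting IPT=echo
# prints the commands instead of executing them.

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"                  # assumed external interface
LAN_IF="${LAN_IF:-eth1}"                  # assumed internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # assumed internal network
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"  # assumed DNAT target behind the gateway
WEB_PORT="${WEB_PORT:-80}"

apply_rules() {
    # Flush, then default DROP on all three filter chains.  The nat table keeps
    # its ACCEPT policy: it is consulted only for the first packet of a
    # connection and is not where filtering belongs.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Traffic to and from the gateway itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    # Rewrite the destination of inbound web connections in PREROUTING.  This
    # runs before the routing decision, so the packet is then routed toward the
    # LAN and goes through FORWARD, not INPUT.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$WEB_PORT" \
        -j DNAT --to-destination "$WEB_SERVER:$WEB_PORT"

    # FORWARD must allow the rest of the flow (ESTABLISHED,RELATED) and the
    # first packet (NEW).  By the time FORWARD sees the first packet its
    # destination has already been rewritten, so match on the internal address.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" \
        --dport "$WEB_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # Ordinary outbound LAN traffic, masqueraded on the WAN side.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Check helper: succeeds if the generated ruleset admits reply traffic on
# FORWARD, the rule the reply above identifies as the one people forget.
forward_allows_established() {
    ( IPT=echo; apply_rules ) \
        | grep -q -- '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
}

if [ "${IPT_APPLY:-0}" = 1 ]; then
    apply_rules
fi
```

To see what would be loaded without touching the kernel, run the script with `IPT=echo IPT_APPLY=1`. If the DNAT target were the gateway's own address rather than a host behind it, the rewritten packets would be delivered locally and the relevant chain would be INPUT instead of FORWARD, so the same ESTABLISHED,RELATED rule would be needed there.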