
BLU Discuss list archive





On Sat, Aug 16, 2003 at 09:40:41AM -0400, Bill Horne wrote:

> I'm not sure if this is the source of your problem, but I'll mention it just
> in case:
> 
> The Policy (-P) options in your iptables set the default to "ACCEPT", so any
> screening rules which don't specifically deny access will have no effect.

My iptables rules are actually more complicated, and have a default DROP
policy for all built-in chains.  However, I've also tested the (simpler)
posted scenario with the same results.

> Also, I don't understand if you're DNATing traffic to the same or a
> different machine.

Could be different, but happens to be the same.

> If to a different machine, note that there are no rules in the FORWARD
> chain, but that nat is dependent on FORWARD. The INPUT and OUTPUT
> chains don't affect forwarded traffic, so if you want to limit your
> DNAT traffic to ESTABLISHED,RELATED, then you must put that rule in
> the FORWARD chain.

Even though I'm going to the same machine, I believe in this case the
FORWARD rule chain would still apply.  The traffic is destined to go
beyond the gateway, but the traffic is being DNAT'd.

I know that masquerading does connection tracking automatically (it
won't possibly work otherwise).  However, perhaps this doesn't apply to
all forms of NAT.  I'll look into that.

However, the weird thing is that it /works/.  Mostly.

-- 
Ron Peterson                   -o)
87 Taylor Street               /\\
Granby, MA  01033             _\_v
https://www.yellowbank.com/   ---- 
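As an added illustration of the point raised in this exchange (example code, not part of the original post or the poster's actual ruleset): a DNAT rule in nat/PREROUTING only rewrites the destination address; whether the rewritten packet is then allowed is decided separately in the filter table. After PREROUTING the kernel routes the packet by its new destination: if that address belongs to the gateway itself the packet goes through INPUT, otherwise through FORWARD, and with a default DROP policy on FORWARD the port-forward silently fails unless FORWARD explicitly accepts both the NEW connection (matched on the post-DNAT destination) and the ESTABLISHED,RELATED replies. The interface names, LAN prefix and forwarded host below are constructed placeholders; `IPT` defaults to `echo iptables`, so the script prints the commands for review and only applies them when run as root with `IPT=iptables`.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a small port-forwarding
# firewall: default DROP on all built-in chains, DNAT in nat/PREROUTING, and the
# FORWARD rules that the nat rewrite does not provide on its own.
# Constructed assumptions: external interface eth0, internal interface eth1,
# LAN 192.168.1.0/24, TCP port 80 forwarded to 192.168.1.10.
IPT="${IPT:-echo iptables}"        # dry run by default; IPT=iptables to apply
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN="${LAN:-192.168.1.0/24}"
WEB_HOST="${WEB_HOST:-192.168.1.10}"

build_firewall() {
    # Start clean and drop everything the rules below do not explicitly allow.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback plus stateful return traffic for connections to/from the gateway.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # DNAT: rewrite the destination before the routing decision. This changes
    # only the address; the filter table still decides whether to pass the packet.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_HOST"

    # FORWARD: the rewritten packet is routed toward $WEB_HOST (not a local
    # address), so it traverses FORWARD rather than INPUT. Accept the replies
    # in both directions and the NEW connection, matched on the post-DNAT
    # destination. Without these two rules the default DROP wins.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEB_HOST" --dport 80 \
        -m state --state NEW -j ACCEPT

    # Outbound LAN traffic: allow new connections out and masquerade them.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
    # Forwarding must also be enabled in the kernel:
    #   echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Check used in the dry run: the DNAT target must be accepted in FORWARD, so a
# ruleset that only "mostly works" because of a missing FORWARD rule is caught.
forward_rule_count() {
    build_firewall | grep -c -- "-A FORWARD .*-d $WEB_HOST"
}

build_firewall
```

Run it once without arguments to review the generated commands; only the FORWARD rule that names the post-DNAT destination (`-d 192.168.1.10`) lets the forwarded connection through, which is the rule the default-ACCEPT/default-DROP discussion above turns on.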



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
