ron.peterson at yellowbank.com
Sun Aug 17 09:18:31 EDT 2003
On Sat, Aug 16, 2003 at 09:40:41AM -0400, Bill Horne wrote:
> I'm not sure if this is the source of your problem, but I'll mention it just
> in case:
>
> The Policy (-P) options in your iptables set the default to "ACCEPT", so any
> screening rules which don't specifically deny access will have no effect.
My iptables rules are actually more complicated, and have a default DROP
policy for all built-in chains. However, I've also tested the (simpler)
posted scenario with the same results.
> Also, I don't understand if you're DNATing traffic to the same or a
> different machine.
Could be different, but happens to be the same.
> If to a different machine, note that there are no rules in the FORWARD
> chain, but that nat is dependent on FORWARD. The INPUT and OUTPUT
> chains don't affect forwarded traffic, so if you want to limit your
> DNAT traffic to ESTABLISHED,RELATED, then you must put that rule in
> the FORWARD chain.
Even though I'm going to the same machine, I believe in this case the
FORWARD rule chain would still apply. The traffic is destined to go
beyond the gateway, but the traffic is being DNAT'd.
I know that masquerading does connection tracking automatically (it
won't possibly work otherwise). However, perhaps this doesn't apply to
all forms of NAT. I'll look into that.
However, the weird thing is that it /works/. Mostly.
--
Ron Peterson -o)
87 Taylor Street /\\
Granby, MA 01033 _\_v
https://www.yellowbank.com/ ----
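For reference, here is the ruleset Bill's point implies, written as an iptables-restore file. It is an added example, not something posted in the thread, and it assumes a gateway with eth0 facing the Internet and eth1 facing the LAN, with TCP port 80 DNAT'd to an internal host at 192.168.1.20 (all of these names and addresses are assumptions). The two things it illustrates: with a default DROP policy, the DNAT'd connection must be accepted in FORWARD, since INPUT and OUTPUT never see forwarded packets; and the FORWARD chain sees the *translated* destination, so the accept rule matches 192.168.1.20, not the gateway's public address. Every form of NAT in iptables rides on connection tracking (the nat table is consulted only for the first packet of a connection and conntrack applies the mapping to the rest), so the ESTABLISHED,RELATED rule in FORWARD is what lets the reply half of the DNAT'd flow through.

```iptables
# Added example (not from the thread). Assumptions: eth0 = external interface,
# eth1 = LAN interface, web server at 192.168.1.20, net.ipv4.ip_forward=1 is set.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# nat rules see only the first packet of a connection; conntrack then applies
# the same mapping to every later packet in both directions.
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.20:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

*filter
# Default DROP on all three built-in chains: anything not accepted below is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Traffic addressed to the gateway itself (INPUT) and originated by it (OUTPUT).
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# DNAT'd connections are forwarded, so they traverse FORWARD, never INPUT/OUTPUT.
# FORWARD sees the post-DNAT destination, hence -d 192.168.1.20 rather than the
# gateway's public address. The ESTABLISHED,RELATED rule carries the replies.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.20 --dport 80 -m state --state NEW -j ACCEPT
# LAN hosts may open outbound connections; replies match ESTABLISHED,RELATED above.
-A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT
COMMIT
```

Load it with `iptables-restore < rules.v4` and then watch `iptables -L FORWARD -v -n` while a client connects to port 80 on the gateway's public address: the packet counter on the `-d 192.168.1.20 --dport 80` rule should increment. If it stays at zero while the connection fails, either the packet is not being forwarded at all (check `net.ipv4.ip_forward`) or it is landing in INPUT instead, which is what happens when the DNAT target is one of the gateway's own addresses; a connection DNAT'd to the gateway itself needs its accept rule in INPUT, not FORWARD. Current iptables accepts `-m conntrack --ctstate` in place of `-m state --state`; the two are equivalent here.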