| From | Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> |
|---|---|
| Newsgroups | comp.os.linux.security |
| Subject | Re: iptables help, please? |
| Date | 2014-06-22 13:04 +0200 |
| Organization | Plouf ! |
| Message-ID | <lo6d79$1tm8$1@saria.nerim.net> |
| References | <a3d01$53a64f4b$9440befe$5576@STARBAND.NET> <53a67d7a$0$2002$426a74cc@news.free.fr> |
Hello,

Philippe Weill wrote:
>
> from external to internal computers everything is closed ( NAT RULES )

Wrong. The FORWARD chain is empty and its default policy is ACCEPT so everything is allowed in both directions. NAT rules do no filtering.

> from external to IPTABLES FIREWALL ( INPUT CHAIN ) only packet udp dns are authorized from dns
> starband.com domain ( 200 and 201 )

I wonder why external nameservers would send DNS queries to a box acting as a router/firewall. The only reason I can imagine is that the box also runs an authoritative nameserver acting as a master for these external nameservers. But it would require that TCP port 53 is also allowed for zone transfer.

> 202 and 203 seem to need modification dns are now also 148.78.254.200 and 148.78.254.201

How do you know?

>> and at the same time allow WAN UDP packets on ports
>> 5198 and 5199 to be forwarded to 192.168.1.50, if possible. Thank You.
>
> to do what you need see at the end
> -A PREROUTING -i eth1 -p udp --dport 5198 -j DNAT --to 192.168.1.50
> -A PREROUTING -i eth1 -p udp --dport 5199 -j DNAT --to 192.168.1.50

In one rule:

-A PREROUTING -i eth1 -p udp -m udp --dport 5198:5199 -j DNAT \
--to 192.168.1.50

or

-A PREROUTING -i eth1 -p udp -m multiport --dports 5198,5199 -j DNAT \
--to 192.168.1.50
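Added example, not from Pascal's reply or the original poster's ruleset: a complete ruleset in iptables-restore format that closes the gap Pascal points out (the FORWARD chain defaulting to ACCEPT, with NAT doing no filtering) while keeping the single-rule DNAT for UDP 5198-5199 to 192.168.1.50. It takes eth1 as the WAN interface from the quoted rules; eth0 as the LAN interface and 192.168.1.0/24 as the LAN network are assumptions, overridable through environment variables. The ruleset is only written to stdout unless the script is invoked with the argument `apply`.

```shell
#!/bin/sh
# Added example (not the poster's own ruleset). Generates an
# iptables-restore ruleset with a default-deny FORWARD chain and a
# DNAT port forward for UDP 5198-5199 to the forwarded host.
# Assumed (not stated on the page): eth0 is the LAN side and the
# LAN network is 192.168.1.0/24. eth1 as WAN comes from the post.

WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
FWD_HOST="${FWD_HOST:-192.168.1.50}"
FWD_PORTS="${FWD_PORTS:-5198:5199}"

# Emit the ruleset on stdout. Lines starting with '#' are ignored by
# iptables-restore, so the comments can stay in the generated text.
gen_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port forward in one rule, as in the reply (port range match).
-A PREROUTING -i $WAN_IF -p udp -m udp --dport $FWD_PORTS -j DNAT --to-destination $FWD_HOST
# Source NAT for LAN hosts going out through the WAN interface.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
# Default-deny forwarding: NAT rules alone filter nothing.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Replies to connections already accepted in either direction.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may initiate outbound traffic.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# Inbound from the WAN: only the forwarded UDP ports, and only to the
# forwarded host. FORWARD sees the packet after DNAT, so the
# destination is the LAN address, not the public one.
-A FORWARD -i $WAN_IF -o $LAN_IF -p udp -m udp -d $FWD_HOST --dport $FWD_PORTS -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Policy of the FORWARD chain in the generated ruleset (DROP expected).
forward_policy() {
  gen_ruleset | awk '/^:FORWARD/ { print $2 }'
}

# Number of rules accepting new WAN-to-LAN forwarding; the only one
# should be the DNAT'd port range to the forwarded host.
wan_inbound_forward_rules() {
  gen_ruleset | grep -c -- "^-A FORWARD -i $WAN_IF -o $LAN_IF"
}

# Load the ruleset atomically (replaces the current tables).
apply_ruleset() {
  gen_ruleset | iptables-restore
}

case "${1:-show}" in
  apply) apply_ruleset ;;
  *)     gen_ruleset ;;
esac
```

Because iptables-restore loads the whole file atomically, the DNAT rule and the matching FORWARD accept arrive together; with the original empty FORWARD chain, every other host on the LAN was reachable from the WAN through the same policy, whatever the nat table said.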
iptables help, please? gdunn <gdunn@example.com> - 2014-06-22 03:36 +0000
Re: iptables help, please? Philippe Weill <Philippe.Weill@aero.jussieu.fr> - 2014-06-22 08:54 +0200
Re: iptables help, please? Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> - 2014-06-22 13:04 +0200
Re: iptables help, please? Philippe Weill <Philippe.Weill@aero.jussieu.fr> - 2014-06-23 07:21 +0200
Re: iptables help, please? Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> - 2014-06-22 13:06 +0200
Re: iptables help, please? Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2014-06-22 15:43 +0000