| Path | csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!feeder.erje.net!eu.feeder.erje.net!news2.arglkargh.de!news.albasani.net!rt.uk.eu.org!newsfeed.xs4all.nl!newsfeed4.news.xs4all.nl!xs4all!novso.com!nerim.net!saria.nerim.net!not-for-mail |
|---|---|
| From | Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> |
| Newsgroups | comp.os.linux.security |
| Subject | Re: iptables help, please? |
| Date | Sun, 22 Jun 2014 13:04:09 +0200 |
| Organization | Plouf ! |
| Lines | 35 |
| Message-ID | <lo6d79$1tm8$1@saria.nerim.net> |
| References | <a3d01$53a64f4b$9440befe$5576@STARBAND.NET> <53a67d7a$0$2002$426a74cc@news.free.fr> |
| Reply-To | pascal.news@plouf.fr.eu.org |
| NNTP-Posting-Host | zenith.ipv6.plouf.fr.eu.org |
| Mime-Version | 1.0 |
| Content-Type | text/plain; charset=ISO-8859-15 |
| Content-Transfer-Encoding | 8bit |
| X-Trace | saria.nerim.net 1403435049 63176 2001:7a8:6d23:1::1 (22 Jun 2014 11:04:09 GMT) |
| X-Complaints-To | abuse@nerim.net |
| NNTP-Posting-Date | Sun, 22 Jun 2014 11:04:09 +0000 (UTC) |
| User-Agent | Thunderbird 2.0.0.21 (Windows/20090302) |
| In-Reply-To | <53a67d7a$0$2002$426a74cc@news.free.fr> |
| Xref | csiph.com comp.os.linux.security:515 |
Hello,

Philippe Weill wrote:
>
> from external to internal computers everything is closed ( NAT RULES )

Wrong. The FORWARD chain is empty and its default policy is ACCEPT so
everything is allowed in both directions. NAT rules do no filtering.

> from external to IPTABLES FIREWALL ( INPUT CHAIN ) only packet udp dns are authorized from dns
> starband.com domain ( 200 and 201 )

I wonder why external nameservers would send DNS queries to a box acting
as a router/firewall. The only reason I can imagine is that the box also
runs an authoritative nameserver acting as a master for these external
nameservers. But it would require that TCP port 53 is also allowed for
zone transfer.

> 202 and 203 seem to need modification dns are now also 148.78.254.200 and 148.78.254.201

How do you know?

>> and at the same time allow WAN UDP packets on ports
>> 5198 and 5199 to be forwarded to 192.168.1.50, if possible. Thank You.
>
> to do what you need see at the end
> -A PREROUTING -i eth1 -p udp --dport 5198 -j DNAT --to 192.168.1.50
> -A PREROUTING -i eth1 -p udp --dport 5199 -j DNAT --to 192.168.1.50

In one rule:

-A PREROUTING -i eth1 -p udp -m udp --dport 5198:5199 -j DNAT \
 --to 192.168.1.50

or

-A PREROUTING -i eth1 -p udp -m multiport --dports 5198,5199 -j DNAT \
 --to 192.168.1.50
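The two points Pascal makes above (a FORWARD chain with policy ACCEPT filters nothing, and NAT rules never filter; the DNAT for both UDP ports fits in one rule with a port range) can be put together in a small iptables-restore ruleset. The script below is an added example written for this archive page, not code from either poster. It keeps the thread's values (eth1 as the WAN interface, UDP 5198:5199 DNATed to 192.168.1.50) and assumes the rest: a LAN interface named eth0, a LAN network of 192.168.1.0/24, and MASQUERADE as the outbound NAT. Nothing is applied unless the script is run with the argument `apply`; the functions only generate and inspect the ruleset, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example (not from the thread). Generates an iptables-restore
# ruleset in which the FORWARD chain really filters: its policy is DROP,
# reply traffic is allowed by connection tracking, LAN->WAN is allowed,
# and only the DNATed UDP range reaches 192.168.1.50 from the WAN.

WAN_IF="${WAN_IF:-eth1}"               # from the thread
LAN_IF="${LAN_IF:-eth0}"               # assumption
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumption
DNAT_HOST="${DNAT_HOST:-192.168.1.50}" # from the thread
DNAT_PORTS="${DNAT_PORTS:-5198:5199}"  # from the thread, as one range

# Emit the complete ruleset (nat + filter tables) in iptables-restore format.
emit_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# One DNAT rule for the whole port range, as suggested in the reply.
-A PREROUTING -i $WAN_IF -p udp -m udp --dport $DNAT_PORTS -j DNAT --to-destination $DNAT_HOST
# Outbound NAT for the LAN (assumed; the thread does not show its NAT rules).
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Replies to connections already tracked pass in either direction.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may open connections toward the WAN.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# From the WAN, only packets that were DNATed to the game host on the
# forwarded range are let through; everything else hits the DROP policy.
-A FORWARD -i $WAN_IF -o $LAN_IF -d $DNAT_HOST -p udp -m udp --dport $DNAT_PORTS -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# Exit 0 when the filter FORWARD chain has a DROP policy, 1 otherwise.
# This is the check that distinguishes a filtering forwarder from the
# "empty chain, policy ACCEPT" setup criticised in the reply.
forward_policy_is_drop() {
    emit_ruleset | grep -q '^:FORWARD DROP'
}

# Print the number of DNAT rules in the nat table (expected: 1).
count_dnat_rules() {
    emit_ruleset | grep -c -- '-j DNAT'
}

# Print the number of FORWARD rules that accept WAN->LAN traffic (expected: 1).
count_wan_to_lan_accepts() {
    emit_ruleset | grep -c -- "-A FORWARD -i $WAN_IF -o $LAN_IF .* -j ACCEPT"
}

# Only load the rules into the kernel when explicitly asked (needs root).
if [ "${1:-}" = "apply" ]; then
    emit_ruleset | iptables-restore
fi
```

Run `sh rules.sh` to just define the functions, `sh rules.sh apply` (as root) to load the ruleset, or `. ./rules.sh; emit_ruleset` to review the generated rules first. The `--ctstate DNAT` match is what ties the filter rule to the NAT decision: a WAN packet on UDP 5198:5199 that was not rewritten by PREROUTING does not match it and is dropped.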
Thread:

- iptables help, please? - gdunn <gdunn@example.com> - 2014-06-22 03:36 +0000
  - Re: iptables help, please? - Philippe Weill <Philippe.Weill@aero.jussieu.fr> - 2014-06-22 08:54 +0200
    - Re: iptables help, please? - Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> - 2014-06-22 13:04 +0200
      - Re: iptables help, please? - Philippe Weill <Philippe.Weill@aero.jussieu.fr> - 2014-06-23 07:21 +0200
  - Re: iptables help, please? - Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> - 2014-06-22 13:06 +0200
  - Re: iptables help, please? - Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2014-06-22 15:43 +0000