Forwarding (DNAT) question
Romain Guilleret
romain.guilleret@SecurityKeepers.com
Thu, 2 Aug 2001 18:30:33 +0200
Hi,
I've set up a test firewall to forward (DNAT) all PING packets to another server:
iptables -t nat -I PREROUTING 2 -i eth2 -p icmp --icmp-type 8/0 -s 10.25.0.7 -d 10.25.1.253 -j DNAT --to-destination 10.92.1.253
iptables -I main_fwd 12 -i eth2 -o eth3 -p icmp --icmp-type 8/0 -m state --state NEW -s 10.25.0.7 -d 10.92.1.253 -j ACCEPT
iptables -I main_fwd 14 -i eth3 -o eth2 -p icmp --icmp-type 0/0 -m state --state ESTABLISHED -s 10.92.1.253 -d 10.25.0.7 -j ACCEPT
10.25.0.7 is a workstation.
10.25.1.253 is the address of the firewall on the workstation network.
10.92.1.253 is the server.
These rules work. PING packets from the workstation are DNATed to the server.
Now, the problem is that the rules also allow me to ping the address 10.92.1.253 directly from the workstation.
How can I block pings from the workstation to the server and allow only DNATed pings to pass the firewall?
Where am I wrong?
Please CC to me as I'm not (yet) subscribed to the list.
TIA
Romain Guilleret
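Added example (not from the original post): the forward rule in the post matches on the post-PREROUTING addresses, which are identical for a DNATed ping and a direct ping to the server, so it cannot tell them apart. Connection tracking can: only the translated flow carries the DNAT status, which the `-m conntrack --ctstate DNAT` match exposes. The script below assumes the poster's addresses, interfaces and `main_fwd` chain, and that the conntrack match is available on the kernel; it prints the rules by default and only runs them as root when `APPLY=1`.

```shell
#!/bin/sh
# Hypothetical rule set based on the post; addresses and chain name are the poster's.
WS=10.25.0.7      # workstation
FW=10.25.1.253    # firewall address on the workstation network
SRV=10.92.1.253   # server
CHAIN=main_fwd    # the poster's custom FORWARD chain

dnat_only_rules() {
    # 1. Same DNAT as in the post: echo requests aimed at the firewall go to the server.
    echo "iptables -t nat -I PREROUTING 2 -i eth2 -p icmp --icmp-type echo-request -s $WS -d $FW -j DNAT --to-destination $SRV"
    # 2. Forward rule: after PREROUTING both a DNATed ping and a direct ping carry
    #    -d $SRV, but only the DNATed connection has the DNAT conntrack flag.
    #    A ping sent straight to $SRV is untouched by NAT, so it does not match
    #    here and falls through to the chain's drop policy/rule.
    echo "iptables -I $CHAIN 12 -i eth2 -o eth3 -p icmp --icmp-type echo-request -m conntrack --ctstate DNAT -s $WS -d $SRV -j ACCEPT"
    # 3. Replies: unchanged in substance from the post (replies are un-NATed in
    #    POSTROUTING, so at FORWARD they still carry -s $SRV).
    echo "iptables -I $CHAIN 14 -i eth3 -o eth2 -p icmp --icmp-type echo-reply -m conntrack --ctstate ESTABLISHED -s $SRV -d $WS -j ACCEPT"
}

# Print the rules by default; set APPLY=1 (as root) to execute them.
if [ "${APPLY:-0}" = 1 ]; then
    dnat_only_rules | sh -e
else
    dnat_only_rules
fi
```

Verify on the firewall with `iptables -t nat -L PREROUTING -n -v` and `iptables -L main_fwd -n -v`: a direct ping from the workstation should leave the DNAT counter and the `--ctstate DNAT` accept counter unchanged while the drop counter grows.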