DNAT & multiple entries + multiple external addresses
Justin Michael
jmichael@web3.fibercitynetworks.net
Sat, 19 Jan 2002 13:56:43 -0500
On Sat, Jan 19, 2002 at 11:02:37AM -0500, Whit Blauvelt wrote:
> ACCESSIPs="xx.xx.xx.xx yy.yy.yy.yy zz.zz.zz.zz"
> PCanywherePORTs="5631 5632"
> PCA_INT="192.168.1.x"
> PUB_IP="aa.aa.aa.aa"
>
> # Forward PCAnywhere to PCA_INT
> for PCanywherePORT in $PCanywherePORTs; do
>     for ACCESSIP in $ACCESSIPs; do
>         iptables -t nat -A PREROUTING -p tcp -s $ACCESSIP -d $PUB_IP --dport $PCanywherePORT -j DNAT --to $PCA_INT
>         iptables -t nat -A PREROUTING -p udp -s $ACCESSIP -d $PUB_IP --dport $PCanywherePORT -j DNAT --to $PCA_INT
>     done
> done
My opinion is to keep the port and socket ACCEPT and DROP rules in the
FORWARD chain for security and leave the NAT rules without any protocol
specific entries (unless they are needed for sharing an external IP).
I find this makes it easier to troubleshoot problems and to maintain the
rule base.
So in this example, I'd do:
for PCanywherePORT in $PCanywherePORTs; do
    for ACCESSIP in $ACCESSIPs; do
        iptables -A FORWARD -p tcp -s $ACCESSIP -d $PCA_INT --dport $PCanywherePORT -j ACCEPT
        iptables -A FORWARD -p udp -s $ACCESSIP -d $PCA_INT --dport $PCanywherePORT -j ACCEPT
    done
done
iptables -t nat -A PREROUTING -d $PUB_IP -j DNAT --to $PCA_INT
What do the rest of you think?
--j
>
> Whit
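The layout Justin proposes (a single, protocol-agnostic DNAT in nat/PREROUTING, with all per-source and per-port filtering in FORWARD) as a complete, reviewable rule generator. This is an added example, not code from either poster. It assumes placeholder addresses from the documentation ranges (203.0.113.x, 198.51.100.x, 192.168.1.20) and adds two things the thread does not show but that the approach depends on: a DROP policy on FORWARD, so the ACCEPT rules are the only path to the internal host, and an ESTABLISHED,RELATED rule so reply traffic passes. The script prints the commands instead of running them, so the set can be checked before it is applied as root.

```bash
#!/bin/sh
# Added example for the "generic DNAT, filter in FORWARD" layout discussed
# above. Not the thread's code; addresses below are constructed placeholders.
ACCESSIPs="203.0.113.10 203.0.113.11"   # constructed: hosts allowed to reach PCAnywhere
PCanywherePORTs="5631 5632"             # PCAnywhere data/status ports
PCA_INT="192.168.1.20"                  # constructed: internal PCAnywhere host
PUB_IP="198.51.100.5"                   # constructed: public address DNAT'd to PCA_INT
IPT="${IPT:-iptables}"                  # assumption: iptables on PATH, or override IPT

# Emit the rule set as commands. Pipe into "sh" as root to apply.
gen_rules() {
    # Assumed defaults, not in the thread: drop anything FORWARD does not
    # explicitly allow, and let replies to accepted flows through.
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Per-source, per-port ACCEPTs live in FORWARD. FORWARD sees the packet
    # after PREROUTING has rewritten it, so match on the internal address.
    for port in $PCanywherePORTs; do
        for src in $ACCESSIPs; do
            echo "$IPT -A FORWARD -p tcp -s $src -d $PCA_INT --dport $port -m state --state NEW -j ACCEPT"
            echo "$IPT -A FORWARD -p udp -s $src -d $PCA_INT --dport $port -j ACCEPT"
        done
    done

    # One generic DNAT for the public address; no ports or protocols here.
    echo "$IPT -t nat -A PREROUTING -d $PUB_IP -j DNAT --to-destination $PCA_INT"
}

# Helpers for reviewing the generated set.
count_forward_accepts() { gen_rules | grep -c -- '-A FORWARD .* -j ACCEPT'; }
count_nat_rules()       { gen_rules | grep -c -- '-t nat '; }
nat_rules_with_ports()  { gen_rules | grep -- '-t nat ' | grep -c -- '--dport'; }

gen_rules
```

With two allowed sources and two ports the generator yields eight per-flow ACCEPTs plus the ESTABLISHED,RELATED rule in FORWARD and exactly one nat rule, and that nat rule carries no port match, which is the property Justin's layout is meant to keep. Swap `-m state --state` for `-m conntrack --ctstate` on current kernels if the state match is not built.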