Confirm: letting certain packages pass through un-natted

Mariusz Kruk kruk at rdc.pl
Mon Sep 26 11:35:02 CEST 2005


David Leangen wrote:
> Could somebody please confirm whether or not I'm doing this right?
> 
> I am using, in my nat table:
> 
> -A PREROUTING -s 192.168.0.0/16 -d 192.168.1.1 -j ACCEPT
> 
> Shouldn't all packets, including ICMP packets, get passed through to 
> 192.168.1.1 if originating from the local network?

Not necessarily.
Even if you pass the packet in nat table, you still might drop it in 
filter table. I know the ACCEPT target may be used in every (?) table, 
but it's a matter of good practice to filter packets in filter tables 
and nat in nat tables and so on. So I would suggest moving this from nat 
table to filter table and from PREROUTING to FORWARD.
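The layout the reply recommends, as an added example that is not part of the thread: a ruleset in iptables-save format where the nat-table ACCEPT only exempts the packets from NAT, and the actual decision to let them through lives in filter/FORWARD. The DROP policy on FORWARD and the REDIRECT rule the exemption bypasses are assumptions for illustration, not anything the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread.  ACCEPT in the nat table ends nat
# processing for that packet (it is left un-NATed); it does not stop the
# filter table from dropping it afterwards.  Only the first packet of a
# connection even visits the nat table, every packet visits filter/FORWARD.

LAN=192.168.0.0/16
HOST=192.168.1.1

# Emit the ruleset rather than applying it, so it can be reviewed or piped
# into `iptables-restore` by a caller with the required privileges.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Exempt LAN -> $HOST from any NAT below; this is all the nat ACCEPT does.
-A PREROUTING -s $LAN -d $HOST -j ACCEPT
# Assumed: the NAT the exemption is meant to bypass (transparent proxy).
-A PREROUTING -s $LAN -p tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:FORWARD DROP [0:0]
# Assumed DROP policy: without the rule below, the un-NATed packets
# (ICMP included) would still be discarded here.
-A FORWARD -s $LAN -d $HOST -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Returns 0 when the filter-table rule the reply asks for is present.
has_forward_rule() {
    gen_ruleset | grep -q "^-A FORWARD -s $LAN -d $HOST -j ACCEPT"
}

if [ "${1:-}" = "--apply" ]; then
    gen_ruleset | iptables-restore
fi
```

Run with `--apply` as root to load the ruleset; without it the script only defines the functions.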