Philip A. Prindeville wrote:
> What I'm trying to do is this.
> 
> Let's say I have some service that runs on port 101 (hypothetically).
> 
> I want to continue to run it on that port internally, but I want to 
> relocate it on my external interface because I'm tired of it being 
> port-scanned, and it's not a particularly secure service.
> 
> So I run my relocated service externally on port 10100.  Internally on 
> 101... and block packets sent directly to the external interface on port 
> 101....
> 
> What I want to do is this.
> 
> If a connection comes in for TCP/10100 on my external interface, I want 
> to (a) --setmark the packet, and (b) -j DNAT --to-destination 101 on it.
> 
> Then separately, if a packet is for TCP/101 and it came on my external 
> interface:
> 
> (a) accept it if it's marked (i.e. had been reNATted),
> (b) reject it if it isn't marked (i.e. hasn't been reNATted from TCP/10100).
> 
> Simple, right?

(b) is easy.  Any ports that aren't explicitly opened are dropped from 
the outside.  Default behavior is DROP unless set otherwise.

(a) should be able to be handled by Arno's firewall already by 
NAT_XXX_FORWARD= where XXX is TCP, UDP or IP.

You'd use a format that looks like this:

"101>192.168.101.1:10100"

Try that.  If that doesn't work, then I'd ask on Arno's firewall list. 
I don't think that's that odd of a request (to make the service 
accessible on XXX externally and ABC internally).

Darrick
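As an added example (not from either poster, and not Arno's firewall's own syntax), the following shell script generates the raw iptables rules for the scheme Philip describes: mark the packet in mangle PREROUTING (which runs before nat PREROUTING), DNAT TCP/10100 to the real service port, and in FORWARD accept port 101 only when the mark is present while dropping anything that arrived on the external interface aimed at 101 directly. The interface name, mark value and the 192.168.101.1 internal host are assumptions; by default the script only prints the rules, and applies them only when run as root with the argument `apply`.

```shell
#!/bin/sh
# Added example: iptables rules for relocating an external service port.
# All variable defaults are assumptions for illustration.
WAN_IF="${WAN_IF:-eth0}"                 # external interface (assumed name)
EXT_PORT="${EXT_PORT:-10100}"            # port exposed on the outside
INT_PORT="${INT_PORT:-101}"              # port the service really listens on
INT_HOST="${INT_HOST:-192.168.101.1}"    # internal host (taken from the reply)
MARK="${MARK:-0x65}"                     # arbitrary fwmark value (constructed)

# Emit the rules, one iptables command per line, in the order they must apply.
gen_rules() {
    # 1. Mark relocated connections. mangle PREROUTING is traversed before
    #    nat PREROUTING, so the mark is set while --dport is still 10100.
    echo "iptables -t mangle -A PREROUTING -i $WAN_IF -p tcp --dport $EXT_PORT -j MARK --set-mark $MARK"
    # 2. Rewrite the destination to the real service port on the internal host.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $EXT_PORT -j DNAT --to-destination $INT_HOST:$INT_PORT"
    # 3. The filter table sees the post-DNAT port; admit it only if marked.
    echo "iptables -A FORWARD -i $WAN_IF -p tcp -d $INT_HOST --dport $INT_PORT -m mark --mark $MARK -j ACCEPT"
    # 4. Direct attempts at the old port arrive unmarked and are dropped.
    echo "iptables -A FORWARD -i $WAN_IF -p tcp --dport $INT_PORT -j DROP"
}

# Count the generated rules (used for a quick self-check).
rule_count() {
    gen_rules | grep -c '^iptables'
}

# Apply the rules; requires root and a kernel with netfilter.
apply_rules() {
    gen_rules | while IFS= read -r cmd; do
        sh -c "$cmd" || return 1
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

If the relocated service runs on the firewall host itself rather than on an internal machine, the two FORWARD rules become INPUT rules with the same `-m mark --mark` test, and the DNAT target is `--to-destination :101` without a host. Note that `-m state --state ESTABLISHED,RELATED` still has to admit the reply traffic as usual; the mark only gates the initial SYN path shown here.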

------------------------------------------------------------------------------
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
