Darrick Hartman wrote:
> Philip A. Prindeville wrote:
>
>> What I'm trying to do is this.
>>
>> Let's say I have some service that runs on port 101 (hypothetically).
>>
>> I want to continue to run it on that port internally, but I want to
>> relocate it on my external interface because I'm tired of it being
>> port-scanned, and it's not a particularly secure service.
>>
>> So I run my relocated service externally on port 10100. Internally on
>> 101... and block packets sent directly to the external interface on port
>> 101....
>>
>> What I want to do is this.
>>
>> If a connection comes in for TCP/10100 on my external interface, I want
>> to (a) --setmark the packet, and (b) -j DNAT --to-destination 101 on it.
>>
>> Then separately, if a packet is for TCP/101 and it came on my external
>> interface:
>>
>> (a) accept it if it's marked (i.e. had been reNATted),
>> (b) reject it if it isn't marked (i.e. hasn't been reNATted from TCP/10100).
>>
>> Simple, right?
>>
>
> (b) is easy. Any ports that aren't explicitly opened are dropped from
> the outside. Default behavior is DROP unless set otherwise.
>

No, I was referring to the "MARK" module and --mark and --setmark.

> (a) should be able to be handled by Arno's firewall already by
> NAT_XXX_FORWARD= where XXX is TCP, UDP or IP.
>
> You'd use a format that looks like this:
>
> "101>192.168.101.1:10100"

You know, you'd think that would work... but it doesn't.

> Try that. If that doesn't work, then I'd ask on Arno's firewall list.
> I don't think that's that odd of a request (to make the service
> accessible on XXX externally and ABC internally).
>
> Darrick

Really? It was a very popular thing to do on IOS routers...

-Philip

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
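The mark-then-DNAT relocation described in the thread, written out as plain iptables rules. This is an added example, not code from the thread or from Arno's firewall; it assumes eth0 is the external interface, 192.168.101.1 (the address from the thread) hosts the service, and 0x65 is an arbitrary mark value. The function only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the thread or Arno's firewall: emit the iptables
# rules that relocate a service from external port 10100 to internal port 101,
# using a packet mark so that only reNATted traffic reaches port 101.
# Assumptions: eth0 is the external interface, 192.168.101.1 hosts the
# service (address from the thread), 0x65 is an arbitrary mark value.

relocation_rules() {
    ext_if=$1; ext_port=$2; int_host=$3; int_port=$4; mark=$5
    cat <<EOF
# mangle PREROUTING runs before nat PREROUTING, so the mark is set while the
# destination port is still $ext_port; every inbound packet of the flow gets it.
iptables -t mangle -A PREROUTING -i $ext_if -p tcp --dport $ext_port -j MARK --set-mark $mark
iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport $ext_port -j DNAT --to-destination $int_host:$int_port
# After DNAT the packet is addressed to $int_host:$int_port. Forward it only
# when it carries the mark, i.e. it arrived via port $ext_port.
iptables -A FORWARD -i $ext_if -p tcp -d $int_host --dport $int_port -m mark --mark $mark -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Unmarked traffic aimed directly at port $int_port from the external side is
# rejected, whether it would be forwarded or is addressed to the firewall itself.
iptables -A FORWARD -i $ext_if -p tcp --dport $int_port -j REJECT --reject-with tcp-reset
iptables -A INPUT -i $ext_if -p tcp --dport $int_port -j REJECT --reject-with tcp-reset
EOF
}

# Print the rules for review; pipe the output into "sh" as root to apply them.
relocation_rules eth0 10100 192.168.101.1 101 0x65
```

Rule order matters: the marked ACCEPT must precede the REJECT rules, and the mark is set in the mangle table because it runs before the nat table changes the destination port.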