Philip A. Prindeville wrote:
> Darrick Hartman wrote:
>> Philip A. Prindeville wrote:
>>
>>> What I'm trying to do is this.
>>>
>>> Let's say I have some service that runs on port 101 (hypothetically).
>>>
>>> I want to continue to run it on that port internally, but I want to
>>> relocate it on my external interface because I'm tired of it being
>>> port-scanned, and it's not a particularly secure service.
>>>
>>> So I run my relocated service externally on port 10100. Internally on
>>> 101... and block packets sent directly to the external interface on port
>>> 101....
>>>
>>> What I want to do is this.
>>>
>>> If a connection comes in for TCP/10100 on my external interface, I want
>>> to (a) --setmark the packet, and (b) -j DNAT --to-destination 101 on it.
>>>
>>> Then separately, if a packet is for TCP/101 and it came on my external
>>> interface:
>>>
>>> (a) accept it if it's marked (i.e. had been reNATted),
>>> (b) reject it if it isn't marked (i.e. hasn't been reNATted from TCP/10100).
>>>
>>> Simple, right?
>>>
>> (b) is easy. Any ports that aren't explicitly opened are dropped from
>> the outside. Default behavior is DROP unless set otherwise.
>>
>
> No, I was referring to the "MARK" module and --mark and --setmark.
But why do you need that?

>> (a) should be able to be handled by Arno's firewall already by
>> NAT_XXX_FORWARD= where XXX is TCP, UDP or IP.
>>
>> You'd use a format that looks like this:
>>
>> "101>192.168.101.1:10100"
>>
>
> You know, you'd think that would work... but it doesn't.
>
>
>> Try that. If that doesn't work, then I'd ask on Arno's firewall list.
>> I don't think that's that odd of a request (to make the service
>> accessible on XXX externally and ABC internally).
>>
>> Darrick
>>
>
> Really? It was a very popular thing to do on IOS routers...

Re-read what I said. In my mind it IS something that many people may want. That's why I thought it would be something beneficial to be in Arno's firewall upstream and not just a hack for this project.

Darrick

Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
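The mark-then-DNAT rule set Philip describes, written out as an added example (not code from the thread, from AstLinux or from Arno's firewall). The interface name eth0, the mark value 0x65 and the use of CONNMARK instead of a plain per-packet MARK are assumptions; CONNMARK is used because DNAT is decided on the first packet of a flow only, so a per-packet mark would leave the rest of the connection unmarked.

```shell
#!/bin/sh
# Added example: expose a service that listens on TCP/101 as TCP/10100 on the
# external interface, and accept TCP/101 from outside only when the packet was
# re-NATed from 10100. Override any of these via the environment; nothing is
# applied unless the script is run with the argument "apply".
IPT="${IPT:-iptables}"          # set IPT=echo to dry-run
EXT_IF="${EXT_IF:-eth0}"        # assumed external interface
PUB_PORT="${PUB_PORT:-10100}"   # relocated (public) port
SVC_PORT="${SVC_PORT:-101}"     # real service port on this host
MARK="${MARK:-0x65}"            # assumed connection mark (101 decimal)

relocate_service() {
    # 1. mangle/PREROUTING runs before nat/PREROUTING, so the original
    #    destination port is still visible here. Mark the connection: the
    #    DNAT decision is made on the first packet only, so a plain
    #    per-packet MARK would leave later packets of the flow unmarked.
    "$IPT" -t mangle -A PREROUTING -i "$EXT_IF" -p tcp --dport "$PUB_PORT" \
        -j CONNMARK --set-mark "$MARK"
    # 2. Copy the connection mark onto every packet of the flow.
    "$IPT" -t mangle -A PREROUTING -i "$EXT_IF" -j CONNMARK --restore-mark
    # 3. Rewrite the public port to the real service port (address unchanged).
    "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$PUB_PORT" \
        -j DNAT --to-destination ":$SVC_PORT"
    # 4. filter/INPUT sees the post-DNAT port (101). Accept only marked
    #    traffic, i.e. connections that arrived via the relocated port.
    "$IPT" -A INPUT -i "$EXT_IF" -p tcp --dport "$SVC_PORT" \
        -m mark --mark "$MARK" -j ACCEPT
    # 5. Direct hits on the real port from outside were never re-NATed: drop.
    "$IPT" -A INPUT -i "$EXT_IF" -p tcp --dport "$SVC_PORT" -j DROP
}

if [ "${1:-}" = "apply" ]; then
    relocate_service
fi
```

Run with IPT=echo first to review the generated rules; rule 5 must sit below any general ESTABLISHED,RELATED accept you already have, or return traffic of the relocated flow is unaffected either way because it is marked.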