According to my reading of the iptables tutorial (linuxsecurity.com), it only has a forward rule like this:

    iptables -A FORWARD -i $LAN_IFACE -j ACCEPT

The other forward rule allows ESTABLISHED,RELATED packets, which I think takes care of return packets from servers:

    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of doggy
> Sent: Wednesday, April 24, 2002 1:46 PM
> To: '[EMAIL PROTECTED]'
> Subject: Forward Rule/nat
>
> hi,
>
> I want to know whether it is possible to NAT a packet from the LAN to the
> internet without putting a rule in the forward chain, because always before
> I do a NAT I need to do a forward rule which allows the packet to be forwarded.
>
> iptables -F
> iptables --table nat -F
>
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> #6665
> iptables -A FORWARD --in-interface eth0 --out-interface ppp0 --protocol tcp \
>     --source $LAN --destination ! $LAN --sport $HIGHPORTS --dport 6665 -j ACCEPT
>
> # Do I really need this rule ??
> # Or can an attacker get with this rule into my lan with source port 6665 ?
> iptables -A FORWARD --in-interface ppp0 --out-interface eth0 --protocol tcp \
>     --source ! $LAN --destination $LAN --sport 6665 --dport $HIGHPORTS -j ACCEPT
>
> iptables --table nat -A POSTROUTING --out-interface ppp0 --protocol tcp \
>     --source $LAN --destination ! $LAN --sport $HIGHPORTS --dport 6665 -j SNAT \
>     --to $IFIP_ppp0
>
> Thanks for reading this and sorry for my bad English
>
> sebastian
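The ruleset from the quoted mail, rewritten as an added example (not code from either poster) so that return traffic is admitted by connection tracking rather than by the ppp0-to-eth0 "--sport 6665" rule, which any remote host could match just by choosing that source port. SNAT in the nat POSTROUTING chain is applied after the FORWARD chain has already accepted the packet, so the filter rule for the outbound connection is still needed; the NAT rule alone does not forward anything. The LAN range, interface names and public address are assumed placeholders, and IPT defaults to echo so the script only prints the rules it would apply; set IPT=iptables to run them for real.

```shell
#!/bin/sh
# Added example, not from the original thread. Dry-run by default:
# IPT="echo iptables" prints the rules instead of loading them.
IPT="${IPT:-echo iptables}"

# Assumed placeholder values (not taken from the mail).
LAN="${LAN:-192.168.1.0/24}"
LAN_IFACE="${LAN_IFACE:-eth0}"
WAN_IFACE="${WAN_IFACE:-ppp0}"
WAN_IP="${WAN_IP:-203.0.113.10}"   # RFC 5737 documentation address
HIGHPORTS="1024:65535"
IRC_PORT=6665

build_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Return traffic: accepted only when conntrack already saw the
    # outbound connection. This replaces the WAN->LAN "--sport 6665"
    # rule, so no inbound rule keyed on a source port is needed.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections: only LAN -> internet, only to the IRC port.
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -p tcp \
        -s "$LAN" ! -d "$LAN" --sport "$HIGHPORTS" --dport "$IRC_PORT" \
        -m state --state NEW -j ACCEPT

    # SNAT runs in POSTROUTING, after the FORWARD decision above, so it
    # cannot substitute for the filter rule.
    $IPT -t nat -A POSTROUTING -o "$WAN_IFACE" -p tcp \
        -s "$LAN" ! -d "$LAN" --dport "$IRC_PORT" \
        -j SNAT --to-source "$WAN_IP"
}

# Returns 0 when the generated ruleset has the stateful return rule and
# no rule that forwards new WAN->LAN traffic; 1 otherwise.
check_rules() {
    out=$(build_rules)
    echo "$out" | grep -q -- '--state ESTABLISHED,RELATED' || return 1
    echo "$out" | grep -q -- "-i $WAN_IFACE -o $LAN_IFACE" && return 1
    return 0
}

build_rules
```

Run it once with the default dry-run to review the rules, then with IPT=iptables on the gateway. The check_rules function is the sanity test a practitioner would keep in a deploy script: it fails if someone reintroduces an inbound rule that matches on a source port.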
