* S. Salman Ahmed (ssahmed@pathcom.com) [010703 21:29]:
> >>>>> "JB" == Jim Breton <vader@conflict.net> writes:
>
>     JB> Nope, you still have to explicitly allow the packets to be
>     JB> forwarded.
>
> Still no go. I added the following rules to my earlier firewall setup:
>
> iptables -t nat -A PREROUTING -i eth0 -s SomeIpAddress \
>     -p tcp -d MyIpAddress --dport 22 \
>     -j DNAT --to 192.168.1.2
>
> iptables -A FORWARD -i eth0 -s SomeIpAddress \
>     -p tcp --dport 22 -j ACCEPT

add this to the 2 rules above and you should be set:

iptables -A FORWARD -o eth0 -s 192.168.1.2 -d SomeIpAddress \
    -p tcp --sport 22 -j ACCEPT

I generally like to be as explicit as possible and include both interfaces
and both addresses in my FORWARD chain, i.e.

iptables -A FORWARD -i $EXT_IF -o $INT_IF -s $REMOTE_HOST -d $DMZ_HOST \
    -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $DMZ_HOST -d $REMOTE_HOST \
    -p tcp --sport 22 -j ACCEPT

or, better, in place of that second rule:

iptables -m state -A FORWARD -i $INT_IF -o $EXT_IF \
    -s $DMZ_HOST -d $REMOTE_HOST \
    -p tcp --sport 22 --state ESTABLISHED,RELATED -j ACCEPT

I think by that example you'll see how these things work. See how with your
current setup the remote host can send packets to the DMZ_HOST but reply
packets would be dropped. You have to consider all the traffic in all
directions. It would work if you change default policy to accept, but that's
not a good solution.

HTH,
Vineet
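The point Vineet makes (the DMZ host's SSH replies are dropped by a FORWARD chain with a DROP policy unless a return-direction rule exists, and a state match is safer than a bare `--sport 22` rule) can be checked with a small model of the FORWARD chain. The following is an added example written for this archive page, not code from the thread or from netfilter: it models packets as they arrive at FORWARD after the PREROUTING DNAT has already rewritten the destination to 192.168.1.2, keeps a minimal connection-tracking table, and evaluates rules first-match-wins against a default DROP policy. The interface names, the remote address 203.0.113.10 and the client port 40000 are constructed sample values; RELATED connections, timeouts and TCP flags are not modelled.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

EXT_IF, INT_IF = "eth0", "eth1"                 # assumed interface names
REMOTE_HOST, DMZ_HOST = "203.0.113.10", "192.168.1.2"  # constructed sample addresses


@dataclass(frozen=True)
class Packet:
    """A packet as seen by the FORWARD chain, i.e. after DNAT has run."""
    in_if: str
    out_if: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Rule:
    """One FORWARD rule; a None field means 'any', like an omitted iptables match."""
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    states: Optional[Set[str]] = None          # models '-m state --state ...'

    def matches(self, pkt: Packet, state: str) -> bool:
        wanted = (
            (self.in_if, pkt.in_if), (self.out_if, pkt.out_if),
            (self.src, pkt.src), (self.dst, pkt.dst),
            (self.sport, pkt.sport), (self.dport, pkt.dport),
        )
        if any(want is not None and want != have for want, have in wanted):
            return False
        return self.states is None or state in self.states


class ForwardChain:
    """First-match-wins rule list with a default policy and a toy conntrack table."""

    def __init__(self, rules, policy: str = "DROP"):
        self.rules = list(rules)
        self.policy = policy
        self.flows: Set[Tuple[str, str, int, int]] = set()   # accepted 4-tuples

    def state_of(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        return "ESTABLISHED" if forward in self.flows or reverse in self.flows else "NEW"

    def filter(self, pkt: Packet) -> str:
        state = self.state_of(pkt)
        verdict = self.policy
        for rule in self.rules:
            if rule.matches(pkt, state):
                verdict = rule.target
                break
        if verdict == "ACCEPT":                    # conntrack records accepted flows
            self.flows.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        return verdict


# The original poster's single FORWARD rule (inbound direction only).
ONE_WAY = [Rule("ACCEPT", in_if=EXT_IF, src=REMOTE_HOST, dport=22)]

# The same rule plus Vineet's explicit, state-matched return rule.
TWO_WAY = ONE_WAY + [
    Rule("ACCEPT", in_if=INT_IF, out_if=EXT_IF, src=DMZ_HOST, dst=REMOTE_HOST,
         sport=22, states={"ESTABLISHED", "RELATED"}),
]


def ssh_exchange(chain: ForwardChain):
    """Forward the client's SYN to the DMZ host, then the host's reply; return both verdicts."""
    request = Packet(EXT_IF, INT_IF, REMOTE_HOST, DMZ_HOST, 40000, 22)
    reply = Packet(INT_IF, EXT_IF, DMZ_HOST, REMOTE_HOST, 22, 40000)
    return chain.filter(request), chain.filter(reply)


def unsolicited_from_dmz(chain: ForwardChain) -> str:
    """A packet the DMZ host sends from port 22 with no prior inbound connection."""
    return chain.filter(Packet(INT_IF, EXT_IF, DMZ_HOST, REMOTE_HOST, 22, 40001))


if __name__ == "__main__":
    print("one rule :", ssh_exchange(ForwardChain(ONE_WAY)))   # reply is dropped
    print("two rules:", ssh_exchange(ForwardChain(TWO_WAY)))   # both accepted
    print("unsolicited from DMZ:", unsolicited_from_dmz(ForwardChain(TWO_WAY)))
```

With the single rule the reply from 192.168.1.2 never matches anything and falls through to the DROP policy, which is exactly the "still no go" symptom. With the state-matched return rule the reply is accepted because conntrack already saw the inbound flow, while a fresh packet the DMZ host originates from source port 22 is still dropped, which is why the `--state ESTABLISHED,RELATED` form is preferable to a plain `--sport 22` rule: the latter would let any process on the DMZ host that binds port 22 reach the remote host at will.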