
Re: desperate! can't get port forwarding to work on debian testing 2.6.15



Ross Goble wrote:

I've got a firewall script (modded TrinityOS Firewall) that port forwards just fine with the inclusion of the following 2 lines

$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d 10.121.128.98 --dport 411 -j DNAT --to 192.168.0.2:80
$IPTABLES -A FORWARD -p tcp -i eth0 -d 192.168.0.4 --dport 411 -j ACCEPT

I wonder how this can work. The destination address and port in the two rules don't match each other.
DNAT to: 192.168.0.2:80
FORWARD: 192.168.0.4:411

Here's the guts of the script...

echo "   Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo
echo -e "      - Allowing EXTERNAL access to the WWW server"
echo
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $UNIVERSE --dport 80 -j ACCEPT

The INPUT default policy is already set to ACCEPT, so what's the use of this rule? Besides, valid HTTP packets cannot be in the RELATED state but only NEW or ESTABLISHED.

#echo
echo -e "      - Allowing EXTERNAL access to the FTP server"
echo
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $UNIVERSE --dport 20 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $UNIVERSE --dport 21 -j ACCEPT

Same question and comment as above. Valid FTP packets with destination port 20 cannot be in the NEW or RELATED state but only ESTABLISHED, and valid FTP packets with destination port 21 cannot be in the RELATED state but only NEW or ESTABLISHED.

echo -e "      - Allowing EXTERNAL access to the SSH server"
echo
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $UNIVERSE --dport 22 -j ACCEPT

Same question and comment as above. Valid SSH packets cannot be in the RELATED state.
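As an added example (not from the original thread or the TrinityOS script), a small Python check that parses the two quoted rules and reports DNAT targets that no FORWARD ACCEPT rule covers; it flags the 192.168.0.2:80 versus 192.168.0.4:411 mismatch pointed out above, which with the script's FORWARD policy of DROP means the translated packets are simply discarded.

```python
import shlex

# Constructed sample: the two rules quoted from the script above, verbatim
# (the unexpanded $IPTABLES variable is just another token here).
SAMPLE_RULES = """
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d 10.121.128.98 --dport 411 -j DNAT --to 192.168.0.2:80
$IPTABLES -A FORWARD -p tcp -i eth0 -d 192.168.0.4 --dport 411 -j ACCEPT
"""
# Constructed corrected pair: FORWARD matches the post-DNAT address and port.
FIXED_RULES = SAMPLE_RULES.replace("-d 192.168.0.4 --dport 411", "-d 192.168.0.2 --dport 80")

def parse_rule(line):
    """Map each iptables option to its argument (True for bare flags)."""
    toks, opts, i = shlex.split(line), {}, 0
    while i < len(toks):
        if toks[i].startswith("-"):
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                opts[toks[i]] = toks[i + 1]
                i += 1
            else:
                opts[toks[i]] = True
        i += 1
    return opts

def dnat_targets(rules):
    """(address, port) each PREROUTING DNAT rule rewrites packets to;
    a target without an explicit port keeps the original --dport."""
    targets = []
    for r in rules:
        if r.get("-A") == "PREROUTING" and r.get("-j") == "DNAT":
            addr, _, port = (r.get("--to-destination") or r["--to"]).partition(":")
            targets.append((addr, port or r.get("--dport")))
    return targets

def forward_covers(target, rules):
    """True if some FORWARD ACCEPT rule matches the translated packet.
    A missing -d or --dport is a wildcard; addresses are compared as text."""
    addr, port = target
    return any(r.get("-A") == "FORWARD" and r.get("-j") == "ACCEPT"
               and r.get("-d", addr) == addr and r.get("--dport", port) == port
               for r in rules)

def unmatched_dnats(text):
    """DNAT targets no FORWARD ACCEPT rule lets through: with the script's
    FORWARD policy of DROP, those packets are translated and then discarded."""
    rules = [parse_rule(l) for l in text.splitlines() if l.strip()]
    return [t for t in dnat_targets(rules) if not forward_covers(t, rules)]
```

Run unmatched_dnats over the whole script once the variables are expanded; an empty list means every DNAT target has a FORWARD rule that lets it through.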
