Re: iptables & port redirects
From: Micheal Robert Zium (mrozium_at_XSPAMX-yahoo.com)
Date: 05/13/04
- Next message: Ogden Johnson III: "Re: sick chick got to see to beleave"
- Previous message: Peacekeeper: "Re: mcafee firewall exception in CPD.exe"
- In reply to: Michael: "Re: iptables & port redirects"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 13 May 2004 00:24:29 -0500
Michael wrote:
>"Micheal Robert Zium" <mrozium@XSPAMX-yahoo.com> wrote in message
>news:1100931096.41fd41d0@spam-sucks...
>>
>> What is your default FORWARD policy?
>> How are you testing your rules?
>> Is there any other rules before these that may match incoming http
>> requests?
>> What do your logs show?
>
>My default forward rule is drop
>
>yeah i have a cpl rules, my firewall script is below, any ideas greatly
>appreciated :) thanks
I'm not really sure where to begin. Let me give you an example from
one of my firewalls:
iptables -A PREROUTING -t nat -p tcp -i eth0 -d $extip --dport 80 \
-j DNAT --to 192.168.112.221:80
iptables -A FORWARD -d 192.168.112.221 -p tcp --dport 80 -j LOG \
--log-prefix "http " --log-level debug
iptables -A FORWARD -p tcp -d 192.168.112.221 --dport 80 -j ACCEPT
You also need a final drop rule for your forward chain, and log those
hits. Then, by testing with an external (not on your LAN or firewall)
host, you can tell what is and isn't working. You can even "cheat" a
bit by using a so-called online security scanner that probes port 80.
I hope you don't get offended, but IMHO, your rules really need a
complete re-write. There are a few things that are there that
shouldn't be, and a few things you need that aren't there. I wish I
had time to help you sort it all out.
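The reply above leans on two things: a LOG rule in front of the FORWARD ACCEPT (prefix "http "), and a final logging drop rule so that rejected forwards show up in syslog too. The following Python script is an added example, not code from the poster or from this thread; it reads kernel LOG-target lines in the format the iptables LOG target writes to syslog and reports, per log prefix, what reached the DNAT target on port 80 and what fell through to the final drop. The sample log lines are constructed, and the "fwd-drop " prefix for the final drop rule is an assumption (the post names only the "http " prefix).

```python
import re
from collections import Counter

# Constructed sample syslog lines in the iptables LOG-target format (not from the post).
# "http " is the prefix used in the post's LOG rule; "fwd-drop " is an ASSUMED prefix
# for the final logging drop rule the post says the FORWARD chain needs.
# The "link up" line stands in for unrelated kernel messages that must be skipped.
SAMPLE_LOG = """\
May 13 00:24:29 fw kernel: http IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.112.221 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=40312 DF PROTO=TCP SPT=40123 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 13 00:24:30 fw kernel: http IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.112.221 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=40313 DF PROTO=TCP SPT=40123 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
May 13 00:25:01 fw kernel: fwd-drop IN=eth0 OUT=eth1 SRC=198.51.100.77 DST=192.168.112.221 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9981 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May 13 00:25:02 fw kernel: fwd-drop IN=eth1 OUT=eth0 SRC=192.168.112.50 DST=203.0.113.9 LEN=60 TOS=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
May 13 00:25:03 fw kernel: eth0: link up
"""

# KEY=VALUE tokens; flag-only tokens (DF, SYN, ACK) carry no '=' and are not captured.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")
# The --log-prefix text sits between "kernel: " and the first "IN=" field.
PREFIX_RE = re.compile(r"kernel:\s+(?P<prefix>.*?)\s*IN=")


def parse_log_line(line):
    """Return a dict for one LOG-target line, or None for unrelated kernel messages.

    Keys: 'prefix' (the --log-prefix text, stripped) plus every KEY=VALUE field.
    When a key repeats (UDP lines carry an IP LEN= and a UDP LEN=) the last value wins.
    """
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(line[m.start():]))
    rec["prefix"] = m.group("prefix")
    return rec


def parse_log(text):
    """Parse every line of a syslog extract, dropping non-LOG-target lines."""
    return [r for r in (parse_log_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Count hits per (prefix, DST, PROTO, DPT).

    This is the view you want when checking whether the DNAT rule is actually
    delivering port-80 traffic to the intended internal host.
    """
    counts = Counter()
    for r in records:
        counts[(r["prefix"], r.get("DST"), r.get("PROTO"), r.get("DPT"))] += 1
    return counts


def check_forward(records, dst, dport, accept_prefix, drop_prefix):
    """Return (accepted, dropped) counts for TCP traffic to dst:dport.

    accepted > 0 and dropped == 0: the DNAT + FORWARD ACCEPT pair is matching.
    dropped > 0: packets for that host/port reach the final drop rule, so the
    ACCEPT rule (or something ahead of it) is not matching what arrives.
    """
    accepted = dropped = 0
    for r in records:
        if r.get("DST") != dst or r.get("PROTO") != "TCP" or r.get("DPT") != str(dport):
            continue
        if r["prefix"] == accept_prefix:
            accepted += 1
        elif r["prefix"] == drop_prefix:
            dropped += 1
    return accepted, dropped


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarize(recs).items(), key=str):
        print(n, key)
    print("port 80 to 192.168.112.221:",
          check_forward(recs, "192.168.112.221", 80, "http", "fwd-drop"))
```

Run it against a real extract with something like `grep 'kernel:' /var/log/messages` piped into `parse_log`; a non-zero "dropped" count for the DNAT target on port 80 while testing from an external host is the quickest sign that the FORWARD ACCEPT rule is not matching the packets the nat table hands it.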