iptables is like alchemy

Robert Moskowitz rgm at htt-consult.com
Thu Jan 3 12:56:28 UTC 2013


On 01/02/2013 06:54 PM, Alan Evans wrote:
> This is really related to iptables, not I presume Fedora-specific. But 
> I'm really hoping that somebody here will be able to school me on 
> iptables, so I don't have to find and subscribe to some other list 
> just to ask one question.

For what it is worth opinion.

When I had to maintain a Linux firewall, I used Shorewall for all this 
rule writing.  Shorewall makes sense of the iptables mess.

Now I run a commercial branch office class firewall for my network. 
Sometimes I dream of going back and rolling my own, not to put up with 
the vendor limitations...


>
> I'm faced with the problem of needing to punch a hole in a firewall on 
> our portal server so that, in our case, ssh to port 20022 on external 
> interface of that server actually just connects to port 22 on another 
> machine located in the network on the internal interface. I hope I'm 
> being clear.
>
> I've tried many iterations of iptables rules to accomplish this. The 
> closest I've come is:
>
> iptables -A PREROUTING -t nat -p tcp -s 0/0 --dport 20022 -j DNAT --to 192.168.0.35:22
>
> And indeed connecting to port 20022 on portal just goes straight to 
> port 22 on the other (192.168.0.35) machine. The problem is, as soon 
> as I apply this rule, DNS queries (portal is also a DNS server) to the 
> external interface stop working.
>
> I've googled endlessly and found about a thousand variations by people 
> that are each supposed to solve a subtly different variation on what 
> I'm trying to do. Nothing I've tried does what I want without bad side 
> effects like I describe above.
>
> -Alan
>
>

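Added example, not code from the thread: the same port forward written as an iptables-restore fragment and wrapped in small shell functions. The DNAT is pinned to the external interface (eth0 is an assumed name) and to TCP/20022, and the FORWARD rule admits only flows that conntrack has marked as DNATed, so the rule set cannot reach unrelated services on the box.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore fragment that
# forwards TCP <pub_port> arriving on <ext_if> to <dest_ip>:<dest_port>.
# Unlike the quoted rule, the DNAT is limited to one interface, one protocol
# and one port; the FORWARD rule only admits connections conntrack marked as
# DNATed, plus replies. No chain policy lines are emitted, so existing policies
# are left alone. "eth0" in the usage comment is an assumed interface name.

gen_portforward_rules() {
    ext_if=$1; pub_port=$2; dest_ip=$3; dest_port=$4
    cat <<EOF
*nat
-A PREROUTING -i $ext_if -p tcp --dport $pub_port -j DNAT --to-destination $dest_ip:$dest_port
COMMIT
*filter
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $ext_if -p tcp -d $dest_ip --dport $dest_port -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# Refuse empty interface/address and non-numeric ports, so a typo cannot
# turn into a wildcard rule.
validate_args() {
    [ -n "$1" ] && [ -n "$3" ] || return 1
    case "$2$4" in *[!0-9]*|'') return 1 ;; esac
    return 0
}

# Load the fragment without flushing existing tables (-n). Requires root;
# review the generated text first.
apply_rules() {
    validate_args "$@" || { echo "bad arguments" >&2; return 1; }
    gen_portforward_rules "$@" | iptables-restore -n
}

# Usage with the addresses from the thread (eth0 assumed):
#   gen_portforward_rules eth0 20022 192.168.0.35 22
#   apply_rules eth0 20022 192.168.0.35 22
```

Inspect the live nat table afterwards with `iptables -t nat -L PREROUTING -n -v` to confirm that only the intended interface and port are matched.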