iptables is like alchemy
Robert Moskowitz
rgm at htt-consult.com
Thu Jan 3 12:56:28 UTC 2013
On 01/02/2013 06:54 PM, Alan Evans wrote:
> This is really related to iptables, not I presume Fedora-specific. But
> I'm really hoping that somebody here will be able to school me on
> iptables, so I don't have to find and subscribe to some other list
> just to ask one question.
For what it is worth, an opinion:
When I had to maintain a Linux firewall, I used Shorewall for all this
rule writing. Shorewall makes sense of the iptables mess.
Now I run a commercial branch office class firewall for my network.
Sometimes I dream of going back and rolling my own, so as not to put up with
the vendor limitations...
>
> I'm faced with the problem of needing to punch a hole in a firewall on
> our portal server so that, in our case, ssh to port 20022 on external
> interface of that server actually just connects to port 22 on another
> machine located in the network on the internal interface. I hope I'm
> being clear.
>
> I've tried many iterations of iptables rules to accomplish this. The
> closest I've come is:
>
> iptables -A PREROUTING -t nat -p tcp -s 0/0 --dport 20022 -j DNAT --to 192.168.0.35:22
>
> And indeed connecting to port 20022 on portal just goes straight to
> port 22 on the other (192.168.0.35) machine. The problem is, as soon
> as I apply this rule, DNS queries (portal is also a DNS server) to the
> external interface stop working.
>
> I've googled endlessly and found about a thousand variations by people
> that are each supposed to solve a subtly different variation on what
> I'm trying to do. Nothing I've tried does what I want without bad side
> effects like I describe above.
>
> -Alan
>
>
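The hole Alan describes, scripted the way I would do it on a plain iptables box (an added example, not code from either poster): the DNAT is confined to the external interface and paired with the FORWARD rules the posted rule does not show, and the nat chain is listed with counters afterwards so you can see which rule is actually matching. It assumes eth0 is the external interface and that the conntrack match is available; when not run as root, or without iptables installed, it prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: forward TCP 20022 on the external
# interface to 192.168.0.35:22, with the FORWARD rules the DNAT alone lacks.
# Falls back to printing the rules (dry run) when not root or if iptables
# is not installed, so the rule set can be reviewed before it is applied.
IPT="${IPT:-iptables}"
if [ "$(id -u)" -ne 0 ] || ! command -v "$IPT" >/dev/null 2>&1; then
    IPT=echo
fi

# add_port_forward EXT_IF EXT_PORT TARGET_IP TARGET_PORT
add_port_forward() {
    ext_if="$1"; ext_port="$2"; target_ip="$3"; target_port="$4"
    # Rewrite only TCP to EXT_PORT arriving on EXT_IF; the -i restriction
    # keeps the rewrite off the internal side and off every other port.
    "$IPT" -t nat -A PREROUTING -i "$ext_if" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "${target_ip}:${target_port}"
    # DNATed packets are forwarded, not delivered locally, so FORWARD must
    # accept the new connection to the target and the replies of that flow.
    "$IPT" -A FORWARD -i "$ext_if" -p tcp -d "$target_ip" --dport "$target_port" \
        -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# List nat PREROUTING with packet counters: a rising counter on a rule you
# did not expect to match is the first thing to check when unrelated
# traffic (such as DNS) stops working after a nat change.
show_nat() {
    "$IPT" -t nat -L PREROUTING -n -v --line-numbers
}

# Assumption: eth0 is the external interface. net.ipv4.ip_forward must
# also be 1 for the redirected packets to be forwarded at all.
add_port_forward eth0 20022 192.168.0.35 22
show_nat
```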