[lug] iptables

j davis davis_compz at hotmail.com
Tue May 21 21:43:40 MDT 2002


So you're telling me that iptables would never DNAT any traffic to my firewall
from the internet to the private IP associated with the firewall unless I
wrote a rule in PREROUTING. And my daemons will take requests from either because
they are not bound to a specific IP?

Please Help,
jd

>From: "D. Stimits" <stimits at idcomm.com>
>Reply-To: lug at lug.boulder.co.us
>To: lug at lug.boulder.co.us
>Subject: Re: [lug] iptables
>Date: Tue, 21 May 2002 21:18:31 -0600
>
>j davis wrote:
> >
> > Hi,
> > so if a request is made to the public interface of my firewall is
> > the request processed as the public IP or the private IP for the 
>firewall.
> >
> > example :
> >
> > I want to block telnet access to my firewall from the internet. I write
> > rules in the INPUT chain to do this. Would I write the rule blocking telnet
> > using the public or private interface?
> >
> > /sbin/iptables -A INPUT -i eth0 -d 10.0.0.1 -p tcp --dport 23 -j DROP
> >
> >                       or
> >
> > /sbin/iptables -A INPUT -i eth0 -d $MY_PUB_IP -p tcp --dport 23 -j DROP
> >
> > Thanks
> > jd
>
>What is the routeable IP visible to the world? That is the IP you block.
>Anything arriving from the outside that is pointed at a non-routable
>10.x.x.x IP should be considered hostile and summarily banned; if
>something on the inside is supposed to receive the packet via
>masquerade, then it will not know about the non-routeable IP, it will be
>up to the kernel to put it to the right IP/port.
>
>D. Stimits, stimits at idcomm.com
>_______________________________________________
>Web Page:  http://lug.boulder.co.us
>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
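The rules the reply describes, written out as an added example (not from either poster): block telnet on the address the world sees, and drop anything arriving on the outside interface that is addressed to 10.x.x.x. The interface name, the public address 203.0.113.5 and the 10.0.0.0/8 range are constructed values; the script only prints the commands unless IPT is set to the real iptables binary.

```shell
#!/bin/sh
# Added example for the INPUT chain of the firewall host itself.
# Assumed (constructed) values: eth0 faces the internet, 203.0.113.5 is the
# firewall's routable address, 10.0.0.0/8 is the private side.
# Dry-run by default: IPT="echo iptables" prints each rule instead of
# loading it. Run as root with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
EXT_IF=eth0
PUB_IP=203.0.113.5
PRIV_NET=10.0.0.0/8

firewall_rules() {
    $IPT -F INPUT
    # Local traffic and replies to connections the firewall opened itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # A packet from the outside addressed to private space was never
    # rewritten by a nat PREROUTING DNAT rule, so it is a spoof: drop it.
    $IPT -A INPUT -i "$EXT_IF" -d "$PRIV_NET" -j DROP
    # Telnet to the firewall is matched on the public IP, not 10.0.0.1,
    # because that is the destination the kernel sees in the INPUT chain.
    $IPT -A INPUT -i "$EXT_IF" -d "$PUB_IP" -p tcp --dport 23 -j DROP
}

firewall_rules
```

Whether a daemon listens on every address (0.0.0.0) or only one can be checked with `netstat -tln` on the firewall; the INPUT rule above protects port 23 either way.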



