I'm in the middle of switching from ipchains to iptables right now and I haven't tested my DNAT rules yet, but from what I understand, packets pass through the FORWARD chain in the filter table after the PREROUTING chain in the nat table. See the second paragraph here: http://netfilter.samba.org/documentation/HOWTO//packet-filtering-HOWTO-9.html
On Mon, Mar 25, 2002 at 10:46:45PM +0100, Andras GALAMBOSI wrote:
> Hello all,
>
> sorry to disturb you with this silly question. I am sure that it is obvious
> to all list members (except me ;)
>
> scenario: intranet (10.10.1.x) with win clients (NT & 2k), gateway (Debian
> GNU/Linux potato with kernel 2.4.18 + iptables). NAT is used for requests
> from intranet to Internet. this works fine. Web & mailserver is behind the
> firewall, so I needed to set up portforwarding. dnat is used for this. this
> works fine.
> as the webserver is an ii$, I am sure that some firewall rules must be set
> up for these two ports. The access.log shows that it is a MUST:
> GET /scripts/root.exe?/c+dir HTTP/1.0
> GET /MSADC/root.exe?/c+dir HTTP/1.0
> GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> ... so on... I'm sure that it's just a script kiddie, but, on the other
> hand, it's just m$ product.
>
> Q: how to set up filtering rules, if a PREROUTING dnat rule has been set up
> before? the packet never comes to the INPUT, nor to the FORWARD, does it?
> I really do not want to set up another firewall onto that win2k server.
>
> TIA,
> gaan

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
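As an added example (not part of this thread), the layout the reply describes as a small rule script: the DNAT lives in nat/PREROUTING, and the filter rules for the forwarded web and mail servers go in filter/FORWARD, matching the internal address the packet carries after DNAT. The interface name, the two server addresses and the decision to log what the DROP policy discards are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: DNAT in nat/PREROUTING plus the matching filter/FORWARD rules.
# Run "sh fw.sh show" to print the rules (IPT=echo) or "sh fw.sh apply" to load them.
IPT="${IPT:-iptables}"             # set IPT=echo to print rules instead of loading them
WAN_IF="${WAN_IF:-eth0}"           # assumed Internet-facing interface
WEB_SRV="${WEB_SRV:-10.10.1.10}"   # assumed internal web server (placeholder)
MAIL_SRV="${MAIL_SRV:-10.10.1.11}" # assumed internal mail server (placeholder)

dnat_rules() {
    # nat/PREROUTING: the destination is rewritten before the routing decision,
    # so anything later in the path sees the internal server address.
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SRV:80"
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 25 \
        -j DNAT --to-destination "$MAIL_SRV:25"
}

forward_rules() {
    # filter/FORWARD runs after PREROUTING, so match on the post-DNAT
    # destination (the internal host), not on the gateway's public address.
    "$IPT" -P FORWARD DROP
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SRV" --dport 80 \
        -m state --state NEW -j ACCEPT
    "$IPT" -A FORWARD -i "$WAN_IF" -p tcp -d "$MAIL_SRV" --dport 25 \
        -m state --state NEW -j ACCEPT
    # Anything else arriving from the Internet falls through to the DROP
    # policy; log it (rate limited) so probes show up in the gateway's syslog
    # rather than only in the web server's access.log.
    "$IPT" -A FORWARD -i "$WAN_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "FWD-DROP: "
}

apply_firewall() {
    dnat_rules && forward_rules
}

case "${1:-}" in
    apply) apply_firewall ;;
    show)  IPT=echo apply_firewall ;;
esac
```

Only the ports that were forwarded are reachable from the outside; requests for other ports on the internal hosts never leave FORWARD.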