Iptables FORWARD


Tilghman Lesher

Oct 13, 2020, 9:17:50 AM10/13/20
to NLUG
Just a simple question that I need confirmation on.

I have an internal NAT to bridge wireless to a private Ethernet LAN.
I'm using the nat PREROUTING target to redirect high ports to certain
limited IPs behind the NAT, based upon a simple construction:

Port 10031 on the bridge redirects to Ethernet 172.17.2.100 on port 631
Port 10131 redirects to 172.17.2.101 on port 631
...
Port 19931 redirects to 172.17.2.199 on port 631
etc.

I know I also need the FORWARD to allow that packet to pass through.
But if the FORWARD policy is set to ACCEPT, do I still need separate
FORWARD rules for each of the targets? Shouldn't the FORWARD policy
be what is done if no rule matches (i.e. to allow the packet through)?

--
Tilghman

Paul Boniol

Oct 13, 2020, 5:59:24 PM10/13/20
to NLUG
It's been a few years since I was heavily into custom iptables scripts, but I'm pretty sure the default FORWARD would apply to any packets. If it is set to ACCEPT, you shouldn't need individual rules since you're already handling them in PREROUTING, and will be ACCEPTING them, as long as nothing else about the packets needs to change.

---Paul.


Will Drewry

Oct 13, 2020, 8:28:58 PM10/13/20
to nlug...@googlegroups.com
Not sure if this is relevant, but I always get hung up after I set the rules on remembering to enable forwarding. E.g., 

   cat /proc/sys/net/ipv4/ip_forward

should be 1. (Either echo it in, update sysctl, or whatever)

IIRC you don’t need per target rules but you will want to make sure there are no other ways for unplanned traffic to hit the forward rule.

HTH!
Will
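Putting the thread together, the following script is an added example (not posted by anyone in this thread) of what the combination looks like: the 1XX31 -> 172.17.2.1XX:631 DNAT rules from the question, ip_forward switched on as Will notes, and a FORWARD chain that defaults to DROP and only lets in flows that PREROUTING actually rewrote, which addresses the "unplanned traffic" concern. The interface names br0 and eth1 are assumptions; the script prints the iptables commands instead of applying them unless APPLY=1 is set, so it can be read and checked offline.

```shell
#!/bin/sh
# Added example for the NLUG thread; not the original posters' configuration.
# Assumptions: wireless bridge is br0, private wired LAN is eth1 (both invented).
# Mapping from the question: bridge port 1XX31 -> 172.17.2.1XX, TCP port 631.
# Commands are echoed unless APPLY=1 is set, so the script runs without root.

WLAN_IF="${WLAN_IF:-br0}"    # assumed wireless bridge interface
LAN_IF="${LAN_IF:-eth1}"     # assumed private Ethernet interface
LAN_NET="172.17.2.0/24"      # network holding 172.17.2.100 .. .199

# Echo a command, or execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Map a redirected bridge port to its internal host:port.
# 10031 -> 172.17.2.100:631 ... 19931 -> 172.17.2.199:631; anything else fails.
target_for_port() {
  p="$1"
  case "$p" in
    1[0-9][0-9]31) ;;                      # only 10031, 10131, ..., 19931 qualify
    *) echo "port $p is not in the 1XX31 scheme" >&2; return 1 ;;
  esac
  h=$(( (p - 10031) / 100 + 100 ))
  echo "172.17.2.${h}:631"
}

# Emit the full ruleset: forwarding enabled, FORWARD deny-by-default, and one
# DNAT rule per internal host.
emit_rules() {
  # Without this the kernel silently drops everything the rules would forward.
  run sysctl -w net.ipv4.ip_forward=1

  # Deny by default so a FORWARD policy of ACCEPT never becomes the catch-all.
  run iptables -P FORWARD DROP
  run iptables -F FORWARD
  # Replies to flows already accepted in either direction.
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # LAN hosts may initiate outbound connections through the bridge.
  run iptables -A FORWARD -i "$LAN_IF" -o "$WLAN_IF" -s "$LAN_NET" -j ACCEPT
  # Inbound to the LAN only for connections PREROUTING rewrote (ctstate DNAT),
  # and only to the printer port, so nothing else reaches the wired side.
  run iptables -A FORWARD -i "$WLAN_IF" -o "$LAN_IF" -p tcp -d "$LAN_NET" \
      --dport 631 -m conntrack --ctstate DNAT -j ACCEPT

  # One DNAT rule per host in 172.17.2.100 .. 172.17.2.199.
  host=100
  while [ "$host" -le 199 ]; do
    port=$((10031 + (host - 100) * 100))
    dest=$(target_for_port "$port")
    run iptables -t nat -A PREROUTING -i "$WLAN_IF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$dest"
    host=$((host + 1))
  done
}

# Number of DNAT rules the ruleset contains (100 hosts -> 100 rules).
dnat_rule_count() {
  emit_rules | grep -c -- '-t nat -A PREROUTING'
}

emit_rules
```

Run it once without APPLY to read the generated commands, then with `APPLY=1` as root to install them. The `--ctstate DNAT` match is what ties the two chains together: a packet that did not hit one of the PREROUTING rules never matches the inbound FORWARD rule, regardless of what port it arrived on.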

