Question on iptables and forwarding inward
Jeff Kinz
jkinz at kinz.org
Sat Sep 10 13:56:01 EDT 2005
Hi Star, please don't top-post; it makes it harder to understand what
you are saying. For example, what are you referring to below when you
say "That's the hope"? (Yes, I can guess this time, but the
reason for the time-honored tradition of bottom posting is that it
produces a more understandable and more condensed dialog stream.)
On Sat, Sep 10, 2005 at 01:22:16PM -0400, Star wrote:
> That's the hope, yes, as I do run a couple of other services (smtp, http(s))
> via port forwarding.
>>>>MOVED TO INDICATE what I think you're replying to.
> On 9/10/05, Jeff Kinz <jkinz at kinz.org> wrote:
> > On Sat, Sep 10, 2005 at 12:09:31PM -0400, Star wrote:
> > > I've got a server sitting inside my firewall (netfilter/iptables)
> > > and I need to make it completely accessible to clients coming from
> > > specific subnets. I've used iptables for NATing and other uses
> > > from the inside out, but not for coming outside in, and since it's
> > > a windows box, I'd like to limit it so that only a couple of
> > > known networks can get access to it. Port forwarding is ~doable~
> > > but with all the services, I'm hoping to avoid a chain that long.
> > OK, win server sitting inside (behind) an iptables firewall
> >
> > Allow some external (outside) network address ranges(subnets)
> > to have "some" access to the win server?
> That's the hope, yes, as I do run a couple of other services (smtp, http(s))
> via port forwarding.
Star: the next two paragraphs are what I think is a solution to your
goals. Do you need more specific examples?
> > You use net masks on the INPUT chain to specify "ACCEPT" on
> > the net address ranges you want to let in, and you can even specify port
> > ranges (which map to services) to further refine the access.
> >
> > My assumption here is that all other traffic is to be either rejected
> > or sent to some other system on the internal LAN?
--
speech recognition software was used in the composition of this e-mail
Jeff Kinz, Emergent Research, Hudson, MA.
¡Ya no mas!
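As an added illustration of the approach discussed in this thread (not code from either poster): a script that emits the iptables rules to DNAT a few ports to the inside Windows box while admitting only the listed source subnets, and uses `-m multiport` so the chain stays short. Because the packets are destined for the inside host rather than the firewall, the filtering happens in the FORWARD chain; all interface names, addresses and subnets below are assumed placeholder values (RFC 5737 documentation ranges).

```shell
#!/bin/sh
# Constructed example: generate (not apply) iptables rules that forward
# selected TCP ports to an internal server and only admit clients from
# the listed subnets.  Every value here is an assumed placeholder.
WAN_IF="eth0"
WAN_IP="203.0.113.5"                        # firewall's public address
WIN_SRV="192.168.1.10"                      # the inside Windows server
ALLOWED_NETS="198.51.100.0/24 192.0.2.0/24" # client subnets to admit
PORTS="25,80,443"                           # smtp, http, https

# Print the rules so they can be reviewed (or piped to sh as root)
# without touching the live firewall.
gen_rules() {
    # Default-deny for forwarded traffic; replies to established flows pass.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for net in $ALLOWED_NETS; do
        # DNAT keeps the original destination port when --to-destination
        # names only an address, so one rule covers all listed ports.
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -s $net -d $WAN_IP -p tcp -m multiport --dports $PORTS -j DNAT --to-destination $WIN_SRV"
        # The rewritten packet must still be allowed through FORWARD.
        echo "iptables -A FORWARD -i $WAN_IF -s $net -d $WIN_SRV -p tcp -m multiport --dports $PORTS -m state --state NEW -j ACCEPT"
    done
    # Anything else aimed at the server is logged, then hits the DROP policy.
    echo "iptables -A FORWARD -d $WIN_SRV -j LOG --log-prefix 'win-srv-denied: '"
}

# Number of rule lines produced: 2 fixed + 2 per subnet + 1 log line.
count_rules() {
    gen_rules | wc -l | tr -d ' '
}

gen_rules
```

Run it, read the output, and only then feed it to the firewall; the ESTABLISHED,RELATED rule is what lets the server's replies back out without opening anything further.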