Question on iptables and forwarding inward

Jeff Kinz jkinz at kinz.org
Sat Sep 10 13:56:01 EDT 2005


Hi Star, please don't top-post; it makes it harder to understand what
you are saying.  For example, what are you referring to below when you
say "That's the hope"?  (Yes, I can guess this time, but the
reason for the time-honored tradition of bottom posting is that it
produces a more understandable and more condensed dialog stream.)

On Sat, Sep 10, 2005 at 01:22:16PM -0400, Star wrote:
> That's the hope, yes, as I do run a couple of other services (smtp, http(s)) 
> via port forwarding.
>>>>MOVED TO INDICATE what I think You're replying to.

> On 9/10/05, Jeff Kinz <jkinz at kinz.org> wrote:
> > On Sat, Sep 10, 2005 at 12:09:31PM -0400, Star wrote:
> > > I've got a server sitting inside my firewall (netfilter/iptables)
> > > and I need to make it completely accessible to clients coming from
> > > specific subnets. I've used iptables for NATing and other uses
> > > from the inside out, but not for coming outside in, and since it's
> > > a Windows box, I'd like to limit it so that only a couple of
> > > known networks can get access to it. Port forwarding is ~doable~
> > > but with all the services, I'm hoping to avoid a chain that long.


> > OK, win server sitting inside (behind) an iptables firewall
> > 
> > Allow some external (outside) network address ranges(subnets)
> > to have "some" access to the win server?

> That's the hope, yes, as I do run a couple of other services (smtp, http(s)) 
> via port forwarding.

Star: the next two paragraphs are what I think is a solution to your
goals.  Do you need more specific examples?

> > You use net masks on the INPUT chain to specify "ACCEPT" on
> > the net address ranges you want to let in, and you can even specify port
> > ranges (which map to services) to further refine the access.
> > 
> > My assumption here is that all other traffic is to be either rejected
> > or sent to some other system on the internal LAN?

-- 
speech recognition software was used in the composition of this e-mail
Jeff Kinz, Emergent Research, Hudson, MA.
¡Ya no mas!
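An added example (not from Jeff's or Star's messages) of the rule set the reply above sketches: let only a couple of trusted source subnets reach the internal server, and only on the service ports, with everything else from outside dropped. Jeff's reply names the INPUT chain, which is the chain for services running on the firewall host itself; when the server is a separate box behind the firewall, as in Star's case, the packets are DNATed in nat/PREROUTING and then traverse the FORWARD chain, so the source-subnet filter is applied there. All addresses, the interface name and the port list are constructed placeholders (the subnets are RFC 5737 documentation ranges). The script defaults to a dry-run mode that prints the iptables commands instead of applying them, so it can be reviewed on any machine without root; set DRYRUN=0 on the firewall to apply them.

```shell
#!/bin/sh
# Added example: restrict an internal server behind an iptables NAT box to
# a few trusted source subnets and ports.  Values are assumptions/placeholders.

WAN_IF="${WAN_IF:-eth0}"                    # assumed internet-facing interface
SERVER="${SERVER:-192.168.1.10}"            # assumed internal Windows server
TRUSTED_NETS="${TRUSTED_NETS:-203.0.113.0/24 198.51.100.0/24}"  # constructed
PORTS="${PORTS:-445,3389}"                  # assumed service ports (SMB, RDP)

# Dry-run by default: print the rules rather than load them.
IPT="${IPT:-iptables}"
[ "${DRYRUN:-1}" = 1 ] && IPT="echo iptables"

gen_rules() {
    # For each trusted subnet:
    #  1. DNAT packets arriving on the WAN side for the service ports to the
    #     internal server (nat table, PREROUTING).
    #  2. Permit the forwarded packets, matched on source subnet, destination
    #     host and ports (filter table, FORWARD).  New connections only; replies
    #     are covered by the single ESTABLISHED,RELATED rule below.
    for net in $TRUSTED_NETS; do
        $IPT -t nat -A PREROUTING -i "$WAN_IF" -s "$net" -p tcp \
            -m multiport --dports "$PORTS" -j DNAT --to-destination "$SERVER"
        $IPT -A FORWARD -i "$WAN_IF" -s "$net" -d "$SERVER" -p tcp \
            -m multiport --dports "$PORTS" -m state --state NEW -j ACCEPT
    done
    # Return traffic for connections already allowed.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Default for anything else crossing the box: drop.  Untrusted sources
    # never match a DNAT rule, so their packets are not even redirected.
    $IPT -P FORWARD DROP
}

gen_rules
```

Each additional trusted subnet costs two rules rather than one per service, because `-m multiport` packs the port list into a single match; keeping the default FORWARD policy at DROP is what makes the per-subnet ACCEPT rules meaningful.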


