Hi all,

Is it possible to just forward a port to a local computer but not give open access for that port? If I've understood right, this rule does give ACCESS from net to loc too:

DNAT net loc:192.168.1.5 udp 7777

What I'm trying to say is that it would work so that everything that's coming from net to that local computer's port is DROPed or REJECTed if it's not requested by the local computer.

About shorewall 1.3.1: it's great and easy to use. I'm happy that the norfc1918 file is implemented now... Excellent job. :)

Any help greatly appreciated

-Vesa Vestman
> Is it possible to just forward port to local computer
> but not give open access for that port?
> If I've understood right that this rule does give
> ACCESS from net to loc too:
> DNAT net loc:192.168.1.5 udp 7777

This DNAT rule allows Internet hosts to initiate an inbound session. If I understand your next paragraph correctly, you don't want that.

> What I'm trying to say is that it would work so that
> everything that's coming from net to that local
> computers port is DROPed or REJECTed if it's not
> requested by local computer.

All you should need is the default stateful inspection policy and the suggested minimal NAT setup (set eth0 ---- eth1 in the masq file), which will allow the internal server to initiate outbound sessions on any port and allow inbound response traffic on the same port for those sessions via stateful inspection. If you also want to limit the internal server's outbound traffic to _only_ udp port 7777, you'll need to add more rules. Unless you have trojan horse programs taking over your server and hitting outside machines, you probably don't need or want to restrict outbound requests that much.
BTW, I should not have referred to your internal machine as a "server". You just called it a "local computer". Contrary to the implication of "server", I understood you to mean your local computer is _not_ intended to be a public server at all, and should not respond to requests initiated from the Internet. Sorry for any confusion I might have added with that.
On Tue, 4 Jun 2002, Vesa Vestman wrote:

> Is it possible to just forward port to local computer
> but not give open access for that port?
> If I've understood right that this rule does give
> ACCESS from net to loc too:
> DNAT net loc:192.168.1.5 udp 7777
>
> What I'm trying to say is that it would work so that
> everything that's coming from net to that local
> computers port is DROPed or REJECTed if it's not
> requested by local computer.
>

What problem are you trying to solve? Normally, your local host would send a UDP request packet to a well-known port at some host on the net, and that host would reply with a reply packet containing a source port = <the well-known port> and the destination port = <local port from original request>. Netfilter connection tracking together with ESTABLISHED rules (which Shorewall creates automatically) would be enough to avoid having to include any inbound rules to accommodate the reply packets.

If the application that you are running follows some other convention, then either custom connection-tracking and nat modules are required for that application (FTP is a classic example) or you are going to have to use the type of port forwarding rule that you have shown above (I have such a rule to handle ICQ chat and file transfer requests).

> About that shorewall 1.3.1 it's great and easy to use.
> I'm happy that norfc1918 file is implemented now...
> Excellent job. :)
>

Thanks,
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
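The point both replies make, modelled as an added example that is not from this thread or from Shorewall itself: a tiny simulation of the default loc->net ACCEPT / net->loc DROP policy with netfilter-style connection tracking, showing that a reply to an outbound UDP request (reversed 4-tuple) is accepted as ESTABLISHED without any inbound rule, while only a DNAT rule lets an unsolicited Internet host reach 192.168.1.5:7777. The firewall class, the helper names and the peer addresses are hypothetical and constructed for the example; it treats DNAT as already having rewritten the destination to the internal address and never expires UDP entries.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# One tracked UDP flow: (src_ip, src_port, dst_ip, dst_port) of the first packet.
Flow = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    """Hypothetical model of Shorewall's default policy plus conntrack."""

    def __init__(self, local_prefix: str, dnat_ports: Set[int] = frozenset()):
        self.local_prefix = local_prefix          # e.g. "192.168.1."
        self.dnat_ports = set(dnat_ports)         # inbound ports opened by DNAT rules
        self.conntrack: Set[Flow] = set()         # outbound flows seen so far

    def filter(self, pkt: Packet) -> str:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.src_ip.startswith(self.local_prefix):
            # loc -> net: policy ACCEPT; conntrack remembers the flow so the
            # reply (reversed 4-tuple) will match as ESTABLISHED.
            self.conntrack.add(flow)
            return "ACCEPT (loc->net policy)"
        if reverse in self.conntrack:
            return "ACCEPT (ESTABLISHED reply)"
        if pkt.dst_port in self.dnat_ports:
            return "ACCEPT (DNAT rule: unsolicited inbound session)"
        return "DROP (net->loc policy)"


def demo(with_dnat: bool) -> List[str]:
    """Same three packets, with and without 'DNAT net loc:192.168.1.5 udp 7777'."""
    fw = StatefulFirewall("192.168.1.", {7777} if with_dnat else set())
    lan, peer, stranger = "192.168.1.5", "203.0.113.10", "198.51.100.7"  # constructed
    return [
        fw.filter(Packet(lan, 7777, peer, 7777)),       # local host's request
        fw.filter(Packet(peer, 7777, lan, 7777)),       # peer's reply: ESTABLISHED
        fw.filter(Packet(stranger, 40000, lan, 7777)),  # unsolicited: DNAT only
    ]


if __name__ == "__main__":
    print("without DNAT:", demo(False))
    print("with DNAT:   ", demo(True))
```

Only the third packet changes between the two runs, which is exactly the inbound access the original poster wanted to avoid.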