Micha Silver wrote:
> Just curious:
> When I do 'shorewall show <a chain>', some of the rules have 'ctorigdst' at
> the end, with an IP address. The IP is the original destination in a DNAT
> rule.
> Seems to be the same format as 'shorewall show nat' which gives the original
> dst as ...to:<original IP>, but without that cryptic 'ctorigdst'.
> Does it mean something?
As has been often mentioned on this list, a DNAT rule generates two
Netfilter/iptables rules:

a) A DNAT rule in the 'nat' table.
b) An ACCEPT rule in the 'filter' table.

The ACCEPT rule is evaluated after the DNAT rule and hence has the
server's IP address as the destination. Unless special measures are
taken, this accept rule would allow the DNAT rule to be bypassed and
people in the source zone would be able to access the server directly
(although in most cases, 'norfc1918' could be used to prevent
such access).

If your kernel has 'connection tracking match' support, Shorewall
augments the ACCEPT rule as you are seeing in the iptables output (for
query commands, /sbin/shorewall is just a thin wrapper around iptables
and other standard utilities). To understand what 'ctorigdst'
does, see:

"man iptables"
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
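The bypass Tom describes can be checked for mechanically: for every DNAT rule in the nat table, the matching ACCEPT rule in the filter table should carry a conntrack match on the original destination ('--ctorigdst' in iptables-save syntax, shown as 'ctorigdst' by 'iptables -L'). The script below is an added example written for this thread, not code from Shorewall or from the list; the ruleset it inspects is constructed, the chain name 'net-loc' and the addresses are assumptions, and it reads iptables-save format rather than the 'shorewall show' listing.

```python
"""Audit DNAT rules against their companion filter ACCEPT rules.

For each '-j DNAT' rule in the nat table, find the filter ACCEPT rule(s)
addressed to the translated (internal) destination and report whether
they are qualified with '-m conntrack --ctorigdst <original dst>'.
Without that match the internal server is reachable from the source
zone directly, bypassing the DNAT entry.

Added example; SAMPLE_RULESET is constructed and the chain name 'net-loc'
is an assumption, not output from a real host.
"""

import shlex
from typing import Dict, List, Tuple

# Constructed iptables-save excerpt: two DNAT rules, one ACCEPT that is
# properly restricted with ctorigdst and one that is not.
SAMPLE_RULESET = """\
*nat
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.5:80
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.6:25
COMMIT
*filter
-A net-loc -d 10.0.0.5/32 -p tcp -m tcp --dport 80 -m conntrack --ctorigdst 203.0.113.10 -j ACCEPT
-A net-loc -d 10.0.0.6/32 -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
"""


def parse_rules(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Return {table: [rule, ...]} for every '-A' line in an iptables-save
    dump.  Each rule maps option names (dashes stripped) to their value;
    a flag that takes no value maps to ''.  Later '-m' occurrences
    overwrite earlier ones, which is fine because only named options
    (d, dport, j, to-destination, ctorigdst) are inspected."""
    tables: Dict[str, List[Dict[str, str]]] = {}
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, [])
            continue
        if table is None or not line.startswith("-A"):
            continue
        tokens = shlex.split(line)
        rule: Dict[str, str] = {}
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok.startswith("-"):
                key = tok.lstrip("-")
                nxt = tokens[i + 1] if i + 1 < len(tokens) else None
                if nxt is not None and not nxt.startswith("-"):
                    rule[key] = nxt
                    i += 2
                else:
                    rule[key] = ""
                    i += 1
            else:
                i += 1  # skip stray tokens such as '!' negation markers
        tables[table].append(rule)
    return tables


def strip_mask(addr: str) -> str:
    """'10.0.0.5/32' -> '10.0.0.5'; other forms are returned unchanged."""
    return addr.split("/")[0]


def check_dnat_accepts(text: str) -> List[Tuple[str, str, str]]:
    """Report (original_dst, translated_dst, verdict) for every filter
    ACCEPT rule that admits traffic to a DNAT target.  'restricted' means
    the ACCEPT carries --ctorigdst equal to the DNAT rule's original
    destination; 'bypassable' means it does not."""
    tables = parse_rules(text)
    findings: List[Tuple[str, str, str]] = []
    for nat in tables.get("nat", []):
        if nat.get("j") != "DNAT" or "to-destination" not in nat:
            continue
        orig_dst = strip_mask(nat.get("d", "0.0.0.0/0"))
        dest, _, port = nat["to-destination"].partition(":")
        for flt in tables.get("filter", []):
            if flt.get("j") != "ACCEPT":
                continue
            if strip_mask(flt.get("d", "")) != dest:
                continue
            # An ACCEPT without --dport covers every port, so keep it.
            if port and flt.get("dport") not in (None, port):
                continue
            verdict = "restricted" if flt.get("ctorigdst") == orig_dst else "bypassable"
            findings.append((orig_dst, nat["to-destination"], verdict))
    return findings


if __name__ == "__main__":
    for orig, xlated, verdict in check_dnat_accepts(SAMPLE_RULESET):
        print(f"DNAT {orig} -> {xlated}: filter ACCEPT is {verdict}")
```

On a live host the same check can be run over the output of 'iptables-save' instead of the constructed sample; a 'bypassable' verdict is exactly the situation the reply describes, where the filter ACCEPT lets the internal address be reached without passing through the nat-table DNAT rule.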