Firewall Wizards mailing list archives

Re: IPtables + PCAnywhere


From: Ionut Boldizsar <ionut () prolinux ro>
Date: Thu, 06 May 2004 01:38:14 +0300

On Tue, 2004-05-04 at 13:35, Wellington Lopes Moraes wrote:
> Hi there! I'm beginning to work with iptables and I got a big problem...
>
> I have the following situation:
>
> - A server with 2 network interfaces (eth0 and eth1) as follows:
>
> LAN_IP="192.168.0.21"
> LAN_IFACE="eth0"
>
> INET_IP="192.168.7.106"
> INET_IFACE="eth1"
>
> PCANY="192.168.0.32" (computer that has PCAnywhere).
>
> I have 1 computer on the LAN interface that has PCAnywhere installed, and I
> need to make sure that this computer can access and be accessed by other
> computers via PCAnywhere.

Your firewall ruleset is _huge_. And do not get me wrong, but this is
far from being all right.

First, you have a lot of drops there, and this is not the way things
should be done. I would suggest you remove all the lines with a DROP
target. For this you have the so-called "catch-all rule", which
basically is a single drop rule at the end of the ruleset.

Then, you should optimize your ruleset. This means that you should move
the rules describing intense traffic higher in the hierarchy, because
rules are read from top to bottom, in order. You can save some CPU cycles
by doing this.

Regarding your particular question, I am not sure that you should DNAT
connections to that PCANY host. Couldn't you just route them, and allow
them in the FORWARD chain? In your topology, I see no reason for
NAT-ing the connections.

Hope this helps (a little),

--
Ionut Boldizsar, CCSE+
technical manager
ProVision, Security Expert Center



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
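The three points of the reply (one catch-all DROP instead of many, busiest rules first, route-and-allow in FORWARD instead of DNAT) put together as an added example for the topology in the question. This script is not from the thread or from either poster; it assumes PCAnywhere's standard ports (TCP 5631 and UDP 5632, not stated in the thread), that both sides are /24 networks, and that a single management rule (SSH from the LAN) is the only new traffic the firewall itself accepts. Run it with `apply` as root to load the rules; without an argument it only prints them.

```shell
#!/bin/sh
# Added example, not from the original thread. Minimal iptables ruleset for
# the eth0/eth1 box in the question, following the advice in the reply:
#  - no per-service DROP lines; one catch-all DROP at the end of each chain
#  - ESTABLISHED,RELATED first, because rules are matched top to bottom
#  - the PCAnywhere host is plainly routed and allowed in FORWARD, no DNAT
# Assumptions (not in the thread): PCAnywhere uses TCP 5631 / UDP 5632,
# both networks are /24, and SSH from the LAN is the only service on the box.

IPT="${IPT:-iptables}"      # set IPT="echo iptables" to print instead of load

LAN_IP="192.168.0.21"
LAN_IFACE="eth0"
LAN_NET="192.168.0.0/24"    # assumption
INET_IP="192.168.7.106"
INET_IFACE="eth1"
PCANY="192.168.0.32"
PCANY_TCP=5631              # assumption: PCAnywhere data port
PCANY_UDP=5632              # assumption: PCAnywhere status port

load_ruleset() {
    # Start from a clean table.
    $IPT -F
    $IPT -X
    $IPT -t nat -F

    # Default policies. The policy already drops what nothing matched; the
    # explicit final DROP below is the catch-all rule (it keeps a counter).
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # --- INPUT: traffic to the firewall itself ---
    $IPT -A INPUT -i lo -j ACCEPT
    # Most packets belong to existing connections, so this rule goes first.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Management access from the LAN only (assumed service).
    $IPT -A INPUT -i "$LAN_IFACE" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # Catch-all: the single DROP rule for this chain.
    $IPT -A INPUT -j DROP

    # --- FORWARD: traffic routed between eth0 and eth1 ---
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts (PCANY included) may initiate anything towards the other side.
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    # Inbound PCAnywhere to the one host: routed, no DNAT needed since both
    # sides see the real 192.168.0.32 address.
    $IPT -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -d "$PCANY" \
        -p tcp --dport "$PCANY_TCP" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -d "$PCANY" \
        -p udp --dport "$PCANY_UDP" -j ACCEPT
    # Catch-all for FORWARD.
    $IPT -A FORWARD -j DROP
}

case "${1:-}" in
    apply)
        echo 1 > /proc/sys/net/ipv4/ip_forward   # routing between eth0/eth1
        load_ruleset
        ;;
    *)
        IPT="echo iptables"                       # dry run: print the rules
        load_ruleset
        ;;
esac
```

The DNAT the original poster was writing would only be needed if the outside world had to reach PCANY through the firewall's own address (INET_IP); with two directly routed RFC 1918 networks, a FORWARD rule per port and a route on the other side are enough.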
