Firewall Wizards mailing list archives
Re: IPtables + PCAnywhere
From: Ionut Boldizsar <ionut () prolinux ro>
Date: Thu, 06 May 2004 01:38:14 +0300
On Tue, 2004-05-04 at 13:35, Wellington Lopes Moraes wrote:
> Hi there! I'm beginning to work with iptables and I got a big problem...
> I have the following situation:
>
> - A server with 2 network interfaces (eth0 and eth1) as follows:
>
>   LAN_IP="192.168.0.21"
>   LAN_IFACE="eth0"
>   INET_IP="192.168.7.106"
>   INET_IFACE="eth1"
>   PCANY="192.168.0.32" (computer that has PCAnywhere)
>
> I have 1 computer in the LAN interface that has PCAnywhere installed, and I
> need to make sure that this computer can access and be accessed by other
> computers via PCAnywhere.

Your firewall ruleset is _huge_. And do not get me wrong, but this is far from being all right.

First, you have a lotta drops there, and this is not the way things should be done. I would suggest that you remove all the lines with the DROP target. For this you have the so-called "catch-all rule", which basically is a single drop rule at the end of the ruleset.

Then, you should optimize your ruleset. This means that you should move higher in the hierarchy the rules describing intense traffic, because rules are read from top to bottom, in order. You can save some CPU cycles by doing this.

Regarding your particular question, I am not sure that you should DNAT connections to that pcany host. Couldn't you just route them, and allow them in the forward chain?... In your topology, I see no reason for NAT-ing the connections.

Hope this helps (a little),

--
Ionut Boldizsar, CCSE+
technical manager
ProVision, Security Expert Center
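
The three suggestions in the reply above (one catch-all DROP as the last rule, the busiest rule first, routing plus FORWARD rules instead of DNAT), written out as a FORWARD chain. This is an added example and not part of the original thread. The interface names and host address are the ones quoted in the question; the ports (5631/tcp and 5632/udp, the pcAnywhere defaults), the use of the conntrack match, and the premise that IP forwarding is enabled and remote hosts have a route to the LAN are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Interface names and the host address are the values quoted in the question.
LAN_IFACE="eth0"
INET_IFACE="eth1"
PCANY="192.168.0.32"
# Assumption: pcAnywhere listens on its default ports.
PCA_DATA_TCP=5631
PCA_STATUS_UDP=5632

# Dry run by default: each rule is printed instead of applied.
# Run with IPT=iptables (as root) to load the rules.
IPT="${IPT:-echo iptables}"

forward_rules() {
    $IPT -F FORWARD

    # 1. Busiest match first: packets of connections already accepted.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 2. New sessions from outside to the pcAnywhere host, routed (no DNAT).
    $IPT -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -d "$PCANY" \
        -p tcp --dport "$PCA_DATA_TCP" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -d "$PCANY" \
        -p udp --dport "$PCA_STATUS_UDP" -m conntrack --ctstate NEW -j ACCEPT

    # 3. New sessions from the pcAnywhere host to remote pcAnywhere hosts.
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$PCANY" \
        -p tcp --dport "$PCA_DATA_TCP" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$PCANY" \
        -p udp --dport "$PCA_STATUS_UDP" -m conntrack --ctstate NEW -j ACCEPT

    # 4. Catch-all: the only DROP in the chain, and the last rule.
    $IPT -A FORWARD -j DROP
}

forward_rules
```

With no DNAT rule, hosts on the eth1 side address 192.168.0.32 directly, so they need a route to the LAN through the firewall's eth1 address.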