Re: FW: DNAT SSH
- From: "nilesh vaghela" <nileshj.vaghela@xxxxxxxxx>
- Date: Thu, 31 Jan 2008 13:08:43 +0530
I think the following can work.
1. -t nat -A PREROUTING -p tcp -s 0.0.0.0/0 --dport 5000 -j DNAT --to-destination :22
   -t nat -A PREROUTING -p tcp -s subnet --dport 5000 -j DNAT --to-destination :22
This will do NAT only for the subnet.
Thanks.
FILTER INPUT chain:
2. -A INPUT -p tcp -s subnet --dport 22 -j ACCEPT
3. all others -j REJECT
The problem is that the packet arrives on 5000 and is NATed to 22 correctly (1. - all good so far), but because its source IP is not in the local subnet (defined in 2.), it is rejected in the filter INPUT chain (3).
So I'm thinking of something like the following:
a. Can the packet bypass the INPUT filter chain?
b. How can I identify my NATed packet within the INPUT filter chain and thus ACCEPT it?
Regards,
Geofrey Rainey.
==========================================================
For more information on the Television New Zealand Group, visit us
online at tvnz.co.nz
==========================================================
CAUTION: This e-mail and any attachment(s) contain information that
is intended to be read only by the named recipient(s). This information
is not to be used or stored by any other person and/or organisation.
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
--
Nilesh Vaghela
ElectroMech
Redhat Channel Partner and Training Partner
74, Nalanda Complex, Satellite Rd, Ahmedabad
25, The Emperor, Fatehgunj, Baroda.
www.electromech.info
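An added example, not code from either poster, of the rule set the quoted question is after. On question (a): a packet delivered to the local host always traverses nat PREROUTING, then the routing decision, then filter INPUT, so the DNAT target cannot take it out of INPUT's path. On question (b): INPUT can recognise the rewritten connection from the conntrack entry it already carries. `-m conntrack --ctstate DNAT` matches a connection whose original destination differs from its reply source, and `--ctorigdstport` narrows that to the port the client actually dialled (that option needs a newer iptables than some 2008-era builds shipped, so a second variant tags the packet in mangle PREROUTING with MARK and matches the mark in INPUT instead). The subnet 192.168.1.0/24, the ports 5000/22, the mark value 0x22 and the DRY_RUN switch are assumptions for illustration; without `apply` the script only prints the rules.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed values: LAN=192.168.1.0/24,
# public port 5000 forwarded to the local sshd on 22.
LAN="${LAN:-192.168.1.0/24}"
EXT_PORT="${EXT_PORT:-5000}"
SSH_PORT="${SSH_PORT:-22}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the rules, 0 = load them (needs root)

# Wrapper so the same functions can either print or apply a rule.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Variant 1: recognise the rewritten connection through conntrack.
# Path of a locally delivered packet: nat PREROUTING -> routing -> filter INPUT,
# so INPUT always sees it; conntrack still remembers the pre-DNAT destination port.
ssh_dnat_rules_conntrack() {
    # 1. rewrite dport 5000 -> 22 before the routing decision
    ipt -t nat -A PREROUTING -p tcp --dport "$EXT_PORT" -j DNAT --to-destination ":$SSH_PORT"
    # 2. the LAN may reach sshd directly on 22
    ipt -A INPUT -p tcp -s "$LAN" --dport "$SSH_PORT" -j ACCEPT
    # 2b. anyone whose connection was DNATed from 5000: original dport is 5000 in conntrack
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate DNAT --ctorigdstport "$EXT_PORT" -j ACCEPT
    # 3. everything else aimed at sshd (kept to port 22 so the example cannot lock you out)
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -j REJECT
}

# Variant 2: mangle PREROUTING runs before nat PREROUTING and still sees dport 5000,
# so mark the packet there and match the mark in INPUT; the nfmark survives the
# DNAT and the routing decision. Works with older iptables lacking --ctorigdstport.
ssh_dnat_rules_mark() {
    ipt -t mangle -A PREROUTING -p tcp --dport "$EXT_PORT" -j MARK --set-mark 0x22
    ipt -t nat -A PREROUTING -p tcp --dport "$EXT_PORT" -j DNAT --to-destination ":$SSH_PORT"
    ipt -A INPUT -p tcp -s "$LAN" --dport "$SSH_PORT" -j ACCEPT
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m mark --mark 0x22 -j ACCEPT
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -j REJECT
}

# Usage: sh dnat-ssh.sh [conntrack|mark] [apply]
case "${2:-print}" in apply) DRY_RUN=0 ;; esac
case "${1:-conntrack}" in
    mark) ssh_dnat_rules_mark ;;
    *)    ssh_dnat_rules_conntrack ;;
esac
```

After loading the rules, `iptables -t nat -L PREROUTING -n -v` and `iptables -L INPUT -n -v --line-numbers` show per-rule packet counters, so a test connection from outside the LAN to port 5000 should increment the DNAT rule and the conntrack (or mark) ACCEPT rule rather than the REJECT rule; `conntrack -L` (or `/proc/net/nf_conntrack`) shows the entry with the original dport 5000 and the reply sport 22.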