[ale] iptables question [long]

djinn djinn at djinnspace.com
Fri Aug 17 08:51:30 EDT 2001


Currently I've got a NAT/firewall machine with (obviously) an external
interface at 4.5.6.7 and an internal interface at 10.0.0.1.   It accepts
http and https requests, NATs them to appear to originate from 10.0.0.1,
and passes them to 10.0.0.2, my web server.

Two weeks ago when I was setting this up, it seemed to make perfect
sense.  Now I can't for the life of me figure out why I was forcing the
packets to appear as originating from 10.0.0.1 except that that was the
only way I could figure out to serve web requests from an internal IP.

Am I correct in thinking that 
a) the webserver is less safe accepting mangled packets than unmangled
ones?  (in other words, no matter what comes off of 10.0.0.1, my web
server is going to accept it if it's on allowed ports...so it doesn't
matter what the header says and not mangling allows for tracking of IPs
in the log files)
b) I can redirect the port 80/443 requests to the internal interface
instead of doing NAT?
c) I'm assuming that since IP masquerading is a totally different
operation, it won't be harmed by changing from NAT to forwarding.
d) I'm *hoping* that stateful inspection of packets won't be affected
either, because a lot of my firewall setup hinges on that.

If b) is correct, how do I do that with iptables?  Do I need to make any
modification to my stateful inspection rules?

Many thanks
jenn
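An added example, not part of jenn's post, showing what points (b) through (d) look like in iptables: plain DNAT in the nat table's PREROUTING chain for 80/443, stateful FORWARD rules that match the post-NAT destination, the unchanged MASQUERADE rule, and the one case (a LAN client browsing to the external address) where a source rewrite is still needed. The addresses are the ones from the post; the interface names eth0/eth1 and the LAN 10.0.0.0/24 are assumptions. By default the script only prints the rules it would load.

```shell
#!/bin/sh
# Added example (not from the original post): DNAT port forwarding for 80/443 with
# stateful filtering and no SNAT on external traffic, so the web server logs real
# client addresses.
# Addresses from the post: external 4.5.6.7, internal 10.0.0.1, web server 10.0.0.2.
# Assumptions: external interface eth0, internal interface eth1, LAN 10.0.0.0/24.
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
EXT_IP=4.5.6.7
INT_IP=10.0.0.1
LAN=10.0.0.0/24
WEB=10.0.0.2
WEB_PORTS="80 443"

# Dry run by default: rules are printed, not loaded. "--apply" uses the real binary.
IPTABLES=${IPTABLES:-echo iptables}

dnat_rules() {
    # nat/PREROUTING runs before the routing decision, so routing and the filter
    # table's FORWARD chain both see the rewritten destination (10.0.0.2). The
    # source address is untouched; conntrack remembers the mapping and reverses it
    # on the replies.
    for port in $WEB_PORTS; do
        $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport "$port" \
            -j DNAT --to-destination "$WEB"
    done
}

forward_rules() {
    # Stateful filtering is unaffected by the switch to DNAT. Match the post-NAT
    # destination here: a FORWARD rule written against -d 4.5.6.7 would never fire.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in $WEB_PORTS; do
        $IPTABLES -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$WEB" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    # LAN hosts may open connections outward; anything else that is forwarded is dropped.
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -m state --state NEW -j ACCEPT
    $IPTABLES -P FORWARD DROP
}

masq_rules() {
    # Masquerading of outbound LAN traffic lives in nat/POSTROUTING and does not change.
    # The nat table is only consulted for the first packet of a connection, so reply
    # packets of the DNATed web sessions never reach this rule.
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
}

hairpin_rules() {
    # The one case that still needs a source rewrite: a LAN client browsing to 4.5.6.7.
    # After DNAT the server sees a source on its own subnet and replies directly,
    # bypassing the firewall, so the client gets a reply from 10.0.0.2 for a connection
    # it opened to 4.5.6.7 and drops it. SNAT to 10.0.0.1 on this path only forces the
    # reply back through the firewall; external clients never match these rules.
    for port in $WEB_PORTS; do
        $IPTABLES -t nat -A PREROUTING -i "$INT_IF" -s "$LAN" -d "$EXT_IP" -p tcp --dport "$port" \
            -j DNAT --to-destination "$WEB"
        $IPTABLES -t nat -A POSTROUTING -o "$INT_IF" -s "$LAN" -d "$WEB" -p tcp --dport "$port" \
            -j SNAT --to-source "$INT_IP"
    done
}

all_rules() {
    dnat_rules
    forward_rules
    masq_rules
    hairpin_rules
}

case "${1:-}" in
    --show)  all_rules ;;                      # print the rules that would be loaded
    --apply) IPTABLES=iptables; all_rules ;;   # load them for real (needs root)
esac
```

Run it as `sh fw.sh --show` to review the generated rules and `sh fw.sh --apply` as root to load them; the script appends to the existing chains, so flush or adjust the old SNAT rules first. Newer iptables also accepts `-m conntrack --ctstate` in place of `-m state --state`; the behaviour is the same.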