[ale] Firewall design

Christopher Fowler cfowler at outpostsentinel.com
Wed Jun 1 09:25:20 EDT 2005


On Wed, 2005-06-01 at 09:07, James P. Kinney III wrote:

> So you have one real IP on the firewall box and virtual IP's that are
> directly routed to the real box's private IP.
> 
> "iptables -t nat -I PREROUTING -d <public IP> -j DNAT --to-destination
> <private IP>"
> 
> There will be no filtering at all on this.
> 
> Then add a back route:
> "iptables -t nat -I POSTROUTING -s <private IP> -j SNAT --to-source
> <public IP>"
> 
> It would be good to modify those rules by making a series of tables that
> filters out the crap before just routing all the bandwidth to the work
> machines.

That is an interesting idea. Does this have any limitations?
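The quoted DNAT/SNAT pair maps one public address onto one private host but, as the quoted post says, filters nothing. As an added example (not code from either poster), the script below emits an iptables-restore ruleset that does the same 1:1 mapping for a list of hosts and then adds a default-deny, stateful FORWARD chain that only lets the listed TCP ports through to each private host. Interface names, addresses and port lists are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the ALE thread: build an iptables-restore ruleset
# that combines the quoted 1:1 DNAT/SNAT mapping with a stateful filter.
# WAN_IF, LAN_IF, the addresses and the port lists are assumed placeholders.

WAN_IF="eth0"   # assumed public-facing interface
LAN_IF="eth1"   # assumed interface toward the work machines

# One mapping per line: <public IP> <private IP> <TCP ports allowed inbound>
# (constructed sample data)
MAPPINGS="
203.0.113.10 192.168.1.10 22,80,443
203.0.113.11 192.168.1.11 25
"

emit_ruleset() {
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "$MAPPINGS" | while read -r pub priv ports; do
        [ -z "$pub" ] && continue
        # Inbound: rewrite the public destination to the private host
        # (the quoted rule, restricted to the WAN interface)
        echo "-A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $priv"
        # Outbound: rewrite the private source back to its public address,
        # only on the WAN side so LAN-to-LAN traffic is left alone
        echo "-A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"
    done
    echo "COMMIT"

    echo "*filter"
    echo ":INPUT DROP [0:0]"
    # Default deny on FORWARD: the DNAT alone performs no filtering
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # Replies to already-accepted connections pass in both directions
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The work machines may initiate connections outward
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    echo "$MAPPINGS" | while read -r pub priv ports; do
        [ -z "$pub" ] && continue
        # FORWARD sees the packet after PREROUTING DNAT, so match on the
        # private address and only the service ports for that host
        echo "-A FORWARD -i $WAN_IF -o $LAN_IF -d $priv -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT"
    done
    # Log whatever falls through before the DROP policy takes it
    echo "-A FORWARD -j LOG --log-prefix \"FWD-DROP: \""
    echo "COMMIT"
}

# Usage: emit_ruleset > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
emit_ruleset
```

Loading the whole ruleset atomically with iptables-restore avoids the window in which the DNAT rules are in place but the FORWARD policy is still open, which is what you get when the rules are typed in one at a time.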
