[Firewall] DMZ-IP

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Tue Jan 20 16:56:54 CET 2009

Lonnie Abelbeck wrote:
> Arno,
> I think I have convinced myself that NAT_FORWARD will work to forward 
> otherwise denied traffic to a local DMZ-IP address.
> The problem is the NAT_FORWARD variable constantly needs to be adjusted 
> when OPEN_, HOST_OPEN_ or other NAT_FORWARD_'s are changed.  This now 
> becomes a maintenance issue.
> The idea is to have a single variable, possibly:
> FORWARD_DENIED="ip.add.re.ss"
> 1) One solution is to add the iptables DNAT/ACCEPT commands for all 
> udp/tcp ports (1:65535) to FORWARD_DENIED, in the appropriate chain such 
> that any OPEN_, HOST_OPEN_ or other NAT_FORWARD_'s have already matched, 
> thereby only matching the remainder.
> I don't know what chain that would be.

This doesn't work, as NAT is performed in the POST/PRE-routing chains. 
Only selective NAT-ing will allow this (as I previously suggested).
> 2)  A different approach would be to create a script (plugin) that 
> calculates what are the "$remainder" ports to forward to FORWARD_DENIED 
> that are not otherwise handled on the inbound EXTIF, and then 
> automatically calculate the NAT_FORWARD...
> and for UDP as well.
> This approach may be more difficult than it looks using shell script.

This would be way better, yes. But someone needs to write it, and at 
least I don't have the time nor the environment to do that at the moment...
> Lonnie
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl

Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
Arno's (Linux IPTABLES Firewall) Homepage:
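The "remainder" calculation from Lonnie's option 2, written out as a small POSIX sh example. It is added here and is not code from this thread or from Arno's firewall script; the variable names HANDLED_TCP, EXTIF and FORWARD_DENIED, and the "port" / "low:high" list format, are assumptions, and the DNAT rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example: compute the port ranges NOT already handled (OPEN_, HOST_OPEN_,
# NAT_FORWARD_ style entries) so that only the remainder is DNAT'ed to the
# FORWARD_DENIED host. Entries are "port" or "low:high" (assumed format).

# remainder_ranges "22 80 443 1000:1010" -> prints the gaps in 1:65535,
# one "low:high" per line, ordered and with overlapping entries merged.
remainder_ranges() {
  used="$1"
  for entry in $used; do
    case "$entry" in
      *:*) lo=${entry%%:*}; hi=${entry##*:} ;;
      *)   lo=$entry;       hi=$entry ;;
    esac
    echo "$lo $hi"
  done | sort -n -k1,1 -k2,2 | awk '
    BEGIN { next_free = 1 }
    {
      lo = $1; hi = $2
      # A gap exists if this entry starts after the first unused port.
      if (lo > next_free) printf "%d:%d\n", next_free, lo - 1
      if (hi + 1 > next_free) next_free = hi + 1
    }
    END { if (next_free <= 65535) printf "%d:%d\n", next_free, 65535 }'
}

# Print (do not run) one PREROUTING DNAT rule per remaining range.
# Since NAT happens in PREROUTING, the complement must be computed up front;
# it cannot be left to "whatever the filter chains did not match".
dnat_remainder_rules() {
  proto="$1"; handled="$2"; extif="$3"; target="$4"
  remainder_ranges "$handled" | while read -r range; do
    echo "iptables -t nat -A PREROUTING -i $extif -p $proto" \
         "--dport $range -j DNAT --to-destination $target"
  done
}

# Constructed demo values (not from any real configuration):
EXTIF=eth0
FORWARD_DENIED=192.168.1.10
HANDLED_TCP="22 80 443 1000:1010"
dnat_remainder_rules tcp "$HANDLED_TCP" "$EXTIF" "$FORWARD_DENIED"
```

Run the same function with `udp` and the UDP list to cover both protocols, as Lonnie's note asks for.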