[Firewall] Self-connect possible?

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Fri Mar 19 08:37:25 CET 2010


Nope, it's not opened to the internet, as long as you don't add the 
ports to e.g. OPEN_TCP. The reason is that the connection is "routed" via 
the PREROUTING chain, not the INPUT chain...

a.

Roland Haeder wrote:
> On Thu, 2010-03-18 at 18:05 +0100, Arno van Amersfoort wrote:
>> You can also use the DNAT plugin to fix this....
> But then my whole box is opened to the Internet, right? I would prefer
> the more restrict approach with bandwidth limitation (traffic shaper)
> because of my ADSL link.
> 
> BTW: Here is my shaper config:
> ======================================================
> # ------------------------------------------------------------------------------
> #           -= Arno's iptables firewall - Traffic-Shaper plugin =-
> # ------------------------------------------------------------------------------
> 
> # To actually enable this plugin make ENABLED=1:
> # ------------------------------------------------------------------------------
> ENABLED=0
> 
> # The next three parameters need to be configured.  The rest can be used
> # as is, unless you have particular requirements.  (These should be globals)
> # ------------------------------------------------------------------------------
> DOWNLINK=800
> UPLINK=64
> 
> # Specify qdisc type: htb (default) or hfsc
> SHAPER_TYPE="htb"
> 
> # Most users can leave the port classification as is.  The notation signifies
> # the destination port on *outbound* traffic.  Ports are prefixed by 'u' for
> # UDP and 't' for TCP.  Ranges are given as 5060:5064.
> #
> # Additionally, UDP packets tagged with DSCP classes EF, CS3, AF21 and AF31
> # will be automatically placed with the proper priority.
> # ------------------------------------------------------------------------------
> 
> SHAPER_STREAMINGMEDIA_PORTS="u4569 u1720 u1731 t25 t110 t8080"
> 
> # t80 t443
> SHAPER_INTERACTIVE_PORTS="u53 t22 u1194 t3389 u5060:5064 t5900 t6418"
> 
> SHAPER_BULKDATA_PORTS="t20 t21 t137:139 u137:139 t143 t465 t515 t993"
> ======================================================
> I disabled it because the connection got very slow (e.g. to port
> 80/443). I would like to have good "performance" on receiving data on
> port 8080 (forwarded to 192.168.1.17) and still have good out-going
> traffic to port 80/443 because YaCy is a search engine (with
> crawler).
> 
> Roland
> 

-- 
Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
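The point in Arno's reply, that a forwarded connection is rewritten in PREROUTING and then takes the FORWARD path rather than INPUT, so it does not open the firewall box itself, is easiest to see by tracing the netfilter path a packet takes. The following is an added example written for this archive page, not code from Arno's firewall script; the addresses, the `OPEN_TCP`/`DNAT_TCP` sets and the per-chain policies are constructed assumptions that mirror the variable names used in the thread. It also covers the "self-connect" case a LAN host hits when it reaches the forwarded port through the public address:

```python
"""Toy model of the netfilter path taken by a packet arriving at the firewall.

Added illustration for the thread; not part of Arno's iptables firewall.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed sample topology (documentation address ranges only).
EXT_IP = "203.0.113.10"                     # firewall's public address (assumed)
LAN_IP = "192.168.1.1"                      # firewall's LAN address (assumed)
LAN = ip_network("192.168.1.0/24")
LOCAL_ADDRS = {EXT_IP, LAN_IP}              # addresses owned by the firewall box itself

# Assumed policy knobs, named after the variables mentioned in the thread:
OPEN_TCP = {80, 443}                        # TCP ports the box itself accepts in INPUT
DNAT_TCP = {8080: ("192.168.1.17", 8080)}   # port forwards applied in PREROUTING


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def prerouting(pkt):
    """nat PREROUTING runs before the routing decision and may rewrite the destination."""
    target = DNAT_TCP.get(pkt.dport) if pkt.proto == "tcp" else None
    if target is None:
        return pkt, False
    return replace(pkt, dst=target[0], dport=target[1]), True


def routing_decision(pkt):
    """A packet for one of the box's own addresses goes to INPUT, anything else to FORWARD."""
    return "INPUT" if pkt.dst in LOCAL_ADDRS else "FORWARD"


def input_chain(pkt):
    """INPUT: LAN hosts may talk to the box; the internet only on OPEN_TCP ports."""
    if ip_address(pkt.src) in LAN:
        return "ACCEPT"
    return "ACCEPT" if pkt.proto == "tcp" and pkt.dport in OPEN_TCP else "DROP"


def forward_chain(pkt, dnated):
    """FORWARD: only LAN-originated traffic and explicitly DNAT'ed connections pass."""
    return "ACCEPT" if dnated or ip_address(pkt.src) in LAN else "DROP"


def needs_hairpin_snat(pkt, dnated):
    """A LAN client reaching a forwarded port via the public address ends up with src
    and dst both inside the LAN. Without SNAT in POSTROUTING the server answers the
    client directly, the reply bypasses the firewall's NAT state, and the TCP
    handshake never completes."""
    return dnated and ip_address(pkt.src) in LAN and ip_address(pkt.dst) in LAN


def trace(pkt):
    """Follow one packet through PREROUTING, the routing decision and INPUT/FORWARD."""
    pkt, dnated = prerouting(pkt)
    chain = routing_decision(pkt)
    if chain == "INPUT":
        verdict = input_chain(pkt)
        snat = False
    else:
        verdict = forward_chain(pkt, dnated)
        snat = verdict == "ACCEPT" and needs_hairpin_snat(pkt, dnated)
    return {"chain": chain, "verdict": verdict, "dnat": dnated,
            "final_dst": f"{pkt.dst}:{pkt.dport}", "hairpin_snat": snat}


if __name__ == "__main__":
    for p in (Packet("198.51.100.7", EXT_IP, 8080),   # internet -> forwarded port
              Packet("198.51.100.7", EXT_IP, 22),     # internet -> port not in OPEN_TCP
              Packet("198.51.100.7", EXT_IP, 443),    # internet -> port in OPEN_TCP
              Packet("192.168.1.5", EXT_IP, 8080)):   # LAN host "self-connecting"
        print(f"{p.src} -> {p.dst}:{p.dport}", trace(p))
```

The first and second traces together are Arno's answer: port 8080 reaches 192.168.1.17 through FORWARD, while port 22 on the box itself is still dropped in INPUT because it was never put in `OPEN_TCP`. The last trace shows why a plain DNAT rule alone is not enough for the self-connect case: the hairpin needs a matching SNAT so that the server's replies travel back through the firewall.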


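The port notation in the shaper config Roland posted (`u`/`t` prefix, optional `lo:hi` range, matched against the destination port of outbound traffic) is simple enough to parse and check by hand. Below is an added example for this page, not code from the plugin: it parses the three class lists exactly as posted (with the commented-out `# t80 t443` line omitted, since the shell never reads it), reports ports that appear in more than one class, and reports which class an outbound packet would land in. The class and variable names are the posted ones; the `default` label for unlisted ports is an assumption.

```python
"""Parser and classifier for the traffic-shaper port notation in the posted config.

Added illustration for the thread; not part of the Traffic-Shaper plugin itself.
"""
import re
from dataclasses import dataclass

# Constructed sample: the three lists as posted, minus the commented-out "# t80 t443".
SHAPER_CLASSES = {
    "streamingmedia": "u4569 u1720 u1731 t25 t110 t8080",
    "interactive":    "u53 t22 u1194 t3389 u5060:5064 t5900 t6418",
    "bulkdata":       "t20 t21 t137:139 u137:139 t143 t465 t515 t993",
}

# One token: protocol letter, port, optional ":port" upper bound (e.g. u5060:5064).
TOKEN = re.compile(r"^([ut])(\d{1,5})(?::(\d{1,5}))?$")


@dataclass(frozen=True)
class PortSpec:
    proto: str   # "tcp" or "udp"
    lo: int
    hi: int

    def matches(self, proto, port):
        return proto == self.proto and self.lo <= port <= self.hi


def parse_ports(spec):
    """Turn 'u53 t22 u5060:5064' into PortSpec objects, rejecting malformed tokens."""
    specs = []
    for tok in spec.split():
        m = TOKEN.match(tok)
        if not m:
            raise ValueError(f"bad port token {tok!r}")
        proto = "udp" if m.group(1) == "u" else "tcp"
        lo = int(m.group(2))
        hi = int(m.group(3)) if m.group(3) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port range out of order or out of bounds: {tok!r}")
        specs.append(PortSpec(proto, lo, hi))
    return specs


def build_table(classes=SHAPER_CLASSES):
    """Parse every SHAPER_*_PORTS list into a {class name: [PortSpec, ...]} table."""
    return {name: parse_ports(spec) for name, spec in classes.items()}


def overlaps(table):
    """Ports listed in more than one class: which class wins there depends on rule order."""
    found = []
    names = list(table)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for sa in table[a]:
                for sb in table[b]:
                    if sa.proto == sb.proto and sa.lo <= sb.hi and sb.lo <= sa.hi:
                        found.append((sa.proto, max(sa.lo, sb.lo), min(sa.hi, sb.hi), a, b))
    return found


def classify(table, proto, dport):
    """Shaper class for an outbound packet by destination port; unlisted ports -> 'default'."""
    hits = [name for name, specs in table.items()
            if any(s.matches(proto, dport) for s in specs)]
    if len(hits) > 1:
        raise ValueError(f"{proto}/{dport} is listed in several classes: {hits}")
    return hits[0] if hits else "default"


if __name__ == "__main__":
    table = build_table()
    print("overlapping entries:", overlaps(table) or "none")
    for proto, port in (("tcp", 8080), ("udp", 5062), ("tcp", 443), ("udp", 138)):
        print(f"{proto}/{port} -> {classify(table, proto, port)}")
```

With the lists as posted, outbound TCP 80 and 443 fall into the unlisted `default` bucket because the `t80 t443` entry is commented out, while TCP 8080 is classified as streaming media; running the classifier against the ports you actually care about is a quick way to confirm the config says what you think it says before enabling the plugin.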